DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Cisco ASA 1942 <=> Draytek 3900 with two subnets
- rmorris@plumtreegroup.com (Topic Author)
30 Jul 2014 13:45 #80823
Cisco ASA 1942 <=> Draytek 3900 with two subnets was created by rmorris@plumtreegroup.com
Hello,
I have a similar issue to the poster of this topic - Multiple local networks over VPN?
http://forum.draytek.co.uk/viewtopic.php?f=8&t=19509
I'm trying to configure a VPN between Site B with a Cisco 1941 ASA and Site A with a Draytek 3900 where the computers on Site B can access both local subnets on Site A. Currently I can only get to the first subnet on the Draytek router (which is the one explicitly configured in the VPN config on the Draytek Router) from the Cisco router.
Presumably because I can't find anywhere in the Draytek to list a 2nd subnet to be pushed to the Cisco as part of the VPN negotiation, a route needs to be explicitly set on the Cisco device to send traffic down the VPN. Does anyone know what needs adding to the config?
Site A
Draytek 3900 Firmware 1.0.7.1
Subnets 172.31.0.0/20
192.168.0.1/24
VPN Configuration
Local IP/Subnet 172.31.0.0/20
Remote Subnet 192.168.11.0
Auth Type PSK
Phase1 Key Life 86400
Phase2 Key Life 3600
PFS Disabled
DPD Enabled
DPD Delay 30
DPD Timeout 120
Source IP auto_detect_scrip
GRE Disabled
IKE Phase1 Proposal 3DES_G5
IKE Phase1 Authentication ALL
IKE Phase2 Proposal 3DES_with_auth
IKE Phase2 Authentication ALL
Accepted Proposal acceptall
Site B
Cisco 1941 ASA Firmware 15.1
Subnet 192.168.11.0/24
crypto isakmp key xxxxxxxxxxx address xx.xx.xx.xx no-xauth
crypto ipsec transform-set draytek esp-3des esp-md5-hmac
crypto map CSM_CME_GigabitEthernet0/0 100 ipsec-isakmp
description Tunnel toxx.xx.xx.xx
set peer xx.xx.xx.xx
set transform-set draytek
match address 102
access-list 102 remark SiteA
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.11.0 0.0.0.255 172.31.0.0 0.0.15.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255
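The post above boils down to a traffic-selector mismatch: the Cisco crypto ACL 102 proposes two (source, destination) pairs, but the DrayTek profile only carries one local network (172.31.0.0/20) and one remote network, so the second ACE can never be matched by a Phase 2 SA on the DrayTek side. The following Python script is an added example, not configuration from the original post or from either vendor; it parses the Cisco wildcard-mask ACL and the DrayTek local/remote lists, reports which ACEs have a matching selector on the peer and which do not, and also flags the legacy algorithms in the transform-set (3DES and MD5 are deprecated choices a practitioner would want to notice). The Cisco lines are copied from the post; the DrayTek "Remote Subnet 192.168.11.0" is written without a mask in the post, so a /24 is assumed here.

```python
import ipaddress

# Constructed excerpt: the relevant lines of the Site B (Cisco) config in the post.
CISCO_CONFIG = """
crypto ipsec transform-set draytek esp-3des esp-md5-hmac
access-list 102 remark SiteA
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.11.0 0.0.0.255 172.31.0.0 0.0.15.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# Constructed: the selectors the Site A (DrayTek) profile in the post carries.
# Only one local network is listed; the remote mask (/24) is an assumption.
DRAYTEK_LOCAL = ["172.31.0.0/20"]
DRAYTEK_REMOTE = ["192.168.11.0/24"]

# Algorithms a transform-set should no longer use (legacy ciphers / hashes).
LEGACY_ALGS = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def wildcard_to_network(addr, wildcard):
    """Convert Cisco 'address wildcard' notation to an IPv4 network.
    A wildcard mask is the bitwise inverse of a subnet mask: 0.0.15.255 -> /20.
    Non-contiguous wildcards cannot be expressed as a prefix and raise ValueError."""
    all_ones = int(ipaddress.IPv4Address("255.255.255.255"))
    netmask = ipaddress.IPv4Address(all_ones ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def parse_crypto_acl(config_text):
    """Return [(src_net, dst_net)] for every 'access-list N permit ip' line.
    Remark lines and anything that is not an extended 'permit ip' entry are skipped."""
    pairs = []
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) >= 8 and parts[0] == "access-list" and parts[2:4] == ["permit", "ip"]:
            src = wildcard_to_network(parts[4], parts[5])
            dst = wildcard_to_network(parts[6], parts[7])
            pairs.append((src, dst))
    return pairs


def peer_selectors(local_nets, remote_nets):
    """Each Phase 2 selector the DrayTek can negotiate is one (local, remote) pair."""
    return [(ipaddress.ip_network(l), ipaddress.ip_network(r))
            for l in local_nets for r in remote_nets]


def check_selectors(config_text, peer_local, peer_remote):
    """Split the Cisco ACEs into those with a matching DrayTek selector and those without.
    Seen from the DrayTek, the Cisco (src, dst) pair must equal its (remote, local) pair;
    a mismatched ACE means traffic is selected for the tunnel but no SA can be built."""
    peer = peer_selectors(peer_local, peer_remote)
    matched, unmatched = [], []
    for src, dst in parse_crypto_acl(config_text):
        if any(src == remote and dst == local for local, remote in peer):
            matched.append((src, dst))
        else:
            unmatched.append((src, dst))
    return matched, unmatched


def legacy_transforms(config_text):
    """Return the legacy algorithms named on 'crypto ipsec transform-set' lines."""
    found = []
    for line in config_text.splitlines():
        parts = line.split()
        if parts[:3] == ["crypto", "ipsec", "transform-set"]:
            found.extend(p for p in parts[4:] if p in LEGACY_ALGS)
    return found


if __name__ == "__main__":
    ok, missing = check_selectors(CISCO_CONFIG, DRAYTEK_LOCAL, DRAYTEK_REMOTE)
    for src, dst in ok:
        print(f"matched:   {src} -> {dst}")
    for src, dst in missing:
        print(f"unmatched: {src} -> {dst}  (no local network {dst} in the DrayTek profile)")
    for alg in legacy_transforms(CISCO_CONFIG):
        print(f"legacy transform: {alg}")
```

Running it against the post's configuration reports the first ACE as matched and the second (192.168.11.0/24 -> 192.168.0.0/24) as unmatched, which is exactly the symptom described: only the first subnet is reachable. Adding "192.168.0.0/24" to DRAYTEK_LOCAL makes the second ACE match, showing what the DrayTek side would need to offer for the Cisco's second ACE to negotiate a Phase 2 SA.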
- andyhud
20 Jan 2016 16:52 #85134
Replied by andyhud on topic Re: Cisco ASA 1942 <=> Draytek 3900 with two subnets
Hi there
Did you get this working in the end?
I have a 3900 in one site with 5/6 different subnets (192.168.50.X / 51.X / 52.X etc) and a Draytek 2860 at the other
I have an IPSec VPN working between them on their primary networks
3900 Site: 192.168.50.X
2860 Site: 192.168.60.X
and I have added the other subnets in the 3900 site into the 2860 in the remote site under "More" in the VPN settings, but the additional tunnels don't come up
I was under the impression you had to specify all your LOCAL subnets on the 3900 side also... as I only have 1 subnet listed in there
Any ideas?
Andy
- richardmorris
20 Jan 2016 19:22 #85137
Replied by richardmorris on topic Re: Cisco ASA 1942 <=> Draytek 3900 with two subnets
Hi Andy,
I never managed to get it working with a Cisco Router.
Draytek to Draytek is usually far more straightforward; you usually don't need the 2nd tunnel creating.
When the tunnel is connected, have a look at the routing tables of the two routers, on the 3900 I'd expect to see something like this:
192.168.60.X <3900 WAN GW> <2860 LAN1 SUBNET MASK> UG 0 wan-wan1
on the 2860 I'd expect to see (if you had 192.168.50.0 as the 1st lan listed, and only 192.168.51.0 was included in the More subnets section).
S~ 192.168.50.0/ 255.255.255.0 via <3900 WAN IP> VPN-2
S~ 192.168.51.0/ 255.255.255.0 via <3900 WAN IP> VPN-2
If those are listed the VPN is connected, I'd have a look at any firewall settings that might be filtering the traffic.
Kind Regards
Richard
- andyhud
21 Jan 2016 08:30 #85142
Replied by andyhud on topic Re: Cisco ASA 1942 <=> Draytek 3900 with two subnets
Hey Richard
Thanks for getting back to me.
I have got it working but not the additional subnets yet for some reason
I'm using GRE alongside IPSec because the site with the 3900 has 2 VDSL circuits and the site with the 2860 only has 1 VDSL circuit.
Both are up and load balanced, and if I drop one of the links on the 3900 site the link stays up and vice versa, but for that you need the GRE piece.
What I can't get working is the additional subnets. Despite what you say, after adding 192.168.51.X (and ticking Create Phase 2 SA) in the "more" button on the 2860 (Remote) site, I still can't ping anything on the 3900 side. Obviously I can ping the stuff locally, and from the 3900 to the stuff on the LAN also, so that's good; it's just from the remote site.
I can't get my head around how you don't have to specify these additional LOCAL subnets on the 3900 side. It's very confusing because in the VPN tunnel settings obviously only 1 LAN subnet (192.168.50.x /24) is defined. But then hey, there is nowhere to even specify additional local subnets!
Any ideas?
Cheers again!
Andy
- richardmorris
21 Jan 2016 10:12 #85145
Replied by richardmorris on topic Re: Cisco ASA 1942 <=> Draytek 3900 with two subnets
Hi Andy,
I don't think the tick in Create Phase 2 SA is needed. Try taking it out and bringing the VPN up again.
Once the VPN is up, what entries do you have in the routing table on the 2860?
Kind Regards
Richard
- andyhud
21 Jan 2016 10:23 #85146
Replied by andyhud on topic Re: Cisco ASA 1942 <=> Draytek 3900 with two subnets
Hi Richard
Yep, that did it. I just unticked the Create Phase 2 SA box and then just rebooted the 2860 (better to be safe than sorry!)
I can now ping the other subnet from the remote site and in the routing table it has it listed as traversing VPN-2 (just like the 192.168.50.x range)
Thank you very much for your help mate!
Makes me wonder why that tick box for the Create Phase 2 SA is even there!?!
Cheers!
Andy
Moderators: Chris, Sami
Copyright © 2024 DrayTek