DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2830 to Cisco ASA IPSec without private address mapping

06 Nov 2017 15:12 #1 by dansorion
Hi,

I've been bashing my head over getting a "dial out" IPSec VPN connection to a customer Cisco ASA working, and after searching fruitlessly through the Draytek support guides and the rest of the web I thought I'd try here in the forums. Would appreciate any help, even if it ends up being a "it's not possible" answer ...

I'm trying to get a LAN to LAN IPSec connection from a Vigor 2830 to connect to the Cisco ASA using a pre-shared key config with no authentication. The customer site is using the public IP address of the Draytek router to handle the crypto map assignment, and while the phase 1 connection is successful the Cisco is dropping the connection at the phase 2 exchange as the Draytek is sending its internal network. The customer policy is to not use internal IP address routing, and instead our traffic needs to be seen as coming from our public IP address, so it is a PAT (or NAT?) connection rather than routing.

I've managed to get a screenshot from the customer of the ASA error log, and after phase 1 completed the next log entry looks like this (where 1.2.3.4 is the public IP address of the Draytek, w.x.y.z is the internal IP in the LAN to LAN settings on the Draytek, and 9.8.7.6 is the remote site internal network):

Group = 1.2.3.4, IP=1.2.3.4, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy w.x.y.z/255.255.255.0/0/0 local proxy 9.8.7.6/255.255.255.0/0/0 on ...

which according to the customer IT guy means that the Draytek is sending the "Local Network IP", which isn't valid in the Cisco configuration. I've ticked and unticked every option I can find in the 2830 and nothing seems to make a difference.

Is it possible to use a Vigor 2830 to connect to a Cisco ASA in this type of IPSec configuration, where the crypto ACL for the remote network is the public address?

Dan

06 Nov 2017 15:27 #2 by hornbyp

dansorion wrote: ...where the crypto ACL for the remote network is the public address?

I've no idea what that means :D

but, it seems that Draytek 2830's and Cisco ASA's will talk to one another - see the reply in this thread: https://supportforums.cisco.com/t5/vpn/cisco-asa-lan-to-lan-vpn-with-draytek-2930/td-p/1914975

06 Nov 2017 15:32 #3 by dansorion

hornbyp wrote:

dansorion wrote: ...where the crypto ACL for the remote network is the public address?

I've no idea what that means :D

but, it seems that Draytek 2830's and Cisco ASA's will talk to one another - see the reply in this thread: https://supportforums.cisco.com/t5/vpn/cisco-asa-lan-to-lan-vpn-with-draytek-2930/td-p/1914975


Unfortunately that's a configuration where the ASA is allowing traffic from the internal IP range at the remote site to the internal IP range at the local site. This isn't an option in the situation with my customer; they won't allow that configuration. If they did, it'd be easy getting things working, as that URL is one of the many I've come across in the last few days trying to resolve this. Thanks for trying though.

Dan

06 Nov 2017 16:00 #4 by hornbyp
I reckon the 'Customer IT guy' just needs to add a "matching crypto map entry" to his Cisco :wink:

Would changing the 2830's "Route | Nat" option change anything? (i.e. setting it to NAT)

(You've probably already tried this!)

06 Nov 2017 16:11 #5 by dansorion
Already tried the Route/NAT setting a few times; it seems to make no difference. Thanks for suggesting it though.

The Cisco end is apparently set up correctly. The customer refuses to allow our private addresses to be routed onto their network, and I can see their point when they have a large number of VPN connections coming in from various sources. It just appears that the Vigor 2830 isn't sending the data packets over the VPN connection during phase 2 with the public IP address from the WAN port; it's sending the private internal address range no matter what the Route/NAT option is set to.

It doesn't help that the Vigor diagnostics don't show the underlying traffic, just the following:

 2017-11-06 15:57:36 Client L2L remote network setting is 9.8.7.0/24
 2017-11-06 15:57:36 Start IKE Quick Mode to a.b.c.d
 2017-11-06 15:57:36 ISAKMP SA established with a.b.c.d. In/Out Index: 0/-1
 2017-11-06 15:57:36 ISAKMP SA #211 will be replaced after 21488 seconds
 2017-11-06 15:57:35  Initiating IKE Main Mode to a.b.c.d
 2017-11-06 15:57:35  Re-dial L2L[1], ifno: 10, status: 0 from WEB...

where a.b.c.d is the public IP address of the Cisco ASA, and 9.8.7.0/24 is the remote internal network address range. At this point nothing further is logged. It was only by getting the customer IT to run a trace on their logging while I was trying to connect that I found out that the Vigor was sending the local internal IP range in the phase 2 communications, and that was being rejected by the ASA. If I had an ASA I could get it working, as they've already sent me the config that would be needed, but I've got a Vigor 2830 here that is used for all current traffic in and out of the network. If I can't get it to work, though, I'll have to look at other options, possibly a different Vigor if there are any capable of IPSec using Port Address Translation ...

Dan

05 Mar 2018 10:30 #6 by dansorion
Just noticed I never followed this topic up with the solution. I managed to get in touch with one of the Cisco ASA guys at our customer and via the logs trace the source of the issue, partly due to a misconfiguration at the ASA end (doh!), but at the Vigor 2830 we figured out that we had to set up the connection as NAT with the Local IP set to the external IP address of the Vigor - and it all sprang to life! :) The Remote VPN Gateway was set to the outside address of the customer router, and the Remote Gateway IP to the LAN address at the customer site that we were connecting to. Once I'd added a route to Windows so that packets to the customer LAN IP address were sent to the Vigor internal interface address, the tunnel came up.

Dan
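The rejection in this thread is a phase 2 proxy-ID (traffic selector) mismatch: the ASA compares the networks the Vigor proposes against its crypto ACL and drops the exchange when they differ. As an added example (not code from the thread or from DrayTek/Cisco), the Python below parses the ASA "no matching crypto map entry" message, reports which proxy disagrees with the expected crypto ACL, and models in a simplified way (an assumption, not DrayTek documentation) why NAT mode with Local IP = WAN address fixes it. All addresses are constructed placeholders.

```python
import ipaddress
import re

# ASA proxy format in the log message is addr/mask/protocol/port.
PROXY_RE = re.compile(
    r"remote proxy (?P<r_addr>[\d.]+)/(?P<r_mask>[\d.]+)/\d+/\d+"
    r" local proxy (?P<l_addr>[\d.]+)/(?P<l_mask>[\d.]+)/\d+/\d+"
)

def parse_asa_proxies(line):
    """Return (remote_proxy, local_proxy) as ip_network objects, or None if the line is not a mismatch."""
    m = PROXY_RE.search(line)
    if not m:
        return None
    remote = ipaddress.ip_network(f"{m['r_addr']}/{m['r_mask']}", strict=False)
    local = ipaddress.ip_network(f"{m['l_addr']}/{m['l_mask']}", strict=False)
    return remote, local

def diagnose(line, expected_remote, expected_local):
    """Compare offered proxies with the crypto ACL the ASA admin says is configured.
    Returns a list of findings; an empty list means phase 2 selectors would match."""
    parsed = parse_asa_proxies(line)
    if parsed is None:
        return ["line is not a crypto map mismatch"]
    remote, local = parsed
    findings = []
    if remote != expected_remote:
        note = " (whole subnet offered where a single host was expected)" \
            if expected_remote.prefixlen == 32 and remote.prefixlen < 32 else ""
        findings.append(f"remote proxy {remote} offered, ASA expects {expected_remote}{note}")
    if local != expected_local:
        findings.append(f"local proxy {local} offered, ASA expects {expected_local}")
    return findings

def vigor_local_id(lan_subnet, nat_local_ip=None):
    """Simplified model (assumption): Route mode proposes the whole LAN; NAT mode with
    Local IP set to the WAN address proposes that single host as a /32."""
    if nat_local_ip is None:
        return ipaddress.ip_network(lan_subnet, strict=False)
    return ipaddress.ip_network(f"{nat_local_ip}/32")

# Constructed sample values (RFC 5737 / RFC 1918) standing in for 1.2.3.4, w.x.y.z and 9.8.7.6.
VIGOR_WAN = "203.0.113.10"
VIGOR_LAN = "192.168.1.0/24"
CUSTOMER_LAN = ipaddress.ip_network("10.20.30.0/24")
EXPECTED_REMOTE = ipaddress.ip_network(f"{VIGOR_WAN}/32")
SAMPLE_LOG = (f"Group = {VIGOR_WAN}, IP={VIGOR_WAN}, Rejecting IPSec tunnel: no matching crypto map "
              "entry for remote proxy 192.168.1.0/255.255.255.0/0/0 local proxy 10.20.30.0/255.255.255.0/0/0 on outside")

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, EXPECTED_REMOTE, CUSTOMER_LAN):
        print(finding)
    print("Route mode proposes:", vigor_local_id(VIGOR_LAN))
    print("NAT mode, Local IP = WAN proposes:", vigor_local_id(VIGOR_LAN, VIGOR_WAN))
```

Running it against the sample line reports the /24 LAN offered where the ASA expects the /32 public host, which is exactly the mismatch the customer's log showed; the same check is useful on real ASA syslog when a peer's phase 1 succeeds but phase 2 never completes.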
