DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Cisco ASA 1942 <=> Draytek 3900 with two subnets

30 Jul 2014 13:45 #1 by rmorris@plumtreegroup.com
Hello,

I have a similar issue to the poster of this topic - Multiple local networks over VPN? http://forum.draytek.co.uk/viewtopic.php?f=8&t=19509
I'm trying to configure a VPN between Site B with a Cisco 1941 ASA and Site A with a Draytek 3900 where the computers on Site B can access both local subnets on Site A. Currently I can only get to the first subnet on the Draytek router (which is the one explicitly configured in the VPN config on the Draytek Router) from the Cisco router.

Presumably because I can't find anywhere in the Draytek to list a 2nd subnet to be pushed to the Cisco as part of the VPN negotiation, a route needs to be explicitly set on the Cisco device to send traffic down the VPN. Does anyone know what needs adding to the config?

Site A

Draytek 3900 Firmware 1.0.7.1
Subnets 172.31.0.0/20
192.168.0.1/24

VPN Configuration

Local IP/Subnet 172.31.0.0/20
Remote Subnet 192.168.11.0
Auth Type PSK

Phase1 Key Life 86400
Phase2 Key Life 3600
PFS Disabled
DPD Enabled
DPD Delay 30
DPD Timeout 120
Source IP auto_detect_scrip

GRE Disabled

IKE Phase1 Proposal 3DES_G5
IKE Phase1 Authentication ALL
IKE Phase2 Proposal 3DES_with_auth
IKE Phase2 Authentication ALL
Accepted Proposal acceptall

Site B

Cisco 1941 ASA Firmware 15.1
Subnet 192.168.11.0/24

crypto isakmp key xxxxxxxxxxx address xx.xx.xx.xx no-xauth

crypto ipsec transform-set draytek esp-3des esp-md5-hmac

crypto map CSM_CME_GigabitEthernet0/0 100 ipsec-isakmp
description Tunnel to xx.xx.xx.xx
set peer xx.xx.xx.xx
set transform-set draytek
match address 102

access-list 102 remark SiteA
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.11.0 0.0.0.255 172.31.0.0 0.0.15.255
access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255

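The configs above show the underlying mismatch: the Cisco crypto ACL 102 carries two entries (Site B to 172.31.0.0/20 and Site B to 192.168.0.0/24), and IOS negotiates a separate IKEv1 Phase 2 SA for each entry, while the DrayTek profile lists a single Local/Remote subnet pair. The second pair therefore has no counterpart on the DrayTek side and never gets an SA. The following script is an added example, not code from the thread or from either vendor; it parses IOS-style crypto ACL lines (including the `host` and `any` forms, which go beyond the thread's entries), expands the DrayTek Local x Remote pairs, and reports which Cisco selectors have no exact match on the peer. The sample ACL and subnet lists are constructed from the posted configs; the function names are the example's own.

```python
"""Compare IKEv1 Phase 2 traffic selectors (proxy IDs) on the two sides of
the tunnel described above: the Cisco crypto-map ACL against the DrayTek
profile's Local/Remote subnet pair.  A Cisco ACL entry with no matching pair
on the DrayTek side never gets a Phase 2 SA, so its traffic silently fails."""
import ipaddress

# Sample input constructed from the configs quoted in the thread.
CISCO_ACL_102 = [
    "access-list 102 remark SiteA",
    "access-list 102 remark IPSec Rule",
    "access-list 102 permit ip 192.168.11.0 0.0.0.255 172.31.0.0 0.0.15.255",
    "access-list 102 permit ip 192.168.11.0 0.0.0.255 192.168.0.0 0.0.0.255",
]
# DrayTek profile as posted: one Local subnet and one Remote subnet only.
DRAYTEK_LOCAL = ["172.31.0.0/20"]
DRAYTEK_REMOTE = ["192.168.11.0/24"]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS address/wildcard-mask pair to a network.
    Wildcard bits are the *ignored* bits, so 0.0.15.255 means /20."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # wildcard bits must be contiguous from the low end
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _parse_endpoint(tokens, i):
    """Parse one ACL address term at tokens[i]: 'any', 'host X' or 'X WILDCARD'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(lines):
    """Return (src, dst) selector pairs from 'permit ip' entries; remarks and
    entries for other protocols are skipped."""
    selectors = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[2] != "permit" or t[3] != "ip":
            continue
        src, i = _parse_endpoint(t, 4)
        dst, _ = _parse_endpoint(t, i)
        selectors.append((src, dst))
    return selectors


def draytek_selectors(local, remote):
    """The DrayTek negotiates every Local x Remote pair; express each pair
    from the Cisco's point of view (src = DrayTek remote, dst = DrayTek local)."""
    return {(ipaddress.ip_network(r), ipaddress.ip_network(l))
            for l in local for r in remote}


def unmatched_selectors(acl_lines, local, remote):
    """Cisco selectors with no exact counterpart on the DrayTek side.
    Exact match is the conservative test: some peers accept a narrower
    proposal, but an entirely absent subnet is never accepted."""
    peer = draytek_selectors(local, remote)
    return [f"{s} -> {d}" for s, d in parse_crypto_acl(acl_lines)
            if (s, d) not in peer]


if __name__ == "__main__":
    for sel in unmatched_selectors(CISCO_ACL_102, DRAYTEK_LOCAL, DRAYTEK_REMOTE):
        print("no Phase 2 counterpart on the DrayTek side for", sel)
```

Run against the posted configs it reports `192.168.11.0/24 -> 192.168.0.0/24` as unmatched, which is exactly the subnet the original poster cannot reach. The same check applied to the later DrayTek-to-DrayTek case in this thread would pass once the extra subnet is listed under "More" on the remote side, since that adds the missing Local x Remote pair.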
20 Jan 2016 16:52 #2 by andyhud
Hi there

Did you get this working in the end?

I have a 3900 in one site with 5/6 different subnets (192.168.50.X / 51.X / 52.X etc.) and a Draytek 2860 at the other.

I have an IPSec VPN working between them on their primary networks

3900 Site: 192.168.50.X
2860 Site: 192.168.60.X

and I have added the other subnets in the 3900 site into the 2860 in the remote site under "More" in the VPN settings, but the additional tunnels don't come up.

I was under the impression you had to specify all your LOCAL subnets on the 3900 side also... as I only have 1 subnet listed in there.

Any ideas?

Andy

20 Jan 2016 19:22 #3 by richardmorris
Hi Andy,

I never managed to get it working with a Cisco Router.

Draytek to Draytek is usually far more straightforward; you usually don't need the 2nd tunnel creating.

When the tunnel is connected, have a look at the routing tables of the two routers, on the 3900 I'd expect to see something like this:

192.168.60.X <3900 WAN GW> <2860 LAN1 SUBNET MASK> UG 0 wan-wan1

On the 2860 I'd expect to see (if you had 192.168.50.0 as the 1st LAN listed, and only 192.168.51.0 was included in the More subnets section):

S~ 192.168.50.0/ 255.255.255.0 via <3900 WAN IP> VPN-2
S~ 192.168.51.0/ 255.255.255.0 via <3900 WAN IP> VPN-2

If those are listed the VPN is connected, and I'd have a look at any firewall settings that might be filtering the traffic.

Kind Regards

Richard

21 Jan 2016 08:30 #4 by andyhud
Hey Richard

Thanks for getting back to me.

I have got it working, but not the additional subnets yet for some reason.

I'm using GRE alongside IPSec because the site with the 3900 has 2 VDSL circuits and the site with the 2860 only has 1 VDSL circuit.

Both are up and load balanced, and if I drop one of the links on the 3900 site the link stays up and vice versa, but for that you need the GRE piece.

What I can't get working is the additional subnets. Despite what you say, after adding 192.168.51.X (and ticking Create Phase 2 SA) in the "More" button on the 2860 (Remote) site, I still can't ping anything on the 3900 side. Obviously I can ping the stuff locally, and from the 3900 to the stuff on the LAN also, so that's good; it's just from the remote site.

I can't get my head around how you don't have to specify these additional LOCAL subnets on the 3900 side. It's very confusing because in the VPN tunnel settings obviously only 1 LAN subnet (192.168.50.x /24) is defined. But then hey, there is nowhere to even specify additional Local Subnets!

Any ideas?

Cheers again!

Andy

21 Jan 2016 10:12 #5 by richardmorris
Hi Andy,

I don't think the tick in Create Phase 2 SA is needed. Try taking it out and bringing the VPN up again.

Once the VPN is up, what entries do you have in the routing table on the 2860?

Kind Regards

Richard

21 Jan 2016 10:23 #6 by andyhud
Hi Richard

Yep, that did it. I just unticked the Create Phase 2 SA box and then rebooted the 2860 (better to be safe than sorry!).

I can now ping the other subnet from the remote site, and in the routing table it has it listed as traversing VPN-2 (just like the 192.168.50.x range).

Thank you very much for your help mate!

Makes me wonder why that tick box for Create Phase 2 SA is even there!?!

Cheers!

Andy
