Cisco – LAN to LAN (Tunnel) VPN with IPSec

Tags: cisco, draytek, ipsec, local-area-network, vpn

I'm having some issues setting up a LAN-to-LAN VPN.

Please keep in mind, that "the other side" won't change anything in their configuration.

This is my current setup:

Our side:

Router: Draytek 2820 (ADSL connected)
ADSL: Fixed IP address (using 1.1.1.1 as example here)
Draytek Primary IP: 192.168.19.254; Netmask 255.255.255.0

Internal network 1: 192.168.1.x
SMC Broadband Router: 192.168.1.2 (LAN) and 192.168.19.252 (WAN)

Internal network 2: 192.168.0.x
SBS Server with 2 NICs. LAN on 192.168.0.x and WAN on 192.168.19.250 <- Requested by "the other side"

(There's a direct link between the Draytek router and this SBS Server on 192.168.19.x)

On the other side the information given was
(shown as received via e-mail):

Peer "Their Side": 2.2.2.2 (as example of course)
Peer "Our Side": 1.1.1.1
LAN OurSide: 192.168.19.128/25 (Between SBS Server and Router)
LAN TheirSide: 10.0.0.0/20
Preshared Key: ABCDEFGHIJ
Authentication: ESP/MD5/HMAC-128
Encryption: 3DES-168
IKE Proposal: IKE-3DES-MD5
IPSec Nat-T
Server: 192.168.19.250 (SBS Server)

Also, they've sent us a screenshot where we can see:

Digital Certificate: None (Use preshared keys)
Certificate Transmission: Identity certificate only
Filter: 10.0.10.217
Local Network:
 IP: 10.0.0.0
 Wildcard Mask: 0.0.15.255
Remote Network:
 IP: 192.168.19.128
 Wildcard Mask: 0.0.0.127

I just can't get this to work. I only need the VPN to establish a connection, or to know whether this Draytek model (2820) can establish such a connection; after that, the remaining configuration would be easy. Don't mind the initial setup (3 different networks); that, I can take care of. The VPN… not.
The old router on our side was a CISCO, and was set up by other people.

However, we don't have access to it. This CISCO was connected on a different ADSL line also with fixed IP.

The "other side" support guy told me that the request was reaching their network; however, it doesn't meet the requirements sent, and as such… no access.

He won't give further help; it's like a mechanic telling you that the car doesn't work, but you don't know if it is because of an empty tank or a broken motor.

Any help?
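The symptom described above, "the request reaches their network but doesn't meet the requirements", is what the responder side of an IPsec negotiation reports when the phase-1 proposal or the phase-2 traffic selectors do not match what it was configured with. The two sides' selectors are quoted in two notations here: the e-mail gives ours in CIDR form (192.168.19.128/25, 10.0.0.0/20), the screenshot gives theirs as Cisco-style wildcard masks (0.0.15.255, 0.0.0.127). The following Python is an added example, not part of the original question, the answer, or any Draytek/Cisco documentation; it converts between the two notations, checks that each side's local network is exactly the other side's remote network (the usual requirement for a proxy-ID match), and reports which of our hosts actually fall inside our selector. The addresses are the ones quoted in the question; the function names and the "local"/"remote" labels are this example's own.

```python
"""
Cross-check IPsec phase-2 selectors given in CIDR and Cisco wildcard notation.

Added example; the addresses below are the ones quoted in the question and
are used here only as constructed sample input.
"""
import ipaddress
from typing import Dict, Iterable, List

Net = ipaddress.IPv4Network


def is_contiguous_wildcard(wildcard: str) -> bool:
    """A wildcard mask describes a single subnet only if its set bits form a
    contiguous run at the low end (0.0.15.255 yes, 0.0.5.255 no)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    return wc & (wc + 1) == 0


def wildcard_to_network(ip: str, wildcard: str) -> Net:
    """Convert a Cisco 'ip wildcard' pair (as in a crypto ACL) to a network.

    The wildcard is the bitwise inverse of the subnet mask, so the prefix
    length is 32 minus the number of wildcard bits. strict=False mirrors IOS,
    which silently zeroes host bits.
    """
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    wc = int(ipaddress.IPv4Address(wildcard))
    prefixlen = 32 - wc.bit_length()
    return ipaddress.IPv4Network((ip, prefixlen), strict=False)


def network_to_wildcard(cidr: str) -> str:
    """Render a CIDR network the way a Cisco crypto ACL expects it."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{net.network_address} {net.hostmask}"


# Our side, as stated in the e-mail (CIDR notation).
OUR_SIDE: Dict[str, Net] = {
    "local": ipaddress.IPv4Network("192.168.19.128/25"),
    "remote": ipaddress.IPv4Network("10.0.0.0/20"),
}

# Their side, as shown in the screenshot (IP + wildcard mask).
THEIR_SIDE: Dict[str, Net] = {
    "local": wildcard_to_network("10.0.0.0", "0.0.15.255"),
    "remote": wildcard_to_network("192.168.19.128", "0.0.0.127"),
}


def selector_mismatches(ours: Dict[str, Net], theirs: Dict[str, Net]) -> List[str]:
    """Each side's local selector must equal the peer's remote selector.
    Returns a list of human-readable problems; empty means the proxy IDs mirror."""
    problems: List[str] = []
    if ours["local"] != theirs["remote"]:
        problems.append(f"our local {ours['local']} != their remote {theirs['remote']}")
    if ours["remote"] != theirs["local"]:
        problems.append(f"our remote {ours['remote']} != their local {theirs['local']}")
    return problems


def covered_by(network: Net, hosts: Iterable[str]) -> Dict[str, bool]:
    """Which hosts would be carried through the tunnel as-is (i.e. fall inside
    the selector) and which would need NAT onto the selector first."""
    return {h: ipaddress.IPv4Address(h) in network for h in hosts}


if __name__ == "__main__":
    print("their local as CIDR :", THEIR_SIDE["local"])
    print("our local as ACL    :", network_to_wildcard("192.168.19.128/25"))
    print("mismatches          :", selector_mismatches(OUR_SIDE, THEIR_SIDE) or "none")
    # The SBS WAN leg and the Draytek LAN IP sit in the /25; the two internal
    # LANs (192.168.1.x, 192.168.0.x) do not, so their traffic would have to be
    # NATed to a 192.168.19.128/25 address before it matched the selector.
    for host, inside in covered_by(
        OUR_SIDE["local"],
        ["192.168.19.250", "192.168.19.254", "192.168.1.2", "192.168.0.1"],
    ).items():
        print(f"{host:15} inside selector: {inside}")
```

Run as-is it reports that the selectors in the e-mail and the screenshot do mirror each other, which rules out a proxy-ID typo on either side and leaves phase 1 (3DES/MD5/pre-shared key, NAT-T) and the Draytek's handling of the /25 as the things still to check.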

Best Answer

SOLVED

After all, the Draytek 2820 didn't support NAT-T without making a few changes via telnet:

srv nat ipsecpass off

This, and setting my public IP in some obscure IPsec settings.