Draytek <-> Cisco VPN Query
Morning All,
As I sit here in the middle of a nightshift, I am scratching my head regarding a problem with a Draytek <-> Cisco VPN where the Draytek is on a dynamic IP. I'm hoping someone can offer some pointers.
So at one end I have a Cisco 837 on a static IP. At the other, a Draytek 2820 on a dynamic IP. The objective is to create a VPN between them. I am aware that dynamic IPs are not good for LAN-to-LAN VPNs but I don't have a choice. I also understand that the Cisco IOS does support the use of dynamic hostnames in peer addresses. The Draytek has been configured with a DDNS hostname.
After some tinkering, I have a VPN established between the two using 3DES and SHA1 authentication. The "catch" is that on the Cisco router, I have to specify the IP address of the Draytek in the "crypto key" section before the VPN will establish:-
!
crypto isakmp key Test1234 address 176.xxx.xxx.118
!
If I try to use the hostname in the crypto key command the VPN will fail to establish.
!
crypto isakmp key Test1234 hostname REMOVED.dynamic-dns.net
!
Looking at the "debug crypto isakmp" logs on the Cisco, it appears that when I use the hostname it does not see a pre-shared key. The Cisco resolves the hostname to the correct IP address.
.Dec 23 03:48:52.206 GMT: ISAKMP:(0:0:N/A:0):No pre-shared key with 176.xxx.xxx.118!
.Dec 23 03:48:52.206 GMT: ISAKMP : Scanning profiles for xauth ...
.Dec 23 03:48:52.206 GMT: ISAKMP:(0:0:N/A:0):Checking ISAKMP transform 0 against priority 10 policy
.Dec 23 03:48:52.206 GMT: ISAKMP: life type in seconds
.Dec 23 03:48:52.206 GMT: ISAKMP: life duration (basic) of 28800
.Dec 23 03:48:52.206 GMT: ISAKMP: encryption 3DES-CBC
.Dec 23 03:48:52.210 GMT: ISAKMP: hash MD5
.Dec 23 03:48:52.210 GMT: ISAKMP: auth pre-share
.Dec 23 03:48:52.210 GMT: ISAKMP: default group 2
Could this be a bug in the IOS or am I trying to do the impossible? Searching Cisco bug toolkit and Google is not being very helpful at the moment. Cisco is running c837-k9o3sy6-mz.124-17.bin.
Thanks,
Regards,
CCNA R&S; CCNP R&S