
   comp.dcom.vpn      VPN protocols, clients, awesomeness      2,348 messages   


   Message 783 of 2,348   
   RC to This is where someone   
   Re: VPN Newbie stuck with Vigor 2600V to   
   06 Feb 04 17:54:47   
   
   > configured the Cisco router and the office Vigor in line with the   
   Help me out here "Vigor"??   
      
   > guide on the draytek site but the vpn will not establish. Syslog on   
   > the draytek says ISAKMP SA Established but then will not go any   
   > further than Start IKE Quick Mode.   
      
   OK, let me see if I got this right, you are running a VPN client inside your
   firewall and you use NAT (really dynamic PAT). I do the same thing with my   
   2600 FW/3DES IOS. When I first set this up a Cisco support person (it was   
   escalated to a CCIE) actually told me it couldn't be done (this was before   
   NAT-T support). In simple form what I had to do was have 2 dynamic address   
   translations, one (TABLE-1) was the traditional with "overload" doing Port   
   Address Translation, the other (TABLE-2) was a one-to-one address   
   translation (with a fairly short time-out).   
      
   TABLE-1 uses a single public address and the ACL will not permit any VPN   
   traffic.   
   TABLE-2 uses a number of public addresses and the ACL will only allow VPN   
   traffic (based on port).   
      
   Functionally what happens is that when a workstation starts a VPN client it   
   is issued a public IP address (not just port translation). One part I like   
   is that internet traffic from the same workstation will still use the other   
   (overloaded) address, and I can use a very small number of public addresses
   for a very large organization provided the number of concurrent VPN users   
   does not exceed the number of reserved addresses.   
      
   This is where someone says "nope you got it wrong, this isn't what he is   
   doing"   
      
   > This is driving me mad, I am a CCNA but a little loose on the Cisco   
   > VPN config commands. Any help will be really appreciated.   
   Not putting you down, just a comment on certifications.   
   I'm not a CCNA, at one point I had a huge list of letters after my name most   
   expired or just became outdated. Now I don't take the certifications all   
   that seriously (we call them paper CNEs), I know any time I want I can read   
   a book and get all those letters back and more. I'd rather hear that someone   
   has been playing with routers and switches and show me some workable   
   solutions than tell me they have a CCNA/MCSE etc. and got them by going to a
   class.   
      
   Anyway, Good luck.   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
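As an added illustration, not part of the post above and not a configuration the poster supplied: the two-table dynamic NAT layout described in the message (TABLE-1 overloaded PAT that excludes VPN traffic, TABLE-2 one-to-one dynamic translation that admits only VPN traffic), written out as Cisco IOS configuration. The interface names, the inside subnet 192.168.1.0/24, the public pool 203.0.113.10 to 203.0.113.20, the ACL numbers and the timeout value are all assumptions; VPN traffic is identified as IKE on UDP 500 plus ESP (IP protocol 50), which is the usual reading of the post's "based on port".

```cisco
! Added example (not from the original post): two dynamic NAT translations
! on one IOS router. All addresses, names and numbers below are assumed.

interface FastEthernet0/0
 description Inside LAN (assumed)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description Outside / ISP (assumed)
 ip address 203.0.113.2 255.255.255.0
 ip nat outside
!
! TABLE-2 pool: one public address per concurrent VPN user.
! Pool size bounds the number of simultaneous VPN users, as the post notes.
ip nat pool VPN-POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
!
! TABLE-1 ACL: ordinary traffic only. IKE and ESP are denied here so they
! can never land in the overloaded (PAT) translation.
access-list 110 remark TABLE-1 general traffic, VPN excluded
access-list 110 deny   udp 192.168.1.0 0.0.0.255 any eq isakmp
access-list 110 deny   esp 192.168.1.0 0.0.0.255 any
access-list 110 permit ip  192.168.1.0 0.0.0.255 any
!
! TABLE-2 ACL: VPN traffic only. Mutually exclusive with ACL 110, so the
! evaluation order of the two NAT statements cannot cause ambiguity.
access-list 111 remark TABLE-2 VPN traffic only
access-list 111 permit udp 192.168.1.0 0.0.0.255 any eq isakmp
access-list 111 permit esp 192.168.1.0 0.0.0.255 any
!
! TABLE-1: many inside hosts share the outside interface address (PAT).
ip nat inside source list 110 interface FastEthernet0/1 overload
!
! TABLE-2: no "overload" keyword, so each matching host is given a whole
! address from the pool for as long as its translation entry lives.
ip nat inside source list 111 pool VPN-POOL
!
! The "fairly short time-out": non-overloaded dynamic translations expire
! after 5 minutes of inactivity instead of the IOS default of 24 hours, so
! pool addresses are returned quickly once a VPN session ends. This timer
! does not touch the PAT entries, which use the separate tcp-/udp-timeout
! timers.
ip nat translation timeout 300
```

Why the second table is needed at all: ESP carries no port numbers, so PAT has nothing to multiplex on and the gateway's ESP replies cannot be mapped back to the right inside host; a one-to-one address mapping sidesteps that, which is the situation the post describes as predating NAT-T support (modern IKE peers that detect a NAT in the path switch to UDP encapsulation on port 4500 instead). To confirm the split is working, `show ip nat translations` should list the VPN host's IKE/ESP entries against a VPN-POOL address while its web traffic appears against the interface address, and `show ip nat statistics` shows how much of the pool is in use, which is worth watching so that pool exhaustion is noticed before users report failed tunnels.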



(c) 1994,  bbs@darkrealms.ca