Our main depot has migrated to an MX100 with hotspare on a BTnet leased line; however, a couple of our smaller sites are remaining on their original connections without Meraki kit. Therefore I'm trying to establish a site-to-site VPN between the MX100 and a Draytek 2820Vn.
I've found and followed a guide for configuring the VPN; however, it won't establish: https://the-server.ninja/2015/02/11/configuring-a-draytek-to-meraki-lan-to-lan-vpn/
Unfortunately, there are no logs on the Draytek; however, the Meraki logs are:
|May 16 09:08:51||msg: phase1 negotiation failed.|
|May 16 09:08:51||msg: failed to pre-process ph1 packet (side: 1, status 1).|
|May 16 09:08:51||msg: failed to get valid proposal.|
|May 16 09:08:51||msg: no suitable proposal found.|
|May 16 09:08:47||msg: phase1 negotiation failed.|
|May 16 09:08:47||msg: failed to pre-process ph1 packet (side: 1, status 1).|
|May 16 09:08:47||msg: failed to get valid proposal.|
|May 16 09:08:47||msg: no suitable proposal found.|
|May 16 09:08:46||msg: phase1 negotiation failed due to send error. 7dd1fbe900107553:0000000000000000|
|May 16 09:08:46||msg: initiate new phase 1 negotiation: 194.xxx.xxx.xxx<=>185.xxx.xxx.xxx|
The logs read as if there are mismatched "Phase I" values between the devices. I hope the Phase I and Phase II settings are the same at both ends.
You may also refer to the following URL (if you have not already) to troubleshoot this further.
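Added example, not part of the original thread and not Meraki's own tooling: a small Python triage of the MX event-log rows quoted above, grouping them by timestamp and labelling each burst with a likely phase 1 failure cause. The mapping of `side: 1` to the responder role assumes racoon-style numbering (0 = initiator, 1 = responder); the function names and cause labels are hypothetical.

```python
import re

# Constructed sample: rows copied from the log quoted in the post (newest first).
SAMPLE = """\
|May 16 09:08:51||msg: phase1 negotiation failed.|
|May 16 09:08:51||msg: failed to pre-process ph1 packet (side: 1, status 1).|
|May 16 09:08:51||msg: failed to get valid proposal.|
|May 16 09:08:51||msg: no suitable proposal found.|
|May 16 09:08:46||msg: phase1 negotiation failed due to send error. 7dd1fbe900107553:0000000000000000|
|May 16 09:08:46||msg: initiate new phase 1 negotiation: 194.xxx.xxx.xxx<=>185.xxx.xxx.xxx|
"""

ROW = re.compile(r"^\|(?P<ts>[^|]+)\|\|msg: (?P<msg>.*)\|$")
SIDE = re.compile(r"\(side: (\d), status \d+\)")
# Assumption: racoon-style numbering, 0 = initiator, 1 = responder.
ROLES = {"0": "initiator", "1": "responder"}


def parse(text):
    """Yield (timestamp, message) for each well-formed log row."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m["ts"].strip(), m["msg"].strip()


def triage(text):
    """Group rows by timestamp and label each group's phase 1 failure cause."""
    groups = {}
    for ts, msg in parse(text):
        groups.setdefault(ts, []).append(msg)
    findings = []
    for ts, msgs in groups.items():
        joined = " ".join(msgs)
        hits = [m for m in map(SIDE.search, msgs) if m]
        role = ROLES.get(hits[0].group(1), "unknown") if hits else None
        if "no suitable proposal found" in joined:
            cause = "proposal-mismatch"   # peers share no common phase 1 proposal
        elif "send error" in joined:
            cause = "send-error"          # packet never left; check path/uplink
        elif "phase1 negotiation failed" in joined:
            cause = "phase1-failed-other"
        else:
            continue
        findings.append({"time": ts, "cause": cause, "local_role": role})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Under that numbering assumption, a `proposal-mismatch` with `local_role` of `responder` means the rejected proposal was the one offered by the remote peer, so the peer's phase 1 settings are the ones to compare against the MX first.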
Thanks, they do match. However, it's not performing as expected.
The VPN is connected and I can ping things at either end by IP or name. From the Meraki end I can access server shares and remote desktop to stuff at the Draytek end. From the Draytek end I can't access server shares or remote desktop to stuff at the Meraki end.
I've checked the gateway and DNS settings and they look correct. Are you able to offer advice as to why traffic only seems to flow from Meraki to Draytek and not the other way round?
This sounds like asymmetrical routing. Are you able to view the routing table on the Draytek device to make sure it is properly receiving the routes from the MX side? Double check on your MX config that you have the correct subnets set to "Yes" for being part of the VPN.