Our main depot has migrated to an MX100 with hotspare on a BTnet leased line, however a couple of our smaller sites are remaining on their original connections without Meraki kit. Therefore I'm trying to establish a site-to-site VPN between the MX100 and a Draytek 2820Vn.
I've found and followed a guide for configuring the VPN, however it won't establish: https://the-server.ninja/2015/02/11/configuring-a-draytek-to-meraki-lan-to-lan-vpn/
Unfortunately, there are no logs on the Draytek, however the Meraki logs are:
May 16 09:08:51 msg: phase1 negotiation failed.
May 16 09:08:51 msg: failed to pre-process ph1 packet (side: 1, status 1).
May 16 09:08:51 msg: failed to get valid proposal.
May 16 09:08:51 msg: no suitable proposal found.
May 16 09:08:47 msg: phase1 negotiation failed.
May 16 09:08:47 msg: failed to pre-process ph1 packet (side: 1, status 1).
May 16 09:08:47 msg: failed to get valid proposal.
May 16 09:08:47 msg: no suitable proposal found.
May 16 09:08:46 msg: phase1 negotiation failed due to send error. 7dd1fbe900107553:0000000000000000
May 16 09:08:46 msg: initiate new phase 1 negotiation: 194.xxx.xxx.xxx<=>185.xxx.xxx.xxx
The logs read as if there are mismatched "Phase I" values between the devices. I hope the Phase I and Phase II settings are the same at both ends.
You may also refer to the following URL (if you haven't already) to troubleshoot this further.
Thanks. The phase settings matched, however I'd missed a tickbox on the Draytek Dial In settings.
Don't forget to match the lifetime values, otherwise you can encounter some unexpected tunnel drops.
Thanks, they do match. However, it's not performing as expected.
The VPN is connected and I can ping things at either end by IP or name. From the Meraki end I can access server shares and remote desktop to stuff at the Draytek end. From the Draytek end I can't access server shares or remote desktop to stuff at the Meraki end.
I've checked the gateway and DNS settings and they look correct. Are you able to offer advice as to why traffic only seems to flow from Meraki to Draytek and not the other way round?
This sounds like asymmetrical routing. Are you able to view the routing table on the Draytek device to make sure it is properly receiving the routes from the MX side? Double check on your MX config that you have the correct subnets set to "Yes" for being part of the VPN.
I have a similar issue, but between an MX64 and a Checkpoint firewall: traffic from clients on the Meraki side reaches servers on the Checkpoint side (for example, you can ping), but not from the servers to the clients.
In the Meraki logs, I just get:
msg: phase2 negotiation failed due to time up waiting for phase1. ESP (CheckpointIP)->(MerakiIP)
Do your logs show that your Phase 1 negotiation has completed?
I've seen that when either the crypto algorithm or the hashing method match at both ends for Phase One (also make sure your lifetime values match at both ends, otherwise you will have annoying tunnel drops).
From the Checkpoint side to the Meraki side, phase 1 was not completed. The networks, lifetime, encryption, authentication, etc. were the same, but I think some parameter was interpreted in a different way by Meraki.
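As an added example (not from this thread, Meraki or Draytek), a small Python classifier that runs over Meraki VPN event lines like those quoted in the original post and in the Checkpoint post, grouping them into Phase 1 proposal mismatch, send error, Phase 2 stuck waiting on Phase 1, and generic Phase 1 failure, with the check an operator would make for each. The sample lines, peer addresses (RFC 5737 documentation ranges) and advice strings are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample, modelled on the Meraki VPN event lines quoted in this thread
# (addresses are RFC 5737 documentation ranges, not real peers).
SAMPLE_LOG = """\
May 16 09:08:46 msg: initiate new phase 1 negotiation: 192.0.2.10<=>198.51.100.20
May 16 09:08:46 msg: phase1 negotiation failed due to send error. 7dd1fbe900107553:0000000000000000
May 16 09:08:47 msg: no suitable proposal found.
May 16 09:08:47 msg: failed to get valid proposal.
May 16 09:08:47 msg: phase1 negotiation failed.
May 16 10:12:03 msg: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.5->192.0.2.10
"""

# (message fragment, failure class, what to check); most specific fragments first.
RULES = [
    ("proposal", "phase1_proposal_mismatch",
     "Compare Phase 1 encryption, hash, DH group, auth method and lifetime on both peers."),
    ("failed due to send error", "phase1_send_error",
     "The MX could not send the IKE packet: check peer reachability and UDP 500/4500."),
    ("time up waiting for phase1", "phase2_waiting_for_phase1",
     "Phase 1 never completed; resolve the Phase 1 mismatch before looking at Phase 2."),
    ("initiate new phase 1 negotiation", "phase1_initiated",
     "Informational: a new IKE Phase 1 exchange started."),
    ("phase1 negotiation failed", "phase1_failed",
     "Generic Phase 1 failure; the preceding lines give the specific cause."),
]

LINE_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) msg: (.*)$")
PEERS_RE = re.compile(r"(\S+)<=>(\S+)")  # "local<=>remote" in the initiate line

def classify_line(line):
    # Parse one Meraki VPN event line; returns None for anything that is not one.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time, message = m.groups()
    frag, category, advice = next(((f, c, a) for f, c, a in RULES if f in message),
                                  (None, "unknown", "No guidance for this message."))
    peers = PEERS_RE.search(message)
    return {"time": time, "category": category, "advice": advice,
            "peers": peers.groups() if peers else None}

def summarize(log_text):
    # Count each failure class across the log and collect the matching advice.
    counts, advice = Counter(), {}
    for line in log_text.splitlines():
        rec = classify_line(line)
        if rec:
            counts[rec["category"]] += 1
            advice[rec["category"]] = rec["advice"]
    return counts, advice
```

Running summarize over the thread's own 10 lines gives eight proposal-mismatch hits against one send error, which is the pattern that points at Phase 1 settings rather than connectivity.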