Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

Conversationalist

Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

Our main depot has migrated to an MX100 with hotspare on a BTnet leased line, however a couple of our smaller sites are remaining on their original connections without Meraki kit.  Therefore I'm trying to establish a site-to-site VPN between the MX100 and a Draytek 2820Vn.

 

I've found and followed a guide for configuring the VPN, however it won't establish: https://the-server.ninja/2015/02/11/configuring-a-draytek-to-meraki-lan-to-lan-vpn/

 

Unfortunately, there are no logs on the Draytek, however the Meraki logs are:

 

May 16 09:08:51 msg: phase1 negotiation failed.
May 16 09:08:51 msg: failed to pre-process ph1 packet (side: 1, status 1).
May 16 09:08:51 msg: failed to get valid proposal.
May 16 09:08:51 msg: no suitable proposal found.
May 16 09:08:47 msg: phase1 negotiation failed.
May 16 09:08:47 msg: failed to pre-process ph1 packet (side: 1, status 1).
May 16 09:08:47 msg: failed to get valid proposal.
May 16 09:08:47 msg: no suitable proposal found.
May 16 09:08:46 msg: phase1 negotiation failed due to send error. 7dd1fbe900107553:0000000000000000
May 16 09:08:46 msg: initiate new phase 1 negotiation: 194.xxx.xxx.xxx[500]<=>185.xxx.xxx.xxx[500]
Getting noticed

Re: Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

Hi,

 

The logs reflect as if there are mismatched values of "Phase I" between devices. I hope the Phase I and Phase II settings are the same at both ends.

 

You may also refer to the following URL (if not already) to troubleshoot this further.

 

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_P...

Cheers
Ajit
ajitslife@gmail.com
Conversationalist

Re: Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

Thanks.  The phase settings matched, however I'd missed a tickbox on the Draytek Dial In settings.

Getting noticed

Re: Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

Don't forget to match the lifetime values, otherwise you can encounter some unexpected tunnel drops ;)

Conversationalist

Re: Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

Thanks, they do match.  However, it's not performing as expected.

 

The VPN is connected and I can ping things at either end by IP or name.  From the Meraki end I can access server shares and remote desktop to stuff at the Draytek end.  From the Draytek end I can't access server shares or remote desktop to stuff at the Meraki end.

 

I've checked the gateway and DNS settings and they look correct.  Are you able to offer advice as to why traffic only seems to flow from Meraki to Draytek and not the other way round?

 

Thanks

Kind of a big deal

Re: Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

This sounds like asymmetrical routing. Are you able to view the routing table on the Draytek device to make sure it is properly receiving the routes from the MX side? Double check on your MX config that you have the correct subnets set to "Yes" for being part of the VPN. 

MRCUR | CMNO #12
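The advice in the thread so far boils down to two checks: Phase 1 and Phase 2 parameters (lifetimes included) must be identical on both peers, and the subnets each side puts into the tunnel must match what the other side expects as its remote networks, or traffic only works in one direction. The script below is an added example, not part of this thread and not a Meraki or DrayTek tool; the two configs are constructed to resemble the poster's setup (MX100 at the depot, Draytek 2820 at a small site), and every value, subnet and field name in them is an assumption of the example, not a real configuration or vendor option name.

```python
"""Consistency check for the two ends of an IPsec LAN-to-LAN tunnel.

Added example (not from the thread, Meraki or DrayTek). The two configs are
constructed to resemble the thread's setup; every value, subnet and field name
is an assumption of this example, not the poster's real configuration or a
vendor option name.
"""
import copy
from ipaddress import ip_network

MERAKI = {
    "phase1": {"encryption": "AES256", "hash": "SHA1", "dh_group": 5, "lifetime_s": 28800},
    "phase2": {"encryption": "AES256", "hash": "SHA1", "pfs_group": 5, "lifetime_s": 3600},
    # local subnet -> whether it is set to "Yes" for VPN participation
    "local_subnets": {"10.10.0.0/24": True, "10.10.1.0/24": True, "10.10.99.0/24": False},
    "remote_subnets": ["192.168.1.0/24"],
}
DRAYTEK = {
    "phase1": {"encryption": "AES256", "hash": "SHA1", "dh_group": 5, "lifetime_s": 28800},
    "phase2": {"encryption": "AES256", "hash": "SHA1", "pfs_group": 5, "lifetime_s": 3600},
    "local_subnets": {"192.168.1.0/24": True},
    "remote_subnets": ["10.10.0.0/24", "10.10.1.0/24", "10.10.99.0/24"],
}


def compare_phase(a, b, phase):
    """One message per Phase 1 / Phase 2 parameter (lifetimes included) that differs."""
    problems = []
    for key in sorted(set(a[phase]) | set(b[phase])):
        va, vb = a[phase].get(key), b[phase].get(key)
        if va != vb:
            problems.append(f"{phase} {key}: {va} vs {vb}")
    return problems


def participating(side):
    """Local subnets the side actually puts into the VPN."""
    return [ip_network(s) for s, on in side["local_subnets"].items() if on]


def check_selectors(a, b, a_name, b_name):
    """Traffic from a's subnet X to b only works if X is covered by a remote
    subnet on b, and b only sends X into the tunnel if a advertises it."""
    problems = []
    a_local = participating(a)
    b_remote = [ip_network(s) for s in b["remote_subnets"]]
    for net in a_local:
        if not any(net.subnet_of(r) for r in b_remote):
            problems.append(f"{a_name} advertises {net} but {b_name} has no remote subnet covering it")
    for net in b_remote:
        if any(net.overlaps(loc) for loc in a_local):
            continue
        disabled = [s for s, on in a["local_subnets"].items()
                    if not on and ip_network(s).overlaps(net)]
        if disabled:
            problems.append(f"{b_name} expects {net} through the VPN but {a_name} has "
                            f"{', '.join(disabled)} set to No for VPN participation")
        else:
            problems.append(f"{b_name} expects {net} through the VPN but {a_name} has no such local subnet")
    return problems


def audit(a, b, a_name="Meraki", b_name="Draytek"):
    """All mismatches; an empty list means both ends agree on phases and selectors."""
    return (compare_phase(a, b, "phase1") + compare_phase(a, b, "phase2")
            + check_selectors(a, b, a_name, b_name) + check_selectors(b, a, b_name, a_name))


def with_override(cfg, key, value, phase=None):
    """Deep-copied config with one value changed, for what-if runs."""
    new = copy.deepcopy(cfg)
    (new[phase] if phase else new)[key] = value
    return new


if __name__ == "__main__":
    for line in audit(MERAKI, DRAYTEK) or ["no mismatches"]:
        print(line)
```

With the constructed configs the only finding is the subnet the Draytek expects to reach but the MX has set to "No" for VPN participation; hosts on that subnet would be unreachable from the Draytek side while the rest of the tunnel works, which is the kind of one-direction symptom worth ruling out before looking at host firewalls.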
Here to help

Re: Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

Hello there

I have a similar issue, but between an MX64 and a Checkpoint firewall: traffic from clients on the Meraki side reaches servers on the Checkpoint side (for example, you can ping), but not from the servers to the clients.

 

In the Meraki logs, I just get

msg: phase2 negotiation failed due to time up waiting for phase1. ESP (CheckpointIP)[0]->(MerakiIP)[0]
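The MX event log lines quoted in the original post and in the Checkpoint post above follow the same "msg:" format, and a handful of patterns tell you which stage of the IKE exchange failed and why. The following triage script is an added example, not part of this thread and not a Meraki tool; the sample log is the lines posted in the thread (with the addresses masked exactly as posted), and the mapping from message to diagnosis is this example's own reading of the messages, not Meraki documentation.

```python
"""Triage Meraki MX non-Meraki VPN log lines by IKE stage.

Added example (not from the thread or Meraki). SAMPLE_LOG reproduces the lines
posted in the thread; RULES is this example's own interpretation of them.
"""
import re
from collections import Counter

# Constructed sample: the lines posted in this thread (addresses masked as posted).
SAMPLE_LOG = """\
May 16 09:08:51 msg: phase1 negotiation failed.
May 16 09:08:51 msg: failed to pre-process ph1 packet (side: 1, status 1).
May 16 09:08:51 msg: failed to get valid proposal.
May 16 09:08:51 msg: no suitable proposal found.
May 16 09:08:46 msg: phase1 negotiation failed due to send error. 7dd1fbe900107553:0000000000000000
May 16 09:08:46 msg: initiate new phase 1 negotiation: 194.xxx.xxx.xxx[500]<=>185.xxx.xxx.xxx[500]
msg: phase2 negotiation failed due to time up waiting for phase1. ESP (CheckpointIP)[0]->(MerakiIP)[0]
"""

# Timestamp is optional; the original lines also lack the space before "msg:".
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s*)?msg:\s*(?P<msg>.*?)\s*$"
)
PEERS_RE = re.compile(r"(\S+)\[(\d+)\]<=>(\S+)\[(\d+)\]")

# (pattern, stage, diagnosis); earlier rules are more specific and win in diagnose().
RULES = [
    (r"no suitable proposal found|failed to get valid proposal", "phase1",
     "Phase 1 proposal mismatch: compare encryption, hash, DH group, auth mode and lifetime on both peers"),
    (r"failed to pre-process ph1 packet", "phase1",
     "Peer's IKE packet rejected before a proposal was accepted: usually a proposal, identifier or PSK problem"),
    (r"phase1 negotiation failed due to send error", "phase1",
     "Could not send the IKE packet: check the peer is reachable on UDP/500 (and UDP/4500 if NAT-T is in use)"),
    (r"phase2 negotiation failed due to time up waiting for phase1", "phase2",
     "Phase 2 was attempted while Phase 1 never completed: fix Phase 1 first, then check Phase 2 selectors"),
    (r"initiate new phase 1 negotiation", "info", "MX is the initiator for this attempt"),
    (r"phase1 negotiation failed", "phase1",
     "Generic Phase 1 failure; the lines logged just before it carry the reason"),
]


def classify(msg):
    """Return (rank, stage, diagnosis) for one message; unknown messages rank last."""
    for rank, (pattern, stage, diagnosis) in enumerate(RULES):
        if re.search(pattern, msg):
            return rank, stage, diagnosis
    return len(RULES), "unknown", "Unrecognised message: " + msg


def triage(log_text):
    """One dict per parseable line, in the order the lines appear (MX logs newest first)."""
    out = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rank, stage, diagnosis = classify(m.group("msg"))
        out.append({"ts": m.group("ts") or "", "msg": m.group("msg"),
                    "stage": stage, "diagnosis": diagnosis, "_rank": rank})
    return out


def diagnose(log_text):
    """Most specific failure seen, the peer pair from the initiate line, and a count per diagnosis."""
    entries = triage(log_text)
    peers = None
    for e in entries:
        pm = PEERS_RE.search(e["msg"])
        if pm:
            peers = (pm.group(1), pm.group(3))
    failures = [e for e in entries if e["stage"] in ("phase1", "phase2")]
    if not failures:
        return {"stage": "none", "diagnosis": "No IKE failure lines found",
                "peers": peers, "counts": Counter()}
    best = min(failures, key=lambda e: e["_rank"])
    return {"stage": best["stage"], "diagnosis": best["diagnosis"], "peers": peers,
            "counts": Counter(e["diagnosis"] for e in failures)}


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG)
    print(result["stage"], "-", result["diagnosis"])
    print("peers:", result["peers"])
    for diagnosis, n in result["counts"].most_common():
        print(f"{n:3d}  {diagnosis}")
```

Run against the thread's lines it reports a Phase 1 proposal mismatch as the most specific failure, with the send error and the generic "phase1 negotiation failed" counted alongside it; the Checkpoint post's line on its own classifies as a Phase 2 timeout that points back at an incomplete Phase 1.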

Getting noticed

Re: Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

WorkingDead:

Do your logs show that your Phase 1 negotiation has completed?

I've seen that when either the crypto algorithm or the hashing method match at both ends for Phase One (also make sure your lifetime values match at both ends, otherwise you will have annoying tunnel drops).

Here to help

Re: Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

Hello!

From the Checkpoint side to the Meraki side, phase 1 was not completed; the networks, lifetime, encryption, authentication, etc. were the same, but I think some parameter was interpreted in a different way by Meraki.