Creating a Site-to-Site VPN between MX100 and a Draytek 2820Vn

olly
Conversationalist

Our main depot has migrated to an MX100 with hotspare on a BTnet leased line, however a couple of our smaller sites are remaining on their original connections without Meraki kit.  Therefore I'm trying to establish a site-to-site VPN between the MX100 and a Draytek 2820Vn.

 

I've found and followed a guide for configuring the VPN, however it won't establish: https://the-server.ninja/2015/02/11/configuring-a-draytek-to-meraki-lan-to-lan-vpn/

 

Unfortunately, there are no logs on the Draytek, however the Meraki logs are:

 

May 16 09:08:51 msg: phase1 negotiation failed.
May 16 09:08:51 msg: failed to pre-process ph1 packet (side: 1, status 1).
May 16 09:08:51 msg: failed to get valid proposal.
May 16 09:08:51 msg: no suitable proposal found.
May 16 09:08:47 msg: phase1 negotiation failed.
May 16 09:08:47 msg: failed to pre-process ph1 packet (side: 1, status 1).
May 16 09:08:47 msg: failed to get valid proposal.
May 16 09:08:47 msg: no suitable proposal found.
May 16 09:08:46 msg: phase1 negotiation failed due to send error. 7dd1fbe900107553:0000000000000000
May 16 09:08:46 msg: initiate new phase 1 negotiation: 194.xxx.xxx.xxx[500]<=>185.xxx.xxx.xxx[500]
Olly
AjitKumar
Head in the Cloud

Hi,

 

The logs suggest that the "Phase I" values are mismatched between the devices. I hope the Phase I and Phase II settings are the same at both ends.

 

You may also refer to following url (if not already) to troubleshoot this further.

 

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_P...

Regards,
Ajit
AjitsNW@gmail.com
www.ajit.network
olly
Conversationalist

Thanks.  The phase settings matched, however I'd missed a tickbox on the Draytek Dial In settings.

Olly
cta102
Building a reputation

Don't forget to match the lifetime values otherwise you can encounter some unexpected tunnel drops 😉

olly
Conversationalist

Thanks, they do match.  However, it's not performing as expected.

 

The VPN is connected and I can ping things at either end by IP or name.  From the Meraki end I can access server shares and remote desktop to stuff at the Draytek end.  From the Draytek end I can't access server shares or remote desktop to stuff at the Meraki end.

 

I've checked the gateway and DNS settings and they look correct.  Are you able to offer advice as to why traffic only seems to flow from Meraki to Draytek and not the other way round?

 

Thanks

Olly
MRCUR
Kind of a big deal

This sounds like asymmetrical routing. Are you able to view the routing table on the Draytek device to make sure it is properly receiving the routes from the MX side? Double check on your MX config that you have the correct subnets set to "Yes" for being part of the VPN. 

MRCUR | CMNO #12
WorkingDead
Here to help

Hello there

I have a similar issue, but between an MX64 and a Checkpoint firewall: traffic from clients on the Meraki side reaches servers on the Checkpoint side (for example, you can ping), but not from the servers to the clients.

 

In the Meraki logs, I just get

msg: phase2 negotiation failed due to time up waiting for phase1. ESP (CheckpointIP)[0]->(MerakiIP)[0]

cta102
Building a reputation

WorkingDead:

Do your logs show that your Phase 1 negotiation has completed?

I've seen that when either the crypto algorithm or the hashing method match at both ends for Phase One (also make sure your lifetime values match at both ends, otherwise you will have annoying tunnel drops).

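The two log excerpts in this thread (olly's "no suitable proposal found" sequence and WorkingDead's "phase2 negotiation failed due to time up waiting for phase1") are the usual fingerprints of a phase 1 problem on the MX's non-Meraki peer log. The script below is an added example, not code from the thread, Meraki or the posters: it parses lines of that format, classifies them, and maps each class to the check the replies above recommend. The sample log is constructed from the quoted excerpts (with the redacted placeholder addresses kept as-is); the rule texts are my own wording of the advice in the thread, and the classification keys are names I chose.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: the excerpts quoted in this thread, in chronological order
# (the Meraki event log shows newest first). Addresses are the posters' redacted
# placeholders, not real peers.
SAMPLE_LOG = """\
May 16 09:08:46 msg: initiate new phase 1 negotiation: 194.xxx.xxx.xxx[500]<=>185.xxx.xxx.xxx[500]
May 16 09:08:46 msg: phase1 negotiation failed due to send error. 7dd1fbe900107553:0000000000000000
May 16 09:08:47 msg: no suitable proposal found.
May 16 09:08:47 msg: failed to get valid proposal.
May 16 09:08:47 msg: failed to pre-process ph1 packet (side: 1, status 1).
May 16 09:08:47 msg: phase1 negotiation failed.
May 16 09:08:51 msg: no suitable proposal found.
May 16 09:08:51 msg: failed to get valid proposal.
May 16 09:08:51 msg: failed to pre-process ph1 packet (side: 1, status 1).
May 16 09:08:51 msg: phase1 negotiation failed.
msg: phase2 negotiation failed due to time up waiting for phase1. ESP (CheckpointIP)[0]->(MerakiIP)[0]
"""

# Optional "Mon DD HH:MM:SS" timestamp, then "msg:", then the body. The timestamp
# separator is optional because the pasted logs had "09:08:51msg:" run together.
LINE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s*)?msg:\s*(?P<msg>.*?)\s*$"
)

# (regex on the message body, classification key, recommended check or None).
# Keys and advice text are this example's own, distilled from the replies above.
RULES = [
    (r"no suitable proposal found|failed to get valid proposal",
     "phase1_proposal_mismatch",
     "Compare IKE phase 1 on both ends: encryption, hash, DH group, authentication method, lifetime."),
    (r"phase1 negotiation failed due to send error",
     "phase1_send_error",
     "The first ISAKMP packet was not delivered: confirm UDP/500 (and UDP/4500) reaches the peer and that the peer's dial-in profile is enabled."),
    (r"phase2 negotiation failed due to time up waiting for phase1",
     "phase1_never_completed",
     "Phase 2 is timing out because phase 1 never finished; fix phase 1 first and check whether only one side ever initiates."),
    (r"initiate new phase 1 negotiation: (?P<local>\S+?)\[\d+\]<=>(?P<remote>\S+?)\[\d+\]",
     "phase1_initiated", None),
    (r"^phase1 negotiation failed\.?$", "phase1_failed", None),
]


@dataclass
class Diagnosis:
    counts: Counter = field(default_factory=Counter)   # occurrences per key
    peers: list = field(default_factory=list)          # (local, remote) pairs seen
    advice: list = field(default_factory=list)         # unique checks, first-seen order
    unmatched: list = field(default_factory=list)      # bodies no rule recognised


def parse_line(line):
    """Split one log line into timestamp (may be None) and message body."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m.group("ts"), "msg": m.group("msg")}


def diagnose(log_text):
    """Classify every line of a Meraki non-Meraki-VPN log excerpt."""
    result = Diagnosis()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        parsed = parse_line(raw)
        if parsed is None:
            result.unmatched.append(raw.strip())
            continue
        msg = parsed["msg"]
        for pattern, key, advice in RULES:
            m = re.search(pattern, msg)
            if not m:
                continue
            result.counts[key] += 1
            if key == "phase1_initiated":
                peer = (m.group("local"), m.group("remote"))
                if peer not in result.peers:
                    result.peers.append(peer)
            if advice and advice not in result.advice:
                result.advice.append(advice)
            break
        else:
            result.unmatched.append(msg)
    return result


if __name__ == "__main__":
    d = diagnose(SAMPLE_LOG)
    for key, n in sorted(d.counts.items()):
        print(f"{n:3d}  {key}")
    for local, remote in d.peers:
        print(f"peer pair: {local} <=> {remote}")
    for line in d.advice:
        print(f"check: {line}")
```

Paste your own MX event log into `SAMPLE_LOG` (or read it from a file) and run the script; repeated `phase1_proposal_mismatch` hits point at the phase 1 parameter set, while `phase1_never_completed` with no `phase1_initiated` from the far side means the peer is never reaching phase 1 at all.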
WorkingDead
Here to help

Hello!

From the Checkpoint side to the Meraki side, phase 1 was not completed. The networks, lifetime, encryption, authentication, etc. were the same, but I think some parameter was interpreted in a different way by Meraki.

 
