systemagic
asked on
IPSEC VPN Between Draytek 2860 and Ubiquiti EdgeMax
I'm trying to set up an IPsec tunnel between a Draytek 2860 and a Ubiquiti EdgeMax. I'm very familiar with Drayteks and have set up many tunnels before; the EdgeMax is a new customer and I haven't used these devices before, but looking at the setup it's fairly simple to add an IPsec LAN-to-LAN. I think it's almost working; here are the logs from the Draytek syslog:
141 2018-04-09 10:18:02 Apr 9 10:17:51 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.1 20.190] IKE link timeout: state linking
141 2018-04-09 10:18:02 Apr 9 10:17:51 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x17ebe5f9
141 2018-04-09 10:18:02 Apr 9 10:17:51 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:02 Apr 9 10:17:51 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:02 Apr 9 10:17:51 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5 .2.120.190 ] Initiating IKE Main Mode
141 2018-04-09 10:18:02 Apr 9 10:17:51 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:02 Apr 9 10:17:51 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:02 Apr 9 10:17:51 Systemagic_BoA Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
141 2018-04-09 10:18:02 Apr 9 10:17:51 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:03 Apr 9 10:17:51 Systemagic_BoA Linking status:3 time out...restart VPN[10] of L2L[1].
141 2018-04-09 10:18:03 Apr 9 10:17:51 Systemagic_BoA [L2L][DOWN][IPsec][@0:FEA]
141 2018-04-09 10:18:03 Apr 9 10:17:51 Systemagic_BoA [IPSEC][@5.2.120.190] IKE release: state linking
141 2018-04-09 10:18:05 Apr 9 10:17:53 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:05 Apr 9 10:17:53 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:05 Apr 9 10:17:53 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5 .2.120.190 ] Initiating IKE Main Mode
141 2018-04-09 10:18:05 Apr 9 10:17:53 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr 9 10:17:53 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr 9 10:17:53 Systemagic_BoA Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
141 2018-04-09 10:18:05 Apr 9 10:17:53 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr 9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr 9 10:17:54 Systemagic_BoA NAT-Traversal: Using RFC 3947, no NAT detected
141 2018-04-09 10:18:05 Apr 9 10:17:54 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:06 Apr 9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:06 Apr 9 10:17:54 Systemagic_BoA ISAKMP SA #39735 will be replaced after 21572 seconds
141 2018-04-09 10:18:06 Apr 9 10:17:54 Systemagic_BoA ISAKMP SA established with 5.2.120.190. In/Out Index: 0/-1
141 2018-04-09 10:18:06 Apr 9 10:17:54 Systemagic_BoA Start IKE Quick Mode to 5.2.120.190
141 2018-04-09 10:18:06 Apr 9 10:17:54 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x9993c5af
141 2018-04-09 10:18:06 Apr 9 10:17:54 Systemagic_BoA Client L2L remote network setting is 172.16.32.0/20
141 2018-04-09 10:18:06 Apr 9 10:17:54 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5 .2.120.190 ] quick_outI1: match network
141 2018-04-09 10:18:06 Apr 9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x47377cd3
141 2018-04-09 10:18:17 Apr 9 10:18:06 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.1 20.190] IKE link timeout: state linking
141 2018-04-09 10:18:17 Apr 9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x80b3f6a5
141 2018-04-09 10:18:17 Apr 9 10:18:06 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:17 Apr 9 10:18:06 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:17 Apr 9 10:18:06 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5 .2.120.190 ] Initiating IKE Main Mode
141 2018-04-09 10:18:17 Apr 9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:17 Apr 9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:17 Apr 9 10:18:06 Systemagic_BoA Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
141 2018-04-09 10:18:17 Apr 9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA NAT-Traversal: Using RFC 3947, no NAT detected
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA ISAKMP SA #39737 will be replaced after 21375 seconds
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA ISAKMP SA established with 5.2.120.190. In/Out Index: 0/-1
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA Start IKE Quick Mode to 5.2.120.190
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x2fc5d3f9
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA Client L2L remote network setting is 172.16.32.0/20
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5 .2.120.190 ] quick_outI1: match network
141 2018-04-09 10:18:18 Apr 9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xf3c252e0
141 2018-04-09 10:18:30 Apr 9 10:18:18 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.1 20.190] IKE link timeout: state linking
141 2018-04-09 10:18:30 Apr 9 10:18:18 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x98bf86c1
141 2018-04-09 10:18:30 Apr 9 10:18:18 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:30 Apr 9 10:18:18 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
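The pattern in the logs above (Phase 1 completes, Quick Mode starts, an Informational exchange comes back and the link times out) can be picked out mechanically rather than by eye. The Python below is an added example, not part of the original post or of Draytek's or Ubiquiti's software; its sample log lines are constructed with a made-up hostname and peer address, and the "IPsec SA established" wording it looks for to detect Phase 2 success is an assumption.

```python
import re
# Constructed sample in Draytek syslog style: hostname vpn-gw and peer
# 192.0.2.10 are made up; the message texts follow what the router logs.
SAMPLE_LOG = """\
Apr 9 10:17:53 vpn-gw Initiating IKE Main Mode to 192.0.2.10
Apr 9 10:17:54 vpn-gw ISAKMP SA established with 192.0.2.10. In/Out Index: 0/-1
Apr 9 10:17:54 vpn-gw Start IKE Quick Mode to 192.0.2.10
Apr 9 10:17:54 vpn-gw IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x9993c5af
Apr 9 10:17:54 vpn-gw IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x47377cd3
Apr 9 10:18:06 vpn-gw [IPSEC][L2L][1:FEA][@192.0.2.10] IKE link timeout: state linking
"""
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+(.*)$")
EXCHANGE_RE = re.compile(r"IKE (==>|<==).*Exchange Type = (0x[0-9A-Fa-f]+)")
INFORMATIONAL = 0x5  # ISAKMP exchange types (RFC 2408): 0x2 Main Mode, 0x5 Informational, 0x20 Quick Mode

def analyse(log_text):
    """Walk the log once and count the IKE milestones the attempts reach."""
    st = dict(phase1_up=0, quick_started=0, notify_after_quick=0, ipsec_up=0, timeouts=0)
    in_quick = False
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group(1)
        if "Initiating IKE Main Mode" in msg:
            in_quick = False                     # a fresh attempt starts
        elif "ISAKMP SA established" in msg:
            st["phase1_up"] += 1                 # Phase 1 completed
        elif "Start IKE Quick Mode" in msg:
            st["quick_started"] += 1             # Phase 2 starts
            in_quick = True
        elif "IPsec SA established" in msg:      # assumed wording for Phase 2 success
            st["ipsec_up"] += 1
            in_quick = False
        elif "IKE link timeout" in msg:
            st["timeouts"] += 1
        else:
            x = EXCHANGE_RE.search(msg)
            # An Informational exchange received while Quick Mode is pending is the peer refusing our Phase 2, not answering it.
            if x and x.group(1) == "<==" and int(x.group(2), 16) == INFORMATIONAL and in_quick:
                st["notify_after_quick"] += 1
    return st

def diagnose(st):
    """Turn the counts into the first thing to compare on both routers."""
    if st["ipsec_up"]:
        return "tunnel up"
    if st["quick_started"] and st["notify_after_quick"]:
        return "phase2 rejected"   # Phase 1 is fine: compare Phase 2 proposal, subnets and shared secret
    if not st["phase1_up"] and st["timeouts"]:
        return "phase1 failed"     # check UDP 500/4500 reachability and the Phase 1 proposal
    return "inconclusive"
```

Run against the logs in this thread the verdict is "phase2 rejected", which is where the checklist below (and, as it turned out, the shared secret) comes in.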
ASKER
Thanks very much, the long shared secret solved it :)
ASKER
Issue solved by entering a longer shared secret
So there might be a mismatch in IP address ranges etc. (Draytek allows for overlapping ranges (overlapping with local ones, I mean); others do not always allow this as easily).
NAT-T is enabled, so also allow for port 4500.
Is there a corresponding DH setting on both sides? (sometimes called forward secrecy/security).
You may want to obfuscate IP addresses before publishing them...