IPSEC VPN Between Draytek 2860 and Ubiquiti EdgeMax

I'm trying to set up an IPSEC tunnel between a Draytek 2860 and a Ubiquiti EdgeMax. I'm very familiar with Drayteks and have set up many tunnels before; the EdgeMax is a new customer and I haven't used these devices before, but looking at the setup it's fairly simple to add an IPSEC LAN to LAN. I think it's almost working, here are the logs from Draytek Syslog:

141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.120.190] IKE link timeout: state linking
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x17ebe5f9
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] Initiating IKE Main Mode
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:03 Apr  9 10:17:51 Systemagic_BoA Linking status:3 time out...restart VPN[10] of L2L[1].
141 2018-04-09 10:18:03 Apr  9 10:17:51 Systemagic_BoA [L2L][DOWN][IPsec][@0:FEA]
141 2018-04-09 10:18:03 Apr  9 10:17:51 Systemagic_BoA [IPSEC][@5.2.120.190] IKE release: state linking
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] Initiating IKE Main Mode
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr  9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr  9 10:17:54 Systemagic_BoA NAT-Traversal: Using RFC 3947, no NAT detected
141 2018-04-09 10:18:05 Apr  9 10:17:54 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA ISAKMP SA #39735 will be replaced after 21572 seconds
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA ISAKMP SA established with 5.2.120.190. In/Out Index: 0/-1
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA Start IKE Quick Mode to 5.2.120.190
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x9993c5af
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA Client L2L remote network setting is 172.16.32.0/20
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] quick_outI1: match network
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x47377cd3
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.120.190] IKE link timeout: state linking
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x80b3f6a5
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] Initiating IKE Main Mode
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA NAT-Traversal: Using RFC 3947, no NAT detected
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA ISAKMP SA #39737 will be replaced after 21375 seconds
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA ISAKMP SA established with 5.2.120.190. In/Out Index: 0/-1
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA Start IKE Quick Mode to 5.2.120.190
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x2fc5d3f9
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA Client L2L remote network setting is 172.16.32.0/20
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] quick_outI1: match network
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xf3c252e0
141 2018-04-09 10:18:30 Apr  9 10:18:18 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.120.190] IKE link timeout: state linking
141 2018-04-09 10:18:30 Apr  9 10:18:18 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x98bf86c1
141 2018-04-09 10:18:30 Apr  9 10:18:18 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:30 Apr  9 10:18:18 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
Asked by: systemagic
noci (Software Engineer) commented:
Looks like the Phase 2 communication has a mismatch.
So there might be a mismatch in IP address ranges etc. (Draytek allows for overlapping ranges (overlapping with local ones, I mean); others don't always allow this as easily.)
NAT-T is enabled, so also allow for port 4500.
Is there a corresponding DH setting on both sides? (sometimes called forward secrecy/security).
You may want to obfuscate IP addresses before publishing them...
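One way to turn the "Phase 2 mismatch" reading of these logs into a repeatable check, as an added example (not code from this thread, from Draytek or from Ubiquiti): a small Python script that parses the Draytek syslog rows quoted in the question and reports, per dial attempt, whether it died before or after the ISAKMP SA came up. The column-split sample, the HINTS text and the verdict names are my assumptions; the Exchange Type meanings (0x2 Main Mode, 0x5 Informational, 0x20 Quick Mode) come from RFC 2408/2409.

```python
import re

# Constructed sample: rows re-typed from the Draytek syslog in the question, with the fused
# columns (row id, receive time, device time, host, message) separated by single spaces.
SAMPLE_LOG = """\
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:03 Apr  9 10:17:51 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.120.190] IKE link timeout: state linking
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA ISAKMP SA established with 5.2.120.190. In/Out Index: 0/-1
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x47377cd3
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.120.190] IKE link timeout: state linking
"""

LINE_RE = re.compile(r"^(\d+) (?P<recv>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"([A-Z][a-z]{2}\s+\d+ \d{2}:\d{2}:\d{2}) (\S+) (?P<msg>.*)$")
PEER_RE = re.compile(r"(?:to |with |@)(\d+(?:\.\d+){3})")
# Where to look next, keyed by the stage at which the attempt died (checklist from this thread).
HINTS = {
    "phase1-failed": "Main Mode never completed: check PSK, IKE proposal and DH group",
    "phase2-rejected": "ISAKMP SA up, peer answered Quick Mode with a notify: check ESP proposal, PFS, subnets",
    "phase2-timeout": "ISAKMP SA up, no Quick Mode reply: check peer tunnel entry and UDP 500/4500",
}

def classify(a):
    if not a["phase1"]:
        return "phase1-failed"
    return "phase2-rejected" if a["peer_informational"] else "phase2-timeout"

def diagnose(log_text):
    """Walk the syslog in order; return one record per 'Initiating IKE Main Mode' attempt."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # unknown row shape: skip, never guess
        msg = m.group("msg")
        if msg.startswith("Initiating IKE Main Mode"):  # bare form only, not the [IPSEC/IKE] echo
            peer = PEER_RE.search(msg)
            cur = {"peer": peer.group(1) if peer else None, "at": m.group("recv"),
                   "phase1": False, "peer_informational": False, "verdict": None}
            attempts.append(cur)
        elif cur is None:
            continue                                  # tail of an attempt that began before the capture
        elif "ISAKMP SA established" in msg:
            cur["phase1"] = True                      # Phase 1 (Main Mode) completed
        elif msg.startswith("IKE <==") and "Exchange Type = 0x5" in msg:
            cur["peer_informational"] = True          # 0x5 = Informational; a Quick Mode reply would be 0x20
        elif "IKE link timeout" in msg:
            cur["verdict"] = classify(cur)
    return attempts
```

Running `diagnose(SAMPLE_LOG)` yields two attempts: the first dies as `phase1-failed`, the second as `phase2-rejected`, which is the pattern the thread is discussing (ISAKMP SA established, then an Informational reply to Quick Mode, then a link timeout).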
systemagic (Author) commented:
Thanks for your help. I've double checked the IP settings and they should definitely be correct; here's a screenshot of some of the settings on the routers:

[screenshot: EdgeMax]
On the Draytek end I've tried adjusting the settings, as I'm not 100% sure what they should be:

[screenshot: Draytek 1]
[screenshot: Draytek 2]
noci (Software Engineer) commented:
When you have a choice between Perfect Forward Secrecy Yes/No .... mostly it only allows for DH2.
(Draytek is a little different; later read the G14..; and it would fail in Main Mode then.)

You may need a longer Shared Secret... make it >20 characters or so.
Use a tool like pwgen to generate one. (no easy to remember short passwords please).

Negotiation between various routers sometimes fails... try to stick to one method,
e.g. sha256.

systemagic (Author) commented:
Thanks very much, the long shared secret solved it :)
systemagic (Author) commented:
Issue solved by entering a longer shared secret.