systemagic

IPSEC VPN Between Draytek 2860 and Ubiquiti EdgeMax

I'm trying to set up an IPSEC tunnel between a Draytek 2860 and a Ubiquiti EdgeMax. I'm very familiar with Drayteks and have set up many tunnels before; the EdgeMax is a new customer and I haven't used these devices before, but looking at the setup it's fairly simple to add an IPSEC LAN to LAN. I think it's almost working, here are the logs from the Draytek Syslog:

141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.120.190] IKE link timeout: state linking
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x17ebe5f9
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] Initiating IKE Main Mode
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
141 2018-04-09 10:18:02 Apr  9 10:17:51 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:03 Apr  9 10:17:51 Systemagic_BoA Linking status:3 time out...restart VPN[10] of L2L[1].
141 2018-04-09 10:18:03 Apr  9 10:17:51 Systemagic_BoA [L2L][DOWN][IPsec][@0:FEA]
141 2018-04-09 10:18:03 Apr  9 10:17:51 Systemagic_BoA [IPSEC][@5.2.120.190] IKE release: state linking
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] Initiating IKE Main Mode
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
141 2018-04-09 10:18:05 Apr  9 10:17:53 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr  9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:05 Apr  9 10:17:54 Systemagic_BoA NAT-Traversal: Using RFC 3947, no NAT detected
141 2018-04-09 10:18:05 Apr  9 10:17:54 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA ISAKMP SA #39735 will be replaced after 21572 seconds
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA ISAKMP SA established with 5.2.120.190. In/Out Index: 0/-1
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA Start IKE Quick Mode to 5.2.120.190
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x9993c5af
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA Client L2L remote network setting is 172.16.32.0/20
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] quick_outI1: match network
141 2018-04-09 10:18:06 Apr  9 10:17:54 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x47377cd3
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.120.190] IKE link timeout: state linking
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x80b3f6a5
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] Initiating IKE Main Mode
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_SA, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA Accept Phase1 prorosals : ENCR OAKLEY_AES_CBC, HASH OAKLEY_SHA
141 2018-04-09 10:18:17 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA NAT-Traversal: Using RFC 3947, no NAT detected
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_ID, Exchange Type = 0x2, Message ID = 0x0
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA ISAKMP SA #39737 will be replaced after 21375 seconds
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA ISAKMP SA established with 5.2.120.190. In/Out Index: 0/-1
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA Start IKE Quick Mode to 5.2.120.190
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x2fc5d3f9
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA Client L2L remote network setting is 172.16.32.0/20
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA [IPSEC/IKE][L2L][1:FEA][@5.2.120.190] quick_outI1: match network
141 2018-04-09 10:18:18 Apr  9 10:18:06 Systemagic_BoA IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0xf3c252e0
141 2018-04-09 10:18:30 Apr  9 10:18:18 Systemagic_BoA [IPSEC][L2L][1:FEA][@5.2.120.190] IKE link timeout: state linking
141 2018-04-09 10:18:30 Apr  9 10:18:18 Systemagic_BoA IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x98bf86c1
141 2018-04-09 10:18:30 Apr  9 10:18:18 Systemagic_BoA Dialing Node1 (FEA) : 5.2.120.190
141 2018-04-09 10:18:30 Apr  9 10:18:18 Systemagic_BoA Initiating IKE Main Mode to 5.2.120.190
noci

Looks like the Phase 2 communication has a mismatch.
So there might be a mismatch in IP address ranges etc. (Draytek allows for overlapping ranges (overlapping with local ones, I mean); others don't always allow this as easily.)
NAT-T is enabled, so also allow for port 4500.
Is there a corresponding DH setting on both sides? (Sometimes called forward secrecy/security.)
You may want to obfuscate IP addresses before publishing them...
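Reading the posted log programmatically, as an added example that is not part of the thread: the Draytek completes Main Mode (ISAKMP SA established), sends its Quick Mode message (exchange type 0x20), and the peer answers with an Informational exchange (type 0x5) before the link times out, which is why the diagnosis points at Phase 2 rather than Phase 1. The sample lines and the host name `router` are constructed to mirror the log above; 203.0.113.10 is a documentation address standing in for the peer.

```python
import re

# Constructed sample mirroring the thread's log; 203.0.113.10 is a documentation address
SAMPLE_LOG = """\
Apr  9 10:17:51 router Initiating IKE Main Mode to 203.0.113.10
Apr  9 10:17:51 router IKE ==>, Next Payload=ISAKMP_NEXT_KE, Exchange Type = 0x2, Message ID = 0x0
Apr  9 10:17:51 router Linking status:3 time out...restart VPN[10] of L2L[1].
Apr  9 10:17:53 router Initiating IKE Main Mode to 203.0.113.10
Apr  9 10:17:54 router ISAKMP SA established with 203.0.113.10. In/Out Index: 0/-1
Apr  9 10:17:54 router Start IKE Quick Mode to 203.0.113.10
Apr  9 10:17:54 router IKE ==>, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x20, Message ID = 0x9993c5af
Apr  9 10:17:54 router IKE <==, Next Payload=ISAKMP_NEXT_HASH, Exchange Type = 0x5, Message ID = 0x47377cd3
Apr  9 10:18:06 router [IPSEC][L2L][1:FEA][@203.0.113.10] IKE link timeout: state linking
"""

# Direction and ISAKMP exchange type: 0x2 Main Mode, 0x20 Quick Mode, 0x5 Informational (RFC 2408/2409)
IKE_LINE = re.compile(r"IKE (==>|<==), Next Payload=\w+, Exchange Type = (0x[0-9a-fA-F]+)")

def split_attempts(lines):
    """Each 'Initiating IKE Main Mode' line opens a new negotiation attempt."""
    attempts = []
    for line in lines:
        if "Initiating IKE Main Mode to" in line:
            attempts.append([])
        if attempts:
            attempts[-1].append(line)
    return attempts

def classify_attempt(lines):
    """Report how far one attempt got: Phase 1 (Main Mode) or Phase 2 (Quick Mode)."""
    phase1_done = quick_mode = peer_notify = timed_out = False
    for line in lines:
        if "ISAKMP SA established" in line:
            phase1_done = True
        elif "Start IKE Quick Mode" in line:
            quick_mode = True
        elif "IKE link timeout" in line or "time out" in line:
            timed_out = True
        m = IKE_LINE.search(line)
        if m and m.group(1) == "<==" and int(m.group(2), 16) == 0x5:
            peer_notify = True  # inbound Informational after our Quick Mode = the peer's notify
    if not phase1_done:
        return "phase1_failed"  # Main Mode never produced an ISAKMP SA
    if quick_mode and peer_notify:
        return "phase2_rejected_by_peer"  # Phase 1 agreed, Phase 2 proposal refused
    if quick_mode and timed_out:
        return "phase2_timeout"
    return "established"

def diagnose(log_text):
    return [classify_attempt(a) for a in split_attempts(log_text.splitlines())]
```

A "phase2_rejected_by_peer" result is the cue to compare the Phase 2 settings the answer above lists (subnets, DH/PFS) and the shared secret on both ends, rather than the Phase 1 proposal.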

ASKER

Thanks for your help, I've double checked the IP settings and they should definitely be correct, here's a screenshot of some of the settings on the routers:

User generated image
On the Draytek end I've tried adjusting the settings as I'm not 100% sure what they should be:

User generated image
User generated image
ASKER CERTIFIED SOLUTION
noci

Thanks very much, the long shared secret solved it :)
Issue solved by entering a longer shared secret