If your job is anything like mine, you’ll find yourself working with various different technologies, from various different manufacturers.
A few days ago I was tasked with setting up a LAN to LAN VPN for a customer’s new premises. Interestingly, the customer had chosen to install a completely different manufacturer’s product compared to their existing equipment: a Meraki MX60 in their new site, and an old Draytek 2820 in their existing site.
As getting a LAN to LAN VPN running between two different pieces of kit can throw up some headaches, I thought I would detail the required steps to make this work.
Before we begin, update the firmware on the Draytek router (back up the config first, and make sure you use the .all firmware file – the .rst file resets the device to factory settings).
Head over to the Meraki Cloud and make sure that your MX appliance has the latest firmware installed.
Now, let’s go get our VPN configured!
Log in to your Draytek’s web interface.
Select VPN and Remote Access
Select LAN to LAN
1. Common Settings:
Create a new profile, name it and enable it. Also make sure you’re dialling out via the correct WAN port (i.e. WAN1 would be for ADSL, WAN2 would be for Infinity, EFM etc.).
Tick the Always on box. This ensures that the VPN doesn’t time out and that the Draytek initiates the tunnel (something the Meraki doesn’t seem to do).
2. Dial-Out Settings
Select IPSec Tunnel
Enter the remote site’s external IP address
Enter a secure IKE pre-shared key (you’ll need to enter the same key in the Meraki settings as well)
Select High ESP (AES with Authentication)
Select the Advanced button
Select Main Mode
Select IKE phase 1 as 3DES_SHA1_G2
Select IKE phase 2 as AES256_SHA1
Set the IKE P1 lifetime to 28800 (seconds)
Set the IKE P2 lifetime to 3600 (seconds – you’ll need to change the Meraki side to match)
Make sure Perfect Forward Secret (PFS) is disabled; this must match on both ends.
3. Dial-In Settings
Tick IPSec Tunnel only
Specify the remote gateway IP
Enter the PSK as before
Make sure at least 3DES and AES are ticked (I’ve tested OK with both Medium and DES unticked).
4. TCP/IP Network Settings
Enter the LAN-side IP of the remote gateway (the Meraki)
Enter the LAN subnet behind the remote gateway – and check the subnet mask.
Next, time to configure the Meraki.
Meraki MX60 / MX60W
Log into the Meraki Cloud.
From the top of the screen, select the network where your MX device is located.
(If you’re an MSP, you’ll need to select the correct Organisation first, then select the correct Network).
From the left-hand side, under the Configure option, select Site-to-site VPN
In the middle pane, use the following settings:
- Mode: Split tunnel (only the site to site traffic will flow over the VPN)
- Topology: Connect directly to all VPN Peers
- Local networks – confirm the subnet is correct and select Use VPN
- Under Organization-wide settings, in the section titled Non-Meraki VPN peers, select Add a peer
- Enter a descriptive name
- Enter the remote public IP address (of the Draytek)
- Enter any private subnets on that network with their subnet mask in CIDR notation (i.e. 192.168.1.0/24). Most likely your subnet mask will be 255.255.255.0, which is written as /24.
- Enter the same pre-shared key as you used in the Draytek config
Select IPsec policies (this will say Default on your screen)
Check through the options and make sure that they match the Draytek – the only one you should need to change is the Phase 2 lifetime – make sure this is set to 3600
You can also see I have selected Test in the Availability field. This makes sure any configuration changes don’t affect any other live Meraki devices in that organisation. It’s unlikely you’ll ever need this, but if you do, go to Organization, Overview. Select Networks and expand it out. Tick your network and select Tag. Give the tag a name. This will then be selectable in the Availability field above.
The VPN should bring itself up after about 60 seconds. If not, you can manually control this in the Draytek’s web interface. (VPN and Remote Access, Connection Management).
The Meraki doesn’t show the status of, or allow you to force, a VPN connection out to the Draytek device (only Meraki-to-Meraki VPN status is visible in the Meraki cloud, under Monitor, VPN Status).
However, you can see the detailed logs of VPN activity by navigating to Monitor, Event Log. If successful, this will show events such as: msg: IPsec-SA established: ESP/Tunnel <draytek ip>-><meraki ip> spi=**********(0x******)
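To check that the two proposals above actually match before you wait for the tunnel, and to pick the "IPsec-SA established" events out of the Meraki event log, here is a small Python checker added to this write-up (it is not Draytek or Meraki code). The setting names, the policy dictionaries and the sample log lines are my own construction based on the steps above; the three "risk" notes flag the settings in this recipe that sit below current guidance, which is something to weigh up rather than a reason the tunnel will fail.

```python
import re

# Constructed from the article's Draytek settings (key names are our own, not vendor UI labels).
DRAYTEK = {"mode": "main", "p1_enc": "3des", "p1_auth": "sha1", "p1_dh_group": 2,
           "p1_lifetime": 28800, "p2_enc": "aes256", "p2_auth": "sha1",
           "p2_lifetime": 3600, "pfs": False}
# Meraki "Default" non-Meraki peer policy as the article describes it: identical except
# for the phase 2 lifetime, which the article says must be changed to 3600.
MERAKI_DEFAULT = dict(DRAYTEK, p2_lifetime=28800)

# Settings this recipe uses that are below current guidance; reported as risks, not errors.
WEAK = [
    ("p1_enc", "3des", "3DES phase 1 cipher: 64-bit block cipher, deprecated for IPsec"),
    ("p1_dh_group", 2, "DH group 2 (1024-bit MODP) for phase 1 is below current minimums"),
    ("pfs", False, "PFS disabled: compromise of the phase 1 keys exposes every phase 2 key"),
]

def mismatches(local, remote):
    """Keys whose values differ between the two peers; IKE will not negotiate unless empty."""
    return sorted(k for k in local if local[k] != remote.get(k))

def weak_settings(cfg):
    """Human-readable risk notes for any WEAK setting present in cfg."""
    return [msg for key, value, msg in WEAK if cfg.get(key) == value]

# racoon-style line as the Meraki event log shows it (addresses may carry a [port] suffix).
SA_RE = re.compile(r"IPsec-SA established: ESP/Tunnel (\S+?)(?:\[\d+\])?->(\S+?)(?:\[\d+\])? "
                   r"spi=(\d+)\((0x[0-9a-f]+)\)")

def established_sas(lines):
    """Return (src, dst, spi) for every 'IPsec-SA established' event found in lines."""
    found = []
    for line in lines:
        m = SA_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2), int(m.group(3))))
    return found

# Constructed sample event log lines (documentation addresses, made-up SPIs).
SAMPLE_LOG = [
    "Jan 1 10:00:01 IPsec-SA established: ESP/Tunnel 203.0.113.10[500]->198.51.100.20[500] spi=305419896(0x12345678)",
    "Jan 1 10:00:01 IPsec-SA established: ESP/Tunnel 198.51.100.20->203.0.113.10 spi=2596069104(0x9abcdef0)",
    "Jan 1 10:00:05 phase1 negotiation failed due to time up",
]

if __name__ == "__main__":
    print("mismatches before fix:", mismatches(DRAYTEK, MERAKI_DEFAULT))
    print("mismatches after fix:", mismatches(DRAYTEK, dict(MERAKI_DEFAULT, p2_lifetime=3600)))
    for msg in weak_settings(DRAYTEK):
        print("risk:", msg)
    for sa in established_sas(SAMPLE_LOG):
        print("SA up:", sa)
```

An SA line in each direction (as in the sample) is what a healthy tunnel looks like; a mismatch list that isn’t empty is the first thing to fix when the event log shows only phase 1 or phase 2 failures.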
You can easily monitor the VPN status from the Draytek interface.
Draytek Support: http://www.draytek.co.uk/support
Meraki Support: https://meraki.cisco.com/support