Configuring a Draytek to Meraki LAN to LAN VPN

If your job is anything like mine, you’ll find yourself working with various different technologies, from various different manufacturers.

A few days ago I was tasked with setting up a LAN to LAN VPN for a customer’s new premises.  Interestingly the customer had chosen to install a completely different manufacturers product compared to their existing equipment:  Meraki MX60 in their new site, and an old Draytek 2820 in their existing site.

As getting a LAN to LAN VPN running between two different pieces of kit can throw up some headaches, I thought I would detail the required steps to make this work.

Before we begin, update the firmware on the Draytek router (backup the config first, make sure you use the .all file – the .rst file resets the device to factory settings).

Head over to the Meraki Cloud and make sure that your MX appliance has the latest firmware installed.

meraki update

Now, lets go get our VPN configured!

Draytek (2820)

Log in to your Draytek’s web interface.

Select VPN and Remote Access

Select LAN to LAN

1. Common Settings:

Create a new profile, name it and enable it. Also make sure your dialling out via the correct wan port (ie, WAN1 would be for ADSL, WAN2 would be for Infinity, EFM etc).

Tick the Always on box.  This will ensure that the VPN doesn’t time out, and that the Draytek initiates the tunnel out (something the Meraki doesn’t seem to do).

draytek to meraki vpn

2Dial-Out Settings

Select IPSec Tunnel

Enter the remote sites external ip address

Enter a secure IKE Preshared key (you’ll need to enter this into the Meraki Settings also)

Select High ESP (AES with Authentication)


Select the Advanced button

Select Main Mode

Select IKE phase 1 as 3DES_SHA1_G2

Select IKE phase 2 as AES256_Sha1

IKE P1 lifetime is 28800

IKE P2 lifetime is 3600  (you’ll need to change this to match on the Meraki)

Make sure Perfect Forward Secret is disabled.


3. Dial-In Settings

Tick IP Sec Tunnel only

Specify the remote gateway ip

Enter the PSK as before

Make sure at least 3DES and AES are ticked (I’ve tested ok with both Medium and DES unticked).


 4. TCP/IP Network Settings

Enter the local IP of the remote gateway

Enter the local subnet range of the remote gateway  – also check the subnet mask.


Next, time to configure the Meraki.

Meraki MX60 / W

Log into the Meraki Cloud.

From the top of the screen, select the network where your MX device is located.

(If you’re an MSP, you’ll need to select the correct Organisation first, then select the correct Network).


From the left hand side, under the configure option, select Site-to-site VPN

In the middle pane,  use the following settings:

      • Mode: Split tunnel (only the site to site traffic will flow over the VPN)
      • Topology: Connect directly to all VPN Peers
      • Local Networks – confirm the subnet is correct. Select use VPN
      • Under organization-wide settings,  in the section titled non-meraki vpn peers, select Add a Peer
      • Enter a descriptive name
      • Enter the remote public ip address (of the Draytek)
      • Any private subnets on that network and their subnet mask (ie

Most likely your subnet mask will be  which should be written as /24)

      • Enter the same pre-shared key as you used in the Draytek config


Select IPsec policies (this will say default on your screen)

Check through the options and make sure that they match – the only one you should need to change is the Phase 2 lifetime – make sure this is set as 3600

You can also see I have selected in the Availability field, Test.  This is to make sure any configuration changes don’t affect any other live Meraki’s in that organisation.  It’s unlikely you’ll ever need this, but if you do, go to organization, overview. Select networks and expand out. Tick your network and select tag.  Give the tag a name. This will then be selectable in the above availability field.


The VPN should bring itself up after about 60 seconds.  If not, you can manually control this in the Draytek’s web interface. (VPN and Remote Access, Connection Management).


The Meraki doesn’t show the status of, or allow you to force a VPN connection out to the Draytek device (only Meraki to Meraki VPN status will be visible – would be view-able within the Meraki cloud, under Monitor, VPN Status).

However,  you can see the details logs of VPN activity by navigating to Monitor, Event Log.  If successful, this will show events such as: msg: IPsec-SA established: ESP/Tunnel (draytekip[500]> meraki ip[500] spi=**********(0x******)

You can easily monitor the VPN status from the Draytek interface.

Draytek Support:

Meraki Support:

2 thoughts on “Configuring a Draytek to Meraki LAN to LAN VPN

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s