If you are using a Draytek Vigor 2927 router at one site and a Meraki device at another site, and you have set up a LAN-to-LAN IPsec VPN tunnel between them, you may encounter some connectivity issues. For example, you may be able to ping devices on both LANs from each other, but not from a remote SSL VPN user who connects to the Draytek router. This article will explain how to diagnose and resolve this problem, based on a real case.
Problem Description
The scenario is as follows:
- Site A has a Draytek Vigor 2927 router with firmware version 4.4.0.
- Site B has a Meraki device with firmware version MX 15.42.
- The two sites have established a LAN-to-LAN IPsec VPN tunnel using IKEv2 and AES encryption.
- Devices on both LANs can ping each other successfully through the VPN tunnel.
- Site A also has an SSL VPN server for remote users to access the network using the Smart VPN Client software.
- The SSL VPN server has a profile that includes the route to Site B’s LAN under the “Add More Routing” option.
- The SSL VPN profile was working fine when Site A had a Draytek Vigor 3900 router instead of the Vigor 2927.
- However, after replacing the Vigor 3900 with the Vigor 2927, the SSL VPN users can no longer ping devices on Site B’s LAN, even though they can ping devices on Site A’s LAN.
Possible Causes and Solutions
There are several possible causes and solutions for this issue, depending on the configuration and settings of both the Draytek and Meraki devices. Here are some steps to troubleshoot and fix the problem:
Step 1: Verify the LAN-to-LAN IPsec Configuration
The first step is to double-check the LAN-to-LAN IPsec configuration on both the Draytek Vigor 2927 and the Meraki device. Make sure that the settings, such as the pre-shared key, encryption methods, and phase 1/2 parameters, match exactly on both ends. Any discrepancies can lead to connectivity problems or instability.
To check the IPsec configuration on the Draytek Vigor 2927, go to VPN and Remote Access > LAN to LAN, and select the profile that corresponds to Site B. You can see the general settings, dial-out settings, dial-in settings, and advanced settings for the IPsec tunnel. Make sure they match with the settings on the Meraki device.
To check the IPsec configuration on the Meraki device, go to Security & SD-WAN > Site-to-site VPN, and select Hub or Spoke mode depending on your network topology. You can see the local networks, remote VPN peers, VPN settings, and non-Meraki VPN peers for the IPsec tunnel. Make sure they match with the settings on the Draytek Vigor 2927.
If you find any mismatch or error in the IPsec configuration, correct it and save the changes. Then, test the connectivity again from both LANs and from an SSL VPN user.
Step 2: Check the Firewall Rules and NAT Policies
The next step is to check if there are any firewall rules or NAT policies that might be blocking or interfering with the traffic between Site A and Site B. For example, there might be a firewall rule that denies ICMP packets (ping) from or to certain IP addresses or subnets. Or there might be a NAT policy that translates or masquerades the source or destination IP addresses of certain traffic.
To check the firewall rules on the Draytek Vigor 2927, go to Firewall > Filter Setup > Default Data Filter. You can see a list of rules that apply to different interfaces and directions of traffic. You can also create custom rules using the Add/Edit/Delete buttons. Make sure there is no rule that denies or drops traffic from or to Site B’s LAN or from or to SSL VPN users.
To check the NAT policies on the Draytek Vigor 2927, go to NAT > Port Redirection / Open Ports / DMZ Host / Address Mapping / NAT Loopback / ALG / UPnP / NAT Sessions. You can see various options for configuring NAT policies for different types of traffic and applications. Make sure there is no policy that changes or hides the original IP addresses of traffic from or to Site B’s LAN or from or to SSL VPN users.
To check the firewall rules on the Meraki device, go to Security & SD-WAN > Firewall. You can see a list of rules that apply to different types of traffic and zones. You can also create custom rules using the Add a rule button. Make sure there is no rule that denies or drops traffic from or to Site A’s LAN or from or to SSL VPN users.
To check the NAT policies on the Meraki device, go to Security & SD-WAN > Addressing & VLANs. You can see various options for configuring NAT policies for different interfaces and subnets. Make sure there is no policy that changes or hides the original IP addresses of traffic from or to Site A’s LAN or from or to SSL VPN users.
If you find any firewall rule or NAT policy that might be causing the problem, modify or delete it and save the changes. Then, test the connectivity again from both LANs and from an SSL VPN user.
Step 3: Review the SSL VPN Configuration
The final step is to review the SSL VPN configuration on the Draytek Vigor 2927 and the Smart VPN Client software. Make sure the configuration includes the necessary routes and settings to direct traffic through the VPN tunnel to Site B.
To check the SSL VPN configuration on the Draytek Vigor 2927, go to VPN and Remote Access > Remote Dial-in User. You can see a list of profiles for SSL VPN users. Select the profile that you use to connect to Site A and click Edit. You can see the general settings, dial-in settings, advanced settings, and routing table for the SSL VPN profile. Make sure the routing table includes the subnet of Site B’s LAN with a gateway of 0.0.0.0.
To check the SSL VPN configuration in the Smart VPN Client software, open the software and select the profile that you use to connect to Site A. Click Edit and go to the More Routing tab. You can see the list of routes for the SSL VPN connection. Make sure the list includes the subnet of Site B’s LAN with a gateway of 0.0.0.0.
If you find any missing or incorrect route in the SSL VPN configuration, add or edit it and save the changes. Then, test the connectivity again from an SSL VPN user.
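The three steps above are really one chain of checks that a ping from an SSL VPN user has to pass on its way to Site B. The following script is an added example, not code from the article or from Draytek or Meraki: it models that chain so you can see which check a given configuration fails before touching either device. The addresses (Site A LAN, Site B LAN, SSL VPN client pool), the route lists and the firewall rules are constructed sample values. It goes one step beyond the article in one place: besides checking that the LAN-to-LAN networks match on both ends (Step 1), it also checks that the SSL VPN client pool itself is inside those networks, because an IPsec tunnel only carries traffic between the networks negotiated for it, and Site B needs a return path for the client's address.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample addressing (not from the article); adjust to your own sites.
SITE_A = "192.168.1.0/24"     # Site A LAN behind the Draytek Vigor 2927
SITE_B = "192.168.2.0/24"     # Site B LAN behind the Meraki
POOL = "192.168.100.0/24"     # addresses handed out to Smart VPN Client users


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def covered(ip: ipaddress.IPv4Address, cidrs: List[str]) -> bool:
    return any(ip in net(c) for c in cidrs)


@dataclass
class FirewallRule:
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    proto: str = "any"   # "icmp", "tcp", "udp" or "any"


def firewall_allows(rules: List[FirewallRule], src, dst, proto: str) -> bool:
    """First matching rule wins; no match falls through to allow."""
    for r in rules:
        if src in net(r.src) and dst in net(r.dst) and r.proto in ("any", proto):
            return r.action == "allow"
    return True


@dataclass
class Topology:
    client_routes: List[str]        # "Add More Routing" entries in the SSL VPN profile
    draytek_local: List[str]        # LAN-to-LAN profile, local networks (Site A side)
    draytek_remote: List[str]       # LAN-to-LAN profile, remote network (Site B side)
    meraki_local: List[str]         # Meraki local subnets taking part in the VPN
    meraki_peer_subnets: List[str]  # private subnets configured for the non-Meraki peer
    draytek_rules: List[FirewallRule] = field(default_factory=list)
    meraki_rules: List[FirewallRule] = field(default_factory=list)


def trace_ping(topo: Topology, client_ip: str, target_ip: str) -> List[Tuple[str, bool]]:
    """Follow an ICMP echo from an SSL VPN user toward a Site B host, recording
    each check in the order the article's steps apply and stopping at the first drop."""
    src, dst = ipaddress.ip_address(client_ip), ipaddress.ip_address(target_ip)
    steps: List[Tuple[str, bool]] = []

    def check(name: str, ok: bool) -> bool:
        steps.append((name, ok))
        return ok

    # Step 3: without a pushed route the client sends the packet to its own
    # default gateway instead of into the SSL tunnel.
    if not check("client has route to Site B", covered(dst, topo.client_routes)):
        return steps
    # Step 2: the Draytek data filter sees the packet arriving from the SSL user.
    if not check("Draytek firewall allows", firewall_allows(topo.draytek_rules, src, dst, "icmp")):
        return steps
    # Step 1: both ends must describe the same pair of networks ...
    mirrored = (set(map(net, topo.draytek_local)) == set(map(net, topo.meraki_peer_subnets))
                and set(map(net, topo.draytek_remote)) == set(map(net, topo.meraki_local)))
    if not check("IPsec networks match on both ends", mirrored):
        return steps
    # ... and the user's source address must fall inside them; otherwise the
    # packet never enters the tunnel and Site B has no return path for it.
    if not check("client source covered by IPsec networks",
                 covered(src, topo.draytek_local) and covered(dst, topo.draytek_remote)):
        return steps
    check("Meraki firewall allows", firewall_allows(topo.meraki_rules, src, dst, "icmp"))
    return steps


def first_failure(steps: List[Tuple[str, bool]]) -> Optional[str]:
    return next((name for name, ok in steps if not ok), None)


def baseline() -> Topology:
    """The article's starting point: the LAN-to-LAN tunnel carries Site A <-> Site B only."""
    return Topology(client_routes=[SITE_A], draytek_local=[SITE_A], draytek_remote=[SITE_B],
                    meraki_local=[SITE_B], meraki_peer_subnets=[SITE_A])


def with_client_route(t: Topology) -> Topology:
    t.client_routes = [SITE_A, SITE_B]            # the fix from Step 3
    return t


def with_pool_in_tunnel(t: Topology) -> Topology:
    t.draytek_local = [SITE_A, POOL]              # add the SSL pool on both ends
    t.meraki_peer_subnets = [SITE_A, POOL]
    return t


if __name__ == "__main__":
    for label, topo in [("no route", baseline()),
                        ("route only", with_client_route(baseline())),
                        ("route + pool", with_pool_in_tunnel(with_client_route(baseline())))]:
        steps = trace_ping(topo, "192.168.100.10", "192.168.2.20")
        print(f"{label:13s} first failure: {first_failure(steps)}")
```

Run it as-is to see the three scenarios: the baseline fails at the client route, adding the route alone fails because the client pool is not part of the tunnel, and adding the pool on both ends makes the ping reachable. To reproduce a Step 2 problem, append a `FirewallRule("deny", POOL, SITE_B, "icmp")` to `meraki_rules` or `draytek_rules` and the trace stops at that firewall.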
Conclusion
By following these steps, you should be able to troubleshoot and resolve the VPN connectivity issue between Draytek Vigor 2927 and Meraki devices. If you still have problems, you can contact Draytek support or Meraki support for further assistance.
FAQ
Here are some frequently asked questions related to this topic:
Question: What is a LAN-to-LAN IPsec VPN tunnel?
Answer: A LAN-to-LAN IPsec VPN tunnel is a secure connection between two local area networks (LANs) over the internet using the IPsec protocol. It allows devices on both LANs to communicate with each other as if they were on the same network.
Question: What is an SSL VPN?
Answer: An SSL VPN is a secure connection between a remote user and a network using the SSL/TLS protocol. It allows the user to access network resources and applications through a web browser or a dedicated software client.
Question: What are some benefits of using the Draytek Vigor 2927 router?
Answer: The Draytek Vigor 2927 is a high-performance router that supports multiple WAN connections, load balancing, failover, firewall, content filtering, bandwidth management, hotspot portal, wireless WAN, DrayDDNS, central AP management, central switch management, hardware acceleration, and more features for enterprise networks.
Question: What are some benefits of using Meraki devices?
Answer: Meraki devices are cloud-managed devices that provide easy deployment, configuration, monitoring, and troubleshooting for networks. They support security, SD-WAN, switching, wireless, smart cameras, sensors, IoT applications, and more features for various environments.
Disclaimer
This article is for informational purposes only and does not constitute professional advice. The author is not affiliated with Draytek or Meraki and does not endorse any products or services mentioned in this article. The author is not responsible for any damages or losses caused by following this article. Users should always consult with their own IT experts before making any changes to their network settings or devices.