This article details the configuration issues with a Draytek 2860n VPN into Microsoft Entra.
Issue
When you try to connect your Draytek 2860n, the logs show the error below (entries are listed newest first):
2023-10-17 18:36:26 | [IPSEC][L2L][1:EntraVPN][@xxx.xxx.xxx.13] IKE link timeout: state linking |
2023-10-17 18:36:14 | ## IKEv2 DBG : IKE SA #9760:STATE_IKESA_I is going to be deleted, delete its CHILD SA #9761:STATE_PARENT_I2 |
2023-10-17 18:36:14 | ## IKEv2 DBG : INFORMATIONAL : Receive IKEv2 Delete IKE SA request from xxx.xxx.xxx.13, deleting #9760 |
2023-10-17 18:36:14 | ## IKEv2 DBG : IKESA inR2 : Can’t decrypt message |
2023-10-17 18:36:14 | ## IKEv2 DBG : Missing payload : IKEv2_NP_v2SA+0x1840 |
2023-10-17 18:36:14 | ## IKEv2 DBG : Received IKEv2 Notify [12345] |
2023-10-17 18:36:14 | ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply msgid 1 from xxx.xxx.xxx.13, Peer is IKEv2 Responder |
2023-10-17 18:36:14 | ## IKEv2 DBG : #9760 IKE SA Established, REPLACE after 21375 seconds |
2023-10-17 18:36:14 | ## IKEv2 DBG : IKESA inR1_outI2 : Create CHILD SA #9761, IKE SA is #9760 |
2023-10-17 18:36:14 | ## IKEv2 DBG : NAT_T Lookup : Peer is behind NAT |
2023-10-17 18:36:14 | ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389] |
2023-10-17 18:36:14 | ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388] |
2023-10-17 18:36:14 | ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389] |
2023-10-17 18:36:14 | ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388] |
2023-10-17 18:36:14 | ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Reply msgid 0 from xxx.xxx.xxx.13, Peer is IKEv2 Responder |
2023-10-17 18:36:13 | ## IKEv2 DBG : IKESA outI1 : Create IKE SA #9760 Profile Index 1 |
2023-10-17 18:36:13 | Dialing Node1 (EntraVPN) : xxx.xxx.xxx.13 |
2023-10-17 18:36:13 | Re-dial L2L[1], ifno: 10, status: 0 from WEB… |
Reason
The failure occurs because the device is unable to decrypt the key. This might be because the cipher suites are not supported. Currently working with Draytek to understand how this can be resolved.
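To see at which IKEv2 exchange the tunnel fails, the log above can be put into chronological order and scanned for the failure strings it contains. This is an added example, not part of the original article or any Draytek tooling; the function names and failure labels are hypothetical, and the error/status split for Notify codes follows RFC 7296.

```python
import re
# Subset of the log lines in the article above, newest first as the router lists them.
LOG = """\
2023-10-17 18:36:26 | [IPSEC][L2L][1:EntraVPN][@xxx.xxx.xxx.13] IKE link timeout: state linking |
2023-10-17 18:36:14 | ## IKEv2 DBG : INFORMATIONAL : Receive IKEv2 Delete IKE SA request from xxx.xxx.xxx.13, deleting #9760 |
2023-10-17 18:36:14 | ## IKEv2 DBG : IKESA inR2 : Can’t decrypt message |
2023-10-17 18:36:14 | ## IKEv2 DBG : Missing payload : IKEv2_NP_v2SA+0x1840 |
2023-10-17 18:36:14 | ## IKEv2 DBG : Received IKEv2 Notify [12345] |
2023-10-17 18:36:14 | ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply msgid 1 from xxx.xxx.xxx.13, Peer is IKEv2 Responder |
2023-10-17 18:36:14 | ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388] |
2023-10-17 18:36:14 | ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Reply msgid 0 from xxx.xxx.xxx.13, Peer is IKEv2 Responder |
2023-10-17 18:36:13 | ## IKEv2 DBG : IKESA outI1 : Create IKE SA #9760 Profile Index 1 |
"""

LINE = re.compile(r"^(\S+ \S+) \| (.*?) \|$")
EXCHANGE = re.compile(r"Recv IKEv2_(SA_INIT|AUTH)\[\d+\] Reply")
NOTIFY = re.compile(r"Received IKEv2 Notify \w*\[(\d+)\]")
FAILURES = {  # hypothetical labels for strings that appear in this log
    "missing_payload": re.compile(r"Missing payload"),
    "decrypt_failed": re.compile(r"Can['’]t decrypt message"),
    "peer_deleted_sa": re.compile(r"Receive IKEv2 Delete IKE SA request"),
    "link_timeout": re.compile(r"IKE link timeout"),
}

def parse(log):
    """Return (timestamp, message) tuples oldest first by reversing the newest-first listing."""
    rows = [LINE.match(line.strip()) for line in log.splitlines()]
    return [m.groups() for m in reversed(rows) if m]

def notify_class(code):
    """RFC 7296: notify types below 16384 report errors; 8192-16383 are private use."""
    if code >= 16384:
        return "status"
    return "error (private use)" if code >= 8192 else "error"

def diagnose(log):
    result = {"last_exchange": None, "failures": [], "error_notifies": []}
    for _ts, msg in parse(log):
        if m := EXCHANGE.search(msg):
            result["last_exchange"] = m.group(1)  # last exchange the peer answered
        if (m := NOTIFY.search(msg)) and notify_class(int(m.group(1))) != "status":
            result["error_notifies"].append(int(m.group(1)))
        for name, pat in FAILURES.items():
            if pat.search(msg) and name not in result["failures"]:
                result["failures"].append(name)
    return result

if __name__ == "__main__":
    print(diagnose(LOG))
```

On this log it reports AUTH as the last exchange the peer answered and Notify 12345 as falling in the private-use error range, which places the failure in the IKE_AUTH reply, after IKE_SA_INIT had already been answered.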