
Entra Remote Network to Draytek 2860n Failure

This article details the configuration issues with a Draytek 2860n VPN into Microsoft Entra.

Issue

You try to connect your Draytek 2860n but receive the error below in the logs (newest entry first):

2023-10-17 18:36:26 [IPSEC][L2L][1:EntraVPN][@xxx.xxx.xxx.13] IKE link timeout: state linking
2023-10-17 18:36:14 ## IKEv2 DBG : IKE SA #9760:STATE_IKESA_I is going to be deleted, delete its CHILD SA #9761:STATE_PARENT_I2
2023-10-17 18:36:14 ## IKEv2 DBG : INFORMATIONAL : Receive IKEv2 Delete IKE SA request from xxx.xxx.xxx.13, deleting #9760
2023-10-17 18:36:14 ## IKEv2 DBG : IKESA inR2 : Can’t decrypt message
2023-10-17 18:36:14 ## IKEv2 DBG : Missing payload : IKEv2_NP_v2SA+0x1840
2023-10-17 18:36:14 ## IKEv2 DBG : Received IKEv2 Notify [12345]
2023-10-17 18:36:14 ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply msgid 1 from xxx.xxx.xxx.13, Peer is IKEv2 Responder
2023-10-17 18:36:14 ## IKEv2 DBG : #9760 IKE SA Established, REPLACE after 21375 seconds
2023-10-17 18:36:14 ## IKEv2 DBG : IKESA inR1_outI2 : Create CHILD SA #9761, IKE SA is #9760
2023-10-17 18:36:14 ## IKEv2 DBG : NAT_T Lookup : Peer is behind NAT
2023-10-17 18:36:14 ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]
2023-10-17 18:36:14 ## IKEv2 DBG : IKESA inR1_outI2 : Receive Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]
2023-10-17 18:36:14 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_DESTINATION_IP[16389]
2023-10-17 18:36:14 ## IKEv2 DBG : Received IKEv2 Notify IKEv2_NAT_DETECTION_SOURCE_IP[16388]
2023-10-17 18:36:14 ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Reply msgid 0 from xxx.xxx.xxx.13, Peer is IKEv2 Responder
2023-10-17 18:36:13 ## IKEv2 DBG : IKESA outI1 : Create IKE SA #9760 Profile Index 1
2023-10-17 18:36:13 Dialing Node1 (EntraVPN) : xxx.xxx.xxx.13
2023-10-17 18:36:13 Re-dial L2L[1], ifno: 10, status: 0 from WEB…

Reason

The failure occurs because the device is unable to decrypt the key. This might be because the cipher suites are not supported. Currently working with Draytek to understand how this can be resolved.
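
Read oldest-first, the log shows the IKE_SA_INIT reply arriving and the failure occurring on the IKE_AUTH reply. The following added example (not from the original article or from Draytek) reorders the excerpt and names the exchange in which negotiation stopped. The line format is assumed from the excerpt above, and the event names and function names are hypothetical.

```python
import re

# Lines copied from the excerpt above, newest first as the router displays them.
SAMPLE = """\
2023-10-17 18:36:26 [IPSEC][L2L][1:EntraVPN][@xxx.xxx.xxx.13] IKE link timeout: state linking
2023-10-17 18:36:14 ## IKEv2 DBG : INFORMATIONAL : Receive IKEv2 Delete IKE SA request from xxx.xxx.xxx.13, deleting #9760
2023-10-17 18:36:14 ## IKEv2 DBG : IKESA inR2 : Can’t decrypt message
2023-10-17 18:36:14 ## IKEv2 DBG : Recv IKEv2_AUTH[35] Reply msgid 1 from xxx.xxx.xxx.13, Peer is IKEv2 Responder
2023-10-17 18:36:14 ## IKEv2 DBG : #9760 IKE SA Established, REPLACE after 21375 seconds
2023-10-17 18:36:14 ## IKEv2 DBG : Recv IKEv2_SA_INIT[34] Reply msgid 0 from xxx.xxx.xxx.13, Peer is IKEv2 Responder
2023-10-17 18:36:13 ## IKEv2 DBG : IKESA outI1 : Create IKE SA #9760 Profile Index 1
"""

# Assumed format: "YYYY-MM-DD HH:MM:SS [## IKEv2 DBG : ]message"
LINE = re.compile(r"^\s*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?:## IKEv2 DBG : )?(.*)$")
# (pattern, hypothetical event name); the first matching pattern wins.
EVENTS = [
    (r"Create IKE SA #\d+", "init_sent"),
    (r"Recv IKEv2_SA_INIT\[34\] Reply", "init_reply"),
    (r"Recv IKEv2_AUTH\[35\] Reply", "auth_reply"),
    (r"Can.t decrypt message", "decrypt_fail"),  # tolerates ' and the curly quote
    (r"Receive IKEv2 Delete IKE SA request", "peer_delete"),
    (r"IKE link timeout", "timeout"),
]

def timeline(text):
    """Return [(timestamp, event)] oldest first; input is newest first."""
    out = []
    for raw in reversed(text.splitlines()):  # reversal keeps order within a second
        m = LINE.match(raw)
        name = next((n for p, n in EVENTS if m and re.search(p, m.group(2))), None)
        if name:
            out.append((m.group(1), name))
    return out

def failing_phase(events):
    """Name the IKEv2 exchange in which the negotiation stopped."""
    seen = [name for _, name in events]
    if "init_reply" not in seen:
        return "IKE_SA_INIT: no reply from peer"
    if "auth_reply" not in seen:
        return "IKE_AUTH: no reply from peer"
    if "decrypt_fail" in seen and seen.index("decrypt_fail") > seen.index("auth_reply"):
        return "IKE_AUTH: reply received but could not be decrypted"
    return "no failure identified"

if __name__ == "__main__":
    print(failing_phase(timeline(SAMPLE)))
```

The result narrows the fault to the IKE_AUTH exchange, so the settings to compare between the Draytek profile and the Entra remote network are those that apply after IKE_SA_INIT has completed.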