15.44 site-to-site VPN not working

SOLVED
jay_b
Getting noticed

15.44 site-to-site VPN not working

Has anyone experienced site-to-site VPN tunnels not working in 15.44? The remote peer is AWS.  I think it looks like an issue with Remote ID. Have anyone successfully configured the site-to-site tunnel with AWS in version 15. xx?

1 ACCEPTED SOLUTION

I had similar problems despite entering the external IP address for the AWS virtual gateway in the remote ID cell. Once I changed the IKE Version from IKEv1 to IKEv2 all our non meraki peers into AWS became stable. n.b Ensure the VPN tunnel connection options in the AWS Console has the IKEv2 selection button ticked. Allow at least 10 minutes for settings to register. I hope this helps

View solution in original post

12 REPLIES 12
jay_b
Getting noticed

Also Do I have to use IKEv2 or IKEv1 should work ?

BazMonkey
Getting noticed

These notes are in the release notes for 15.44

 

  • Due to underlying changes present in MX 15, MX appliances will now strictly validate the remote ID parameter during VPN tunnel formation. If you notice issues with non-Meraki VPN tunnel connectivity after upgrading to MX 15 for the first time, please ensure the remote ID configured in the site-to-site VPN page for a given non-Meraki peer matches what is configured as the local ID on that device.

Hello, @BazMonkey  Thanks for the info. I am aware of this but the issue I am having is what should we put in the Remote ID value for AWS peer. 

 

Also should IKEv1 work or do I have to use IKEv2 ?

I had similar problems despite entering the externalIP address for the AWS virtual gateway in the remote ID cell. Once I changed the IKE Version from IKEv1 to IKEv2 all our non meraki peers into AWS became stable. n.b Ensure theVPN tunnel connection options has the IKEv2 selection button ticked. Allow at least 10 minutes for settings to register.

@melvyn-lee  Thanks for the info. Just to double check you entered same value as PUBLIC IP in REMOTE ID. Correct ? and changed it to IKEv2

@jay_b  In the Meraki site to site page

 

melvynlee_0-1637852819036.png

 

Yes the Public IP address and the Remote ID cell entry are the same and the IKE version was changed from IKEv1 to IKEv2. MX14.53 worked on IKEv1 whereas MX15.range of firmware runs on IKEv2. Make sure IKEv2 is selected at the VPN tunnel options on the AWS console as well

@melvyn-lee  That's the thing. I don't think there is option to set in AWS. When I check I only see default there and default says IKEv1 and IKEv2 but there is no option to select.

That's OK, as long as both are selected it will facilitate the format / standards selected at the Meraki end. So if IKEv1 and IKEv2 are ticked at the AWS end and IKEv2 is selected at the Meraki end then your peer connection will run on IKEv2. Note that any changes made at the AWS end take a good 5 - 10 minutes to fully register.

I had similar problems despite entering the external IP address for the AWS virtual gateway in the remote ID cell. Once I changed the IKE Version from IKEv1 to IKEv2 all our non meraki peers into AWS became stable. n.b Ensure the VPN tunnel connection options in the AWS Console has the IKEv2 selection button ticked. Allow at least 10 minutes for settings to register. I hope this helps

Can you share the tunnel VPN configuration on AWS side? Thank you

jay_b
Getting noticed

@melvyn-lee  Thanks for solution. This worked perfectly. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels