Meraki

Marc_Abaya · ‎Jul 5 2024

We have already verified that we are matching Phase1/2 settings, but we can't get the VPN to work. Here's the error message- from Wireshark, it looks like it's stuck in CREATE_CHILD_SA.

We're using IKEv2 and I think that's the culprit, but we can't use V1 since we're not allowed.

KarstenI · ‎Jul 5 2024

You have more than one IP network on either side of the VPN? Only the first will establish: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NOTE_For_IKEv2

Perhaps this is the problem here.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

rhbirkelund · ‎Jul 5 2024

What events are you seeing in the Meraki Event Log?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

Marc_Abaya · ‎Jul 5 2024

Curiously no errors, it's saying peer connection is established. We just can't pass traffic.

rhbirkelund · ‎Jul 5 2024

Do you see traffic coming from the Firepower to the Meraki, but nothing coming from the Meraki to the Firepower?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

Marc_Abaya · ‎Jul 5 2024

Nope, no traffic from Firepower since Phase2 can't establish.

alemabrahao · ‎Jul 5 2024

Take a look at this.

https://community.cisco.com/t5/security-knowledge-base/how-to-configure-a-site-to-site-vpn-between-f...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Marc_Abaya · ‎Jul 5 2024

Thanks, I think I've seen this earlier. It's using IKEv1 which we can't do.

Anyone able to use IKEv2 with Firepower? I'm guessing that's our problem, we can't make IKEv2 work.

PhilipDAth · ‎Jul 8 2024

IKEv1 and IKEv2 should work the same. Make sure you have filled in the Peer ID on the Meraki side correctly.

KarstenI · ‎Jul 5 2024

You have more than one IP network on either side of the VPN? Only the first will establish: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NOTE_For_IKEv2

Perhaps this is the problem here.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Marc_Abaya · ‎Jul 8 2024

Do you mean the inside subnets? We do have several behind the VPN firewalls.

Also if this will make sense, I tried using the MX's WAN1 and the VPN works. But if you fail-over to WAN2, it will not anymore. Is this the IKEv2 limitation mentioned on that article?

rhbirkelund · ‎Jul 8 2024

If you failover to WAN2, then the your Local Public IP changes, in relation to what is configured on the Firepower. So that makes perfectly sense. The Firepower creates a tunnel to WAN1 IP address, if the MX IP changes to that of WAN2, that Firepower can no longer reach its Peer.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.

Meraki

Community

Cannot establish VPN to non-Meraki peer (Firepower)

Cannot establish VPN to non-Meraki peer (Firepower)