Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cannot establish VPN to non-Meraki peer (Firepower)

Solved
Marc_Abaya
Getting noticed
a week ago
a week ago

Cannot establish VPN to non-Meraki peer (Firepower)

We have already verified that we are matching Phase1/2 settings, but we can't get the VPN to work. Here's the error message- from Wireshark, it looks like it's stuck in CREATE_CHILD_SA. 

 

We're using IKEv2 and I think that's the culprit, but we can't use V1 since we're not allowed.

 

 

temp.png

0 Kudos
Subscribe
1 Accepted Solution
KarstenI
Kind of a big deal
Kind of a big deal
a week ago
a week ago

You have more than one IP network on either side of the VPN? Only the first will establish: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NOTE_For_IKEv2

Perhaps this is the problem here.

View solution in original post

Subscribe
10 Replies 10
rhbirkelund
Kind of a big deal
a week ago
a week ago

What events are you seeing in the Meraki Event Log?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
Subscribe
In response to rhbirkelund
Marc_Abaya
Getting noticed
a week ago
a week ago

Curiously no errors, it's saying peer connection is established. We just can't pass traffic.

0 Kudos
Subscribe
In response to Marc_Abaya
rhbirkelund
Kind of a big deal
a week ago
a week ago

Do you see traffic coming from the Firepower to the Meraki, but nothing coming from the Meraki to the Firepower?

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
Subscribe
In response to rhbirkelund
Marc_Abaya
Getting noticed
a week ago
a week ago

Nope, no traffic from Firepower since Phase2 can't establish.

0 Kudos
Subscribe
alemabrahao
Kind of a big deal
Kind of a big deal
a week ago
a week ago

Take a look at this.

 

https://community.cisco.com/t5/security-knowledge-base/how-to-configure-a-site-to-site-vpn-between-f...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
In response to alemabrahao
Marc_Abaya
Getting noticed
a week ago
a week ago

Thanks, I think I've seen this earlier. It's using IKEv1 which we can't do. 

 

Anyone able to use IKEv2 with Firepower? I'm guessing that's our problem, we can't make IKEv2 work.

0 Kudos
Subscribe
In response to Marc_Abaya
PhilipDAth
Kind of a big deal
Kind of a big deal
a week ago
a week ago

IKEv1 and IKEv2 should work the same.  Make sure you have filled in the Peer ID on the Meraki side correctly.

0 Kudos
Subscribe
KarstenI
Kind of a big deal
Kind of a big deal
a week ago
a week ago

You have more than one IP network on either side of the VPN? Only the first will establish: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NOTE_For_IKEv2

Perhaps this is the problem here.

Subscribe
In response to KarstenI
Marc_Abaya
Getting noticed
a week ago
a week ago

Do you mean the inside subnets? We do have several behind the VPN firewalls.

 

Also if this will make sense, I tried using the MX's WAN1 and the VPN works. But if you fail-over to WAN2, it will not anymore. Is this the IKEv2 limitation mentioned on that article?

0 Kudos
Subscribe
In response to Marc_Abaya
rhbirkelund
Kind of a big deal
Monday
Monday

If you failover to WAN2, then the your Local Public IP changes, in relation to what is configured on the Firepower. So that makes perfectly sense. The Firepower creates a tunnel to WAN1 IP address, if the MX IP changes to that of WAN2, that Firepower can no longer reach its Peer.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.