We have already verified that we are matching Phase 1/2 settings, but we can't get the VPN to work. Here's the error message: from Wireshark, it looks like it's stuck in CREATE_CHILD_SA.
We're using IKEv2 and I think that's the culprit, but we can't use V1 since we're not allowed.
You have more than one IP network on either side of the VPN? Only the first will establish: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#NOTE_For_IKEv2
Perhaps this is the problem here.
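To make the note above concrete, here is a small added script (not from the thread or from Meraki) that models the documented IKEv2 behaviour: with several networks on each side, only the first local/remote subnet pair gets a CHILD_SA. The subnets are constructed sample values; the script lists the subnet pairs that would have no SA and checks which sample flows would still pass.

```python
"""Added example (not from the thread): model the Meraki IKEv2 note that
only the first local/remote subnet pair gets a CHILD_SA, and report which
subnet pairs and flows are left without a tunnel."""
from ipaddress import ip_address, ip_network

# Constructed sample site configuration (assumption: the MX and the Firepower
# each advertise these networks in the VPN; the thread gives no real values).
MX_SUBNETS = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24"]
FIREPOWER_SUBNETS = ["192.168.50.0/24", "192.168.51.0/24"]


def negotiated_selector(local_subnets, remote_subnets):
    """The single (local, remote) pair that survives when only one CHILD_SA
    is established: the first subnet listed on each side."""
    return ip_network(local_subnets[0]), ip_network(remote_subnets[0])


def uncovered_pairs(local_subnets, remote_subnets):
    """All subnet pairs that get no SA and therefore pass no traffic."""
    keep = negotiated_selector(local_subnets, remote_subnets)
    return [
        (loc, rem)
        for loc in map(ip_network, local_subnets)
        for rem in map(ip_network, remote_subnets)
        if (loc, rem) != keep
    ]


def flow_allowed(src, dst, local_subnets, remote_subnets):
    """True when a flow matches the negotiated traffic selector in either
    direction (local->remote or remote->local)."""
    keep_l, keep_r = negotiated_selector(local_subnets, remote_subnets)
    s, d = ip_address(src), ip_address(dst)
    return (s in keep_l and d in keep_r) or (s in keep_r and d in keep_l)


if __name__ == "__main__":
    for loc, rem in uncovered_pairs(MX_SUBNETS, FIREPOWER_SUBNETS):
        print(f"no CHILD_SA for {loc} <-> {rem}")
    samples = [("10.10.0.5", "192.168.50.9"), ("10.10.1.5", "192.168.50.9")]
    for src, dst in samples:
        ok = flow_allowed(src, dst, MX_SUBNETS, FIREPOWER_SUBNETS)
        print(src, "->", dst, "allowed" if ok else "dropped")
```

Only traffic between the two first-listed subnets is carried; every other pair shows up as "no CHILD_SA", which matches the symptom of an established peer that cannot pass traffic.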
What events are you seeing in the Meraki Event Log?
Curiously no errors, it's saying peer connection is established. We just can't pass traffic.
Do you see traffic coming from the Firepower to the Meraki, but nothing coming from the Meraki to the Firepower?
Nope, no traffic from Firepower since Phase2 can't establish.
Take a look at this.
Thanks, I think I've seen this earlier. It's using IKEv1 which we can't do.
Anyone able to use IKEv2 with Firepower? I'm guessing that's our problem, we can't make IKEv2 work.
IKEv1 and IKEv2 should work the same. Make sure you have filled in the Peer ID on the Meraki side correctly.
Do you mean the inside subnets? We do have several behind the VPN firewalls.
Also, if this makes sense: I tried using the MX's WAN1 and the VPN works. But if you fail over to WAN2, it does not work anymore. Is this the IKEv2 limitation mentioned in that article?
If you fail over to WAN2, then your local public IP changes in relation to what is configured on the Firepower. So that makes perfect sense. The Firepower creates a tunnel to the WAN1 IP address; if the MX IP changes to that of WAN2, the Firepower can no longer reach its peer.