Firmware 15.42.1 problem in non meraki vpn peers (MX67)

SOLVED
endrianusgohan
Here to help

Hi,

I'm having an issue with non-Meraki VPN peer connections after I upgraded to 15.42.1 from 14.53.

I had to roll back the firmware after the upgrade. Just want to confirm: is that really the problem? I'm using IKEv1, by the way.

Or in this new firmware do I need to use IKEv2?

Please suggest. Thanks.

PhilipDAth
Kind of a big deal

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

You haven't provided enough information to help.

You can use IKEv1 or IKEv2. Both work.

endrianusgohan
Here to help

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

Hi Philip,

Here are the details.

Headquarters
Cisco Meraki MX67
IKE version: IKEv1
IPsec policies: AWS
Phase 1 Encryption: AES 128
Phase 1 Authentication: SHA1
Phase 1 DH Group: 2
Phase 1 Lifetime: 28800
Phase 2 Encryption: AES 128
Phase 2 Authentication: SHA1
Phase 2 PFS Group: 2
Phase 2 Lifetime: 3600
Pre-shared key: used

Branch
Grandstream GWN7000
IKE version: IKEv1
Phase 1 IKE Lifetime: 28800
Phase 1 Key Exchange Mode: Main
Phase 1 Pre-Shared Key: used
Phase 1 Encryption Algorithm: AES_CBC_128
Phase 1 Hash Algorithm: SHA1
Phase 1 DH Group: MODP1024
Phase 2 Encryption Algorithm: AES_CBC_128
Phase 2 Hash Algorithm: SHA1
Phase 2 PFS Group: MODP1024

PhilipDAth
Kind of a big deal

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

What is the actual issue? VPN builds and fails, VPN never works, etc.?

What do the logs on both ends say?

endrianusgohan
Here to help

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

In Cisco Meraki, I got the log attached below.

[image attachment: Meraki event log screenshot]

For the Grandstream GWN7000, I got the log attached below.

[image attachment: Grandstream GWN7000 VPN log screenshot]

At the HQ side, it keeps deleting the SA key. At the branch side, it keeps reconnecting and won't authorize. I suspect it has something to do with the Meraki settings. It works if I downgrade the Meraki firmware to 14.53. After I upgrade, suddenly it won't connect.

Bruce
Kind of a big deal

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

Did you see this in the MX 15 release notes?

[image attachment: MX 15 release notes excerpt]

endrianusgohan
Here to help

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

Hi Bruce,

I've just noticed it. Thank you for the help.

But what value do I need to fill in the Remote ID field, because there is no Local ID on the Grandstream device? I've tried entering the public IP and FQDN values but it still won't work.

Any idea?

Bruce
Kind of a big deal

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

It's hard to say if the Grandstream doesn't have a specific Local ID parameter. It could use its hostname, its IP address (the public one, or the private one), or some other parameter that you configure on the device. Have a look at the 'non-Meraki VPN peers' section of this document for some suggestions: https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings

endrianusgohan
Here to help

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

Hi Bruce,

It works now by entering the private IP of the remote peer.

Thanks for the help.

RB___
Here to help

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

Hey @endrianusgohan! I seem to be experiencing the same issue as you did, but haven't gotten mine to work. Could you provide me with the exact Remote ID config that you used on the MX? For example in my case the peer has public IP 207.16.X.X, and only a single LAN with the peer being 10.1.1.1 (10.1.1.0/24 being the remote subnet I am trying to reach). So in my case would I configure 10.1.1.1 as the Remote ID on the Meraki? Any clarity you can provide would be greatly appreciated!


endrianusgohan
Here to help

Re: Firmware 15.42.1 problem in non meraki vpn peers (MX67)

Hi @RB___,

I use the private IP of the ONT modem from the ISP of the remote non-Meraki router.

If your IP is behind NAT, you can use that private IP address as your Remote ID.

You should try it. Hope it works for you too.
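The two things this thread turns on are whether the HQ and branch proposals actually line up once the vendors' different spellings are normalised, and whether the Remote ID configured on the MX equals the IKE identity the NAT'd peer really sends (its private IP, per the accepted answer). The following Python is an added example, not code from the thread, Meraki or Grandstream; the alias table, the `Peer` fields and the `expected_ike_id` rule are my assumptions drawn from the posts above, and it also flags the SHA1 and 1024-bit DH (group 2 / MODP1024) choices as weak.

```python
from dataclasses import dataclass

# Vendor spellings that mean the same thing (constructed from the thread:
# Meraki "AES 128"/"Group 2" vs Grandstream "AES_CBC_128"/"MODP1024").
ALIASES = {
    "aes 128": "aes128", "aes_cbc_128": "aes128", "sha-1": "sha1",
    "2": "modp1024", "group 2": "modp1024", "14": "modp2048",
}
WEAK = {"modp1024", "sha1"}  # 1024-bit DH and SHA-1 are below current guidance
PARAMS = ("p1_enc", "p1_hash", "p1_dh", "p1_life", "p2_enc", "p2_hash", "p2_pfs")

def norm(value) -> str:
    v = str(value).strip().lower()
    return ALIASES.get(v, v)

@dataclass
class Peer:
    name: str
    p1_enc: str
    p1_hash: str
    p1_dh: str
    p1_life: int
    p2_enc: str
    p2_hash: str
    p2_pfs: str
    public_ip: str
    private_ip: str = ""      # set when the peer sits behind NAT
    behind_nat: bool = False

def expected_ike_id(peer: Peer) -> str:
    """Assumption from the thread: a NAT'd peer with no Local ID setting identifies itself by its private IP."""
    if peer.behind_nat and peer.private_ip:
        return peer.private_ip
    return peer.public_ip

def compare(hq: Peer, branch: Peer, configured_remote_id: str) -> list:
    """Findings: proposal mismatches, weak algorithms, and a Remote ID that will not match what the peer sends."""
    issues = []
    for key in PARAMS:
        a, b = norm(getattr(hq, key)), norm(getattr(branch, key))
        if a != b:
            issues.append(f"mismatch {key}: {hq.name}={a} {branch.name}={b}")
    for key in ("p1_hash", "p1_dh", "p2_hash", "p2_pfs"):
        if norm(getattr(hq, key)) in WEAK:
            issues.append(f"weak {key}: {norm(getattr(hq, key))}")
    want = expected_ike_id(branch)
    if configured_remote_id != want:
        issues.append(f"remote ID {configured_remote_id} != peer IKE ID {want}")
    return issues
```

With the thread's HQ and branch settings and the branch behind NAT, the only non-weakness finding is the Remote ID line until the branch's private IP is configured on the MX.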
