Meraki

Community

Firmware 15.42.1 problem in non meraki vpn peers (MX67)

Solved
endrianusgohan
Getting noticed
‎May 7 2021 5:48 AM
‎May 7 2021 5:48 AM

Firmware 15.42.1 problem in non meraki vpn peers (MX67)

Hi, 

 

I'm having issue with non-meraki vpn peers connection after I upgrade to 15.42.1 from 14.53. 

I was insisted to rollback the firmware after the upgrade. Just want to confirm is that really the problem ? I'm using ikev1 by the way. 

 

or in this new firmware I need to use ikev2 ? 

 

Please suggestion. Thanks. 

0 Kudos
1 Accepted Solution
In response to Bruce
endrianusgohan
Getting noticed
‎May 9 2021 4:15 AM
‎May 9 2021 4:15 AM

Hi Bruce, 

 

It works now by entering the IP Private of the remote peers. 

 

Thanks for the help.

View solution in original post

16 Replies 16
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 9 2021 12:42 AM
‎May 9 2021 12:42 AM

You haven't provided enough information to help.

 

You can use IKEv1 or IKEv2.  Both work.

0 Kudos
In response to PhilipDAth
endrianusgohan
Getting noticed
‎May 9 2021 1:09 AM
‎May 9 2021 1:09 AM

Hi Philip, 

 

Here is the details.

 

Headquarters

Cisco Meraki MX67

IKEv version : IKEv1

IP Sec Policies : AWS 

Phase 1 Encryption : AES 128

Phase 1 Authentication : SHA1

Phase 1 DF Group : 2

Phase 1 LIfetime : 28800

Phase 2 Encryption : AES 128

Phase 2 Authentication : SHA1

Phase 2 PFS Group : 2

Phase 2 Lifetime : 3600

Pre-shared key : used 

 

Branch 

Grandstream GWN7000

IKEv version : IKEv1

Phase 1 IKE Lifetime : 28800

Phase 1 Key Exchange mode : Main

Phase 1 Pre-Shared key : used

Phase 1 Encryption Algorithm : AES_CBC_128

Phase 1 Hash Algorithm : SHA1

Phase 1 DH Group : MODP1024

Phase 2 Encryption Algorithm : AES_CBC_128

Phase 2 Hash Algorithm : SHA1

Phase 2 PFS Group : MODP1024

0 Kudos
In response to endrianusgohan
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 9 2021 1:19 AM
‎May 9 2021 1:19 AM

What is the actual issue?  VPN builds and fails, VPN never works, etc?

 

What do the logs on both ends say?

0 Kudos
In response to PhilipDAth
endrianusgohan
Getting noticed
‎May 9 2021 1:37 AM
‎May 9 2021 1:37 AM

In Cisco Meraki, I got this log attached below. 

endrianusgohan_0-1620549114225.png

 

For Grandstream GWN7000, I got this log attached below. 

endrianusgohan_1-1620549387692.png

 

At the HQ side, it keeps deleting SA key. At the branch side, it keeps reconnecting and won't authorized. I suspicious that it has something to do with meraki settings. It works if I downgrade the meraki firmware to 14.53. After I upgrade, suddenly it won't connect. 

0 Kudos
In response to endrianusgohan
Bruce
Kind of a big deal
‎May 9 2021 2:00 AM
‎May 9 2021 2:00 AM

Did you see this in the MX15 release notes?

3768E55E-D09F-463B-802B-F929BA721874.jpeg

In response to Bruce
endrianusgohan
Getting noticed
‎May 9 2021 3:30 AM
‎May 9 2021 3:30 AM

Hi Bruce, 

 

I've just noticed it. Thank you for the help. 

But what value do I need to fill in the remote ID field, because there is no local ID in the grandstream device. I've try to enter the Public IP and FQDN value but still won't work. 

 

Any idea ? 

0 Kudos
In response to endrianusgohan
Bruce
Kind of a big deal
‎May 9 2021 4:00 AM
‎May 9 2021 4:00 AM

It’s hard to say if the Grandstream doesn’t have a specific Local ID parameter. It could use its hostname, it’s IP address (the public one, or the private one), or some other parameter that you configure on the device. Have a look at the ‘non-Meraki VPN peers’ section of this document for some suggestions, https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings 

0 Kudos
In response to Bruce
endrianusgohan
Getting noticed
‎May 9 2021 4:15 AM
‎May 9 2021 4:15 AM

Hi Bruce, 

 

It works now by entering the IP Private of the remote peers. 

 

Thanks for the help.

In response to endrianusgohan
RB___
Here to help
‎May 13 2021 9:44 PM
‎May 13 2021 9:44 PM

Hey @endrianusgohan! I seem to be experiencing the same issue as you did, but haven't gotten mine to work. Could you provide me with the exact Remote ID config that you used on the MX? For example in my case the peer has public IP 207.16.X.X, and only a single LAN with the peer being 10.1.1.1 (10.1.1.0/24 being the remote subnet I am trying to reach). So in my case would I configure 10.1.1.1 as the Remote ID on the Meraki? Any clarity you can provide would be greatly appreciated!

 

0 Kudos
In response to RB___
endrianusgohan
Getting noticed
‎May 13 2021 9:55 PM
‎May 13 2021 9:55 PM

Hi @RB___ , 

 

I use the private IP of the ONT Modem from the ISP of the remote non-meraki router. 

 

If your IP is behind the NAT, you can use that Private IP Address as your remote ID. 

 

You should try. Hope it works for you too. 

0 Kudos
In response to Bruce
jay_b
Getting noticed
‎Aug 24 2021 11:51 AM
‎Aug 24 2021 11:51 AM

Hello Bruce,

 

I am facing same issue. We have AWS on other side. Do you know what we can use as remote ID for AWS?

0 Kudos
In response to jay_b
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 24 2021 1:15 PM
‎Aug 24 2021 1:15 PM

Most likely, it will be the public IP address of the AWS peer.

0 Kudos
In response to PhilipDAth
jay_b
Getting noticed
‎Aug 24 2021 2:52 PM
‎Aug 24 2021 2:52 PM

Hello @PhilipDAth . Thank you for your quick response.  So it is going to be same as Public IP field, right ?

 

jay_b_0-1629841934491.png

 

0 Kudos
In response to jay_b
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 24 2021 3:36 PM
‎Aug 24 2021 3:36 PM

99% likely, yes.

0 Kudos
Jeizzen
Getting noticed
‎Sep 15 2021 8:32 AM
‎Sep 15 2021 8:32 AM

Here is a note from Meraki, and it worked, even if we have 1 MX and 1 Watchguard instead of the 2 MXs in their explanation

 

When configuring NMVPN connections between 2 MXs in different organizations that are running MX15 code and above that are not using a UserFQDN and are NATed behind an upstream device, please ensure that the remote ID field of the NMVPN peer is filled out with the private IP address of the remote NATed MX.

 

Our setup:

 

1rst site: an MX that is NATed behind another device, getting 192.168.x.x on its Internet port

 

2nd site : Watchguard with ISP Public IP

 

 

At both sites, we had Remote ID parameters configured with both Public IP

 

S2S non-meraki vpn nerver came up, until we configured the remote ID field in Watchguard with the 192.168.x.x of the Meraki.

 

S2S VPN came up right away

LutzTech
Comes here often
‎Sep 16 2021 10:10 PM
‎Sep 16 2021 10:10 PM

Here is the issue:

the far end firewall (near end is your meraki) has an IP on the interface that receives the VPN connection (the WAN interface) that is not the Public IP that the near end/meraki is connecting to

(this can be because the far end firewall is double-NATed, etc)

you will put the interface ip of the far end firewall as the "Remote ID" on the meraki vpn config

 

for example

 

far end: ASA in Azure, with interface IP (WAN) of 10.20.30.40, and azure public ip "resource" of 55.66.77.88

 

near end: meraki, vpn config with

public ip = 55.66.77.88

remote id = 10.20.30.40

 

Normally the remote id is assumed to be the remote public ip, but if the interface ip is not the public ip, you will have to specify the interface ip as the remote id

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.