Help troubleshooting site VPN with Oracle Cloud - tunnel established but with errors

SamW


We have a site VPN set up on our Meraki MX250 with a software vendor using Oracle Cloud.  The VPN connects fine as far as we can tell.  The application running through the tunnel works too, but with intermittent hiccups.  In the MX250 event log, I do not see any errors (that I can tell).  On the Oracle side, they do see errors and believe the errors are causing the hiccups (dropped packets).


Below is an excerpt from the Oracle error log.  I see ikev1 error <14>, which I believe indicates a Phase 2 mismatch?  But if there is a mismatch, how does the tunnel come up in the first place?  And could this cause data to be intermittently dropped?  Am I going down the wrong path thinking it is a Phase 2 issue?


I have more details from the Oracle error log if needed.  Thanks in advance for your help!


[Screenshot: excerpt from the Oracle error log, 2022-09-21]

alemabrahao

Hi,


First, check that all parameters are the same on both sides (Diffie-Hellman group, lifetime, etc.).

Second, it is good practice for the Phase 2 lifetime to be shorter than the Phase 1 lifetime.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
SamW

I think I finally found out which Phase 2 parameter doesn't match, causing the Meraki MX to keep sending NO_PROPOSAL_CHOSEN back to Oracle. Oracle Support told me this:

If using GCM, no authentication algorithm is required because authentication is included with GCM encryption. However, Meraki does not have AES-256-GCM for phase 2 encryption, so an authentication algorithm is required. The following options are supported:

- HMAC-SHA-256-128 (recommended)
- HMAC-SHA1-128

But the cryptographic technique HMAC is absent for Meraki as well. Messages like

set ikev1 error <14>
received and ignored notification payload: NO_PROPOSAL_CHOSEN

will come up whenever Phase 2 is reached.

I must find a solution and cannot just replace our newly purchased MX250. Oracle has a list of "Verified CPE Devices" which includes Fortinet, and we have a spare FortiGate 60F.

Any concerns with putting the 60F behind the MX250 and trying to establish the VPN connection between Oracle and the 60F?
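
The parameter comparison suggested in the first reply and the NO_PROPOSAL_CHOSEN behaviour described in the post above, as an added example that is not part of the thread and is not Meraki, Oracle or Fortinet code. It models what a responder does in Quick Mode: it walks the initiator's offered Phase 2 proposals and picks the first whose encryption, integrity and PFS group it also has configured; if none matches it answers with the NO_PROPOSAL_CHOSEN notify (ISAKMP notify type 14 in RFC 2408), which is why Phase 1 can be up while every Phase 2 attempt, including each rekey, fails. The proposal lists, the log excerpt and the names CLOUD_OFFERS, CPE_BEFORE and CPE_AFTER are constructed placeholders for illustration and do not state what any vendor supports.

```python
"""IPsec Phase 2 proposal matching and NO_PROPOSAL_CHOSEN log scanning.

Added example for the thread above; not Meraki, Oracle or Fortinet code.
All proposal lists and the log excerpt are CONSTRUCTED placeholders that show
the mechanics of the check, not a vendor's real capability list.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proposal:
    """One Phase 2 (IPsec SA) transform as a peer would configure it."""
    encryption: str            # e.g. "aes256-gcm" (AEAD) or "aes256-cbc"
    integrity: Optional[str]   # e.g. "hmac-sha256-128"; None for AEAD ciphers
    pfs_group: int             # Diffie-Hellman group for PFS, 0 = no PFS
    lifetime_s: int            # SA lifetime in seconds

    def sa_key(self):
        """Attributes that must agree for the responder to select the proposal.
        Lifetime is left out on purpose: a lifetime mismatch is normally
        negotiated down or logged, not rejected with NO_PROPOSAL_CHOSEN."""
        return (self.encryption, self.integrity, self.pfs_group)


def negotiate_phase2(offered, accepted):
    """Model the responder's choice: the first offered proposal whose
    encryption/integrity/PFS triple the responder also has configured.
    Returns (chosen_or_None, diagnostics); None means NO_PROPOSAL_CHOSEN."""
    accepted_keys = {p.sa_key() for p in accepted}
    for p in offered:
        if p.sa_key() in accepted_keys:
            return p, []
    # Nothing matched: explain, per offered proposal, which attribute the
    # responder lacks, so the operator knows what to change on which side.
    encs = {a.encryption for a in accepted}
    ints = {a.integrity for a in accepted}
    groups = {a.pfs_group for a in accepted}
    diags = []
    for p in offered:
        reasons = []
        if p.encryption not in encs:
            reasons.append(f"encryption {p.encryption} not configured on responder")
        if p.integrity is not None and p.integrity not in ints:
            reasons.append(f"integrity {p.integrity} not configured on responder")
        if p.pfs_group not in groups:
            reasons.append(f"PFS group {p.pfs_group} not configured on responder")
        diags.append((p, reasons))
    return None, diags


def lifetime_warnings(phase1_lifetime_s, phase2):
    """Flag Phase 2 proposals whose lifetime is not shorter than Phase 1's,
    the practice recommended in the first reply above."""
    return [p for p in phase2 if p.lifetime_s >= phase1_lifetime_s]


# Constructed log excerpt modelled on the two messages quoted in the thread.
SAMPLE_LOG = """\
ike: phase1 established
ike: phase2 negotiation started
ike: set ikev1 error <14>
ike: received and ignored notification payload: NO_PROPOSAL_CHOSEN
ike: set ikev1 error <14>
ike: received and ignored notification payload: NO_PROPOSAL_CHOSEN
"""

NO_PROPOSAL_RE = re.compile(r"notification payload: NO_PROPOSAL_CHOSEN")
ERR14_RE = re.compile(r"set ikev1 error <14>")


def scan_ike_log(text):
    """Count the two signatures of a Phase 2 proposal mismatch; each failed
    Quick Mode attempt (initial or rekey) normally produces one pair."""
    lines = text.splitlines()
    return {
        "ikev1_error_14": sum(1 for line in lines if ERR14_RE.search(line)),
        "no_proposal_chosen": sum(1 for line in lines if NO_PROPOSAL_RE.search(line)),
    }


# Constructed peers (placeholders, not real vendor capability lists).
CLOUD_OFFERS = [
    Proposal("aes256-gcm", None, 5, 3600),               # AEAD: no integrity alg
    Proposal("aes256-cbc", "hmac-sha256-128", 5, 3600),  # CBC needs an integrity alg
]
# Responder has no GCM and only SHA-1 integrity: neither offer can be chosen.
CPE_BEFORE = [Proposal("aes256-cbc", "hmac-sha1-96", 5, 28800)]
# Responder reconfigured to carry the CBC + HMAC-SHA-256 transform.
CPE_AFTER = [Proposal("aes256-cbc", "hmac-sha256-128", 5, 3600)]

if __name__ == "__main__":
    chosen, diags = negotiate_phase2(CLOUD_OFFERS, CPE_BEFORE)
    print("before:", chosen or "NO_PROPOSAL_CHOSEN")
    for p, reasons in diags:
        print("   ", p.encryption, p.integrity, "->", "; ".join(reasons))
    print("lifetime warnings:", lifetime_warnings(28800, CPE_BEFORE))
    chosen, _ = negotiate_phase2(CLOUD_OFFERS, CPE_AFTER)
    print("after: ", chosen)
    print("log:", scan_ike_log(SAMPLE_LOG))
```

Run it against the real transform sets from both admin consoles, entered with one normalised naming scheme, and the diagnostics line up with the repeating error pairs in the log: a single missing attribute on one side is enough to reject every proposal, even though Phase 1 negotiated cleanly.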

alemabrahao

Well, this is not the best solution, but it should work.

