Hello
I am having trouble initiating IKE negotiation with a non-Meraki peer.
I would very much appreciate it if anyone can help me with this.
I have created a non-Meraki peer and saved it under Site-to-site VPN in the dashboard, but the Event log shows no activity regarding the non-Meraki VPN (i.e. Event Type = "Non-Meraki / Client VPN negotiation").
I believe it is supposed to show "msg initiate new phase 1 negotiation" at least, regardless of whether the negotiation succeeds or fails, but no log is recorded. (Other logs, like DHCP or WEP activities, are logged.)
I also pinged the destination subnet in order to "trigger" the negotiation, but no luck.
1. Did I miss any fundamental setting to "enable" or "initiate" the IKE session?
2. I am currently testing this "non-Meraki VPN" in a different environment than the actual environment where it will be implemented.
The differences between the current test environment and the live environment are:
<TEST environment>
Model: MX65W (firmware 16.16)
WAN: PPPoE with "Dynamic" IP assignment
<LIVE environment>
Model: MX68CW (firmware 16.16)
WAN: PPPoE with "Static" IP assignment
I am not sure whether the IP assignment would make any difference in terms of initiating the IKE session.
Any other suggestions would also be appreciated.
Thank you.
I think it's time to open a support case with Meraki.
Do a packet capture on the Internet port and then trigger the VPN with some traffic.
Hello, Karstenl, and thank you for helping me with this.
I have done the packet capture on the Internet interface and pinged the remote subnet.
FYI, below is how I added the non-Meraki peer, and "nothing else".
Am I missing something?
The question is whether you see anything in the packet capture:
08:37:32.564434 IP 192.168.177.250.500 > 1.2.3.4.500: isakmp: phase 1 I ident
If you don't see this, the problem is on your side. If you see it and nothing comes back, the problem is likely on the other side.
Do you have your local subnet enabled for VPN?
And, not related to this problem, but to make it easier in the future:
You should tag the network and use that tag in the Availability field to restrict the VPN to this particular site.
As you say, I believe the problem is on my side.
I don't see the phase 1 line in the packet capture.
I believe nothing is initiated on my side.
As for the subnet, yes, I enabled it.
So, am I correct that if I configure the Site-to-Site VPN as below, no other configuration is required and it is supposed to initiate IKE Phase 1?
The network diagram below is what I am trying to achieve, but there is nothing wrong with this, correct?
If so, is it possible that it is designed NOT TO INITIATE if the public IP on the WAN interface is obtained dynamically, not statically?
The dynamically obtained IP is fine.
The IP subnets in your diagram and config do not match. Could that be the problem? Is your trigger traffic coming from the right subnet, and does it reach the MX?
Sorry, the diagram was picked up from the internet, just to show the topology.
Here is the diagram with the correct information (the same as I set up in the dashboard).
(Question)
Is IKE communication supposed to be initiated even if:
* the WAN interface obtained a dynamic IP through PPPoE?
* the remote peer is offline?
Also, is there any setting I need on the peer on my side? I added the remote peer and nothing else.
I really appreciate your time and effort on this, Karstenl.
"WAN interface obtained dynamic IP through PPPoE?"
Yes, that is OK for the MX.
"Remote peer is offline?"
The MX has no knowledge of whether the remote side is offline or not. That is OK for every VPN gateway.
Please capture on the LAN interface of the MX to see whether the incoming traffic that should trigger the VPN (traffic from the local LAN to the remote LAN) arrives.
I captured on the LAN and pinged from the local LAN to the remote LAN, but all I captured was ping traffic.
Echo (ping) request id=0x0001, seq=2229/46344, ttl=128 (no response found!)
No IKE session-related communication was found.
So the ping is not triggering the VPN... Why would that be...
I think it's time to open a support case with Meraki.
Hi, Karstenl
Yes, I opened a ticket and managed to find the ISAKMP traffic in the capture.
It seems like the remote peer did not like my proposal; it returned a "No Proposal Chosen" message and terminated the sequence, therefore no log was generated in the Event Log.
Thank you very much for your help. I really appreciate your kind support and your bearing with me when my network knowledge was limited...
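The two diagnostic steps in this thread (Karstenl's "do you see the phase 1 packet leaving your WAN, and does anything come back?" and the final finding that the peer answered "No Proposal Chosen") can be automated over a capture. The following is an added example, not code from the thread or from Meraki: a minimal ISAKMP (IKEv1, RFC 2408) decoder plus a classifier that maps what it sees to the three outcomes discussed above. The packets it decodes are constructed inline for the example; the addresses reuse the MX WAN address and peer address from the tcpdump line quoted earlier. In a real capture, exchange type 2 with message ID 0 is the main-mode ("ident") phase 1 initiation tcpdump summarises as "phase 1 I ident", and the rejection is an Informational exchange carrying a Notification payload with type 14, NO-PROPOSAL-CHOSEN.

```python
"""Decode ISAKMP datagrams from a capture and decide which side of a failed
non-Meraki VPN negotiation to look at. Added example; all packets below are
constructed for illustration, not taken from a real capture."""
import struct

ISAKMP_PORT = 500
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_NOTIFY = 0, 1, 11
EXCH_IDENTITY_PROTECTION = 2   # main mode; tcpdump prints it as "ident"
EXCH_INFORMATIONAL = 5
NOTIFY_NO_PROPOSAL_CHOSEN = 14  # RFC 2408 notify message type
FLAG_ENCRYPTION = 0x01

HDR = struct.Struct("!8s8sBBBBII")     # icookie, rcookie, next, version, exch, flags, msgid, length
GEN = struct.Struct("!BBH")            # generic payload header: next, reserved, length
NOTIFY_FIXED = struct.Struct("!IBBH")  # DOI, protocol-id, SPI size, notify type


def build_msg(icookie, rcookie, exch, msgid, payloads):
    """Build an ISAKMP datagram from (payload_type, body) pairs, chaining next-payload fields."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += GEN.pack(nxt, 0, GEN.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    return HDR.pack(icookie, rcookie, first, 0x10, exch, 0, msgid, HDR.size + len(body)) + body


def parse_msg(data):
    """Parse the ISAKMP header and walk the payload chain, rejecting malformed lengths."""
    if len(data) < HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, _ver, exch, flags, msgid, length = HDR.unpack_from(data)
    if length != len(data):
        raise ValueError("ISAKMP length field does not match datagram size")
    msg = {"icookie": icookie, "rcookie": rcookie, "exch": exch, "msgid": msgid,
           "encrypted": bool(flags & FLAG_ENCRYPTION), "payloads": None}
    if msg["encrypted"]:
        return msg  # payloads are ciphertext (later main-mode messages); nothing to walk
    payloads, off = [], HDR.size
    while nxt != PAYLOAD_NONE:
        if off + GEN.size > len(data):
            raise ValueError("truncated payload header")
        ptype = nxt
        nxt, _reserved, plen = GEN.unpack_from(data, off)
        if plen < GEN.size or off + plen > len(data):
            raise ValueError("bad payload length")
        payloads.append((ptype, data[off + GEN.size:off + plen]))
        off += plen
    msg["payloads"] = payloads
    return msg


def notify_types(msg):
    """Return the notify message types carried in a parsed, unencrypted message."""
    types = []
    for ptype, body in msg["payloads"] or []:
        if ptype == PAYLOAD_NOTIFY and len(body) >= NOTIFY_FIXED.size:
            _doi, _proto, _spi_size, ntype = NOTIFY_FIXED.unpack_from(body)
            types.append(ntype)
    return types


def diagnose(packets, local_ip):
    """packets: iterable of (src_ip, src_port, dst_ip, dst_port, udp_payload).
    Returns the verdict a practitioner draws from a WAN-side capture."""
    sent_phase1 = received = 0
    notifies = []
    for src, sport, dst, dport, data in packets:
        if ISAKMP_PORT not in (sport, dport):
            continue  # not IKE (e.g. the ping used as trigger traffic)
        msg = parse_msg(data)
        if src == local_ip and msg["exch"] == EXCH_IDENTITY_PROTECTION and msg["msgid"] == 0:
            sent_phase1 += 1
        elif dst == local_ip:
            received += 1
            notifies.extend(notify_types(msg))
    if not sent_phase1:
        verdict = "not-initiated"        # nothing left the MX: problem on your side
    elif not received:
        verdict = "no-response"          # sent, silence back: likely the other side
    elif NOTIFY_NO_PROPOSAL_CHOSEN in notifies:
        verdict = "no-proposal-chosen"   # peer rejected the phase 1 proposal
    else:
        verdict = "other"
    return {"verdict": verdict, "sent": sent_phase1, "received": received, "notifies": notifies}


# Constructed sample traffic using the addresses from the thread's tcpdump line.
MX_WAN, PEER = "192.168.177.250", "1.2.3.4"
ICOOKIE, RCOOKIE, NO_COOKIE = bytes.fromhex("0123456789abcdef"), bytes.fromhex("fedcba9876543210"), bytes(8)
SA_BODY = struct.pack("!II", 1, 1)  # DOI=IPsec, situation=identity only; proposal omitted in this toy
INIT = build_msg(ICOOKIE, NO_COOKIE, EXCH_IDENTITY_PROTECTION, 0, [(PAYLOAD_SA, SA_BODY)])
REJECT = build_msg(ICOOKIE, RCOOKIE, EXCH_INFORMATIONAL, 0x1234ABCD,
                   [(PAYLOAD_NOTIFY, NOTIFY_FIXED.pack(1, 1, 0, NOTIFY_NO_PROPOSAL_CHOSEN))])
CAPTURE_REJECTED = [(MX_WAN, 500, PEER, 500, INIT), (PEER, 500, MX_WAN, 500, REJECT)]
CAPTURE_SILENT = [(MX_WAN, 500, PEER, 500, INIT)]
CAPTURE_PING_ONLY = [("192.168.1.10", 0, "10.0.0.5", 0, b"icmp echo request")]

if __name__ == "__main__":
    for name, cap in [("rejected", CAPTURE_REJECTED), ("silent", CAPTURE_SILENT), ("ping-only", CAPTURE_PING_ONLY)]:
        print(name, diagnose(cap, MX_WAN))
```

To apply this to a real capture, feed `diagnose()` the UDP/500 datagrams (source, ports, destination, payload) exported from the MX packet capture; a "no-proposal-chosen" verdict means the fix is on the phase 1 policy (encryption, hash, DH group, lifetime, authentication) configured on one of the two peers, not on routing or the trigger traffic.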