IKE Negotiation Phase does not start for Site-to-Site VPN with Non Meraki Peer

Sasuke-NX

Hello

 

I am having trouble initiating IKE negotiation with a non-Meraki peer.
I would very much appreciate it if anyone can help me with this.

I have created a non-Meraki peer and saved it under Site-to-site VPN in the dashboard, but the Event log shows no activity regarding the non-Meraki VPN (i.e. Event Type = "Non-Meraki / Client VPN negotiation").
I believe it is supposed to show at least "msg initiate new phase 1 negotiation", regardless of whether the negotiation succeeds or fails, but no log is recorded. (Other logs like DHCP or WEP activities are logged.)

I also pinged the destination subnet in order to "trigger" the negotiation, but no luck.

 

1. Did I miss any fundamental setting to "enable" or "initiate" the IKE session?

 

2. I am currently testing this "non-Meraki VPN" in a different environment than the actual environment where it will be implemented.

The differences between the current test environment and the live environment are:

<TEST environment>

Model: MX65W (firmware 16.16)

WAN: PPPoE with "Dynamic" IP assignment

<LIVE environment>

Model: MX68CW (firmware 16.16)

WAN: PPPoE with "Static" IP assignment

I am not sure whether the IP assignment would make any difference in terms of initiating the IKE session.

Any other suggestions would also be appreciated.

Thank you


10 Replies
KarstenI

Do a packet capture on the Internet port and then trigger the VPN with some traffic.

  • Do you see any IKE communication?
  • Is your peer configured with your temporary public IP?
  • Is your Site-to-site outbound firewall allowing the traffic?

Hello, KarstenI, and thank you for helping me with this.

I have done the packet capture on the Internet interface and pinged the remote subnet.

  • Do you see any IKE communication?
    > No, the event log still doesn't show anything about IKE communication.
  • Is your peer configured with your temporary public IP?
    > You mean the public IP obtained by the WAN interface? If so, yes, it shows on the "Appliance Status" page.
    [screenshot: SasukeNX_1-1651391213706.png]

  • Is your Site-to-site outbound firewall allowing the traffic?
    > I left it at the default (Allow "Any to Any" for "Any ports").
    [screenshot: SasukeNX_0-1651391037790.png]

FYI, below is how I added the non-Meraki peer, and "nothing else".

[screenshot: SasukeNX_3-1651391502209.png]

Am I missing something?

KarstenI

The question is whether you see anything in the packet capture:

 

08:37:32.564434 IP 192.168.177.250.500 > 1.2.3.4.500: isakmp: phase 1 I ident

 

If you don't see this, the problem is on your side. If you see it and nothing comes back, the problem is likely on the other side.

 

Do you have your local subnet enabled for VPN?

[screenshot: KarstenI_0-1651394427228.png]

 

And not related to this problem, but to make it easier in the future:

You should tag the network and use that tag in the Availability field to restrict the VPN to this particular site.

 

 

As you say, I believe the problem is on my side.

I don't see the phase 1 line in the packet capture.

I believe nothing is initiated on my side.

 

As for the subnet, yes, I enabled it.

[screenshot: SasukeNX_0-1651397911758.png]

 

So, am I correct that if I configure the Site-to-Site VPN as below, then no other configuration is required, and it is supposed to initiate IKE Phase 1?

[screenshot: SasukeNX_3-1651398540951.png]

The network diagram below is what I am trying to achieve, but there is nothing wrong with this, correct?

[screenshot: SasukeNX_2-1651398397027.png]

 

 

If so, is it possible that it is designed NOT TO INITIATE if the public IP on the WAN interface is obtained dynamically, not statically?

KarstenI

The dynamically obtained IP is fine.

The IP subnets in your diagram and config do not match. Could that be the problem? Is your trigger traffic coming from the right subnet and does it reach the MX?

Sorry, the diagram was picked up from the internet, just to show the topology.

Here is the diagram with the correct information (same as I set up in the dashboard).

[screenshot: SasukeNX_1-1651446110981.png]

(Question)

Is IKE communication supposed to be initiated even if:

* the WAN interface obtained a dynamic IP through PPPoE?

* the remote peer is offline?

 

Also, is there any setting I need on the peer on my side? I added the remote peer and nothing else.

 

I really appreciate your time and effort on this, KarstenI.

KarstenI

"WAN interface obtained dynamic IP through PPPoE?"

Yes, that is OK for the MX.

 

"Remote peer is offline?"

The MX has no knowledge of whether the remote side is offline or not. That is OK for every VPN gateway.

 

Please capture on the LAN interface of the MX to see whether the incoming traffic that should trigger the VPN (traffic from the local to the remote LAN) arrives.

I captured on the LAN and pinged from the local LAN to the remote LAN, but all I captured was ping traffic.

 

Echo (ping) request id=0x0001, seq=2229/46344, ttl=128 (no response found!)

 

No IKE-session-related communication was found.

 

So the ping is not triggering the VPN... Why would it be...

KarstenI

I think it's time to open a support case with Meraki.

Hi KarstenI,

 

Yes. I opened a ticket and managed to find the isakmp traffic in the capture.

It seems the remote peer did not like my proposal; it returned a "No Proposal Chosen" message and terminated the sequence, therefore no log was generated in the Event Log.

 

Thank you very much for your help. I really appreciate your kind support, and your bearing with me when my network knowledge was limited...
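What the two halves of this thread look like on the wire, as an added example that is not part of the thread and not Meraki's own tooling: a small IKEv1 (ISAKMP, UDP/500) decoder in Python that produces the tcpdump-style "phase 1 I ident" summary KarstenI asked the poster to look for, decodes the phase 1 proposal the initiator sent and any Notify the peer returns (here NO-PROPOSAL-CHOSEN, the outcome the poster found with support), and applies the same decision tree from the capture-post (nothing sent by the MX: local problem; sent but no reply: far side; a rejection Notify: proposal mismatch). The two datagrams, cookies and addresses are constructed for the example, not captured from the poster's MX; the function and constant names are mine.

```python
"""Decode IKEv1/ISAKMP datagrams (UDP/500) from a WAN-side capture and apply the
thread's decision tree. Added example, not code from the thread or from Meraki;
the two datagrams at the bottom are constructed, not captured."""
import struct

HDR = struct.Struct("!8s8sBBBBII")   # RFC 2408 3.1: icookie, rcookie, next payload, version,
                                     # exchange type, flags, message ID, total length
GEN = struct.Struct("!BBH")          # generic payload header: next payload, reserved, length
NOTIFY_HDR = struct.Struct("!IBBH")  # Notify payload: DOI, protocol ID, SPI size, notify type

EXCHANGE = {1: "base", 2: "ident", 3: "auth", 4: "agg", 5: "inf", 32: "quick", 33: "newgroup"}
PAYLOAD = {1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 8: "HASH", 10: "NONCE", 11: "N",
           12: "D", 13: "VID"}
NOTIFY = {1: "INVALID-PAYLOAD-TYPE", 14: "NO-PROPOSAL-CHOSEN", 16: "PAYLOAD-MALFORMED",
          18: "INVALID-ID-INFORMATION", 24: "AUTHENTICATION-FAILED"}
# RFC 2409 appendix A: phase 1 transform attribute types, with the values worth naming
ATTR = {1: ("enc", {1: "DES", 5: "3DES", 7: "AES-CBC"}),
        2: ("hash", {1: "MD5", 2: "SHA1", 4: "SHA2-256"}),
        3: ("auth", {1: "PSK", 3: "RSA-SIG"}),
        4: ("group", {2: "MODP-1024", 5: "MODP-1536", 14: "MODP-2048"}),
        11: ("life-type", {1: "seconds", 2: "kilobytes"}), 12: ("life", {}), 14: ("keylen", {})}


def parse_attrs(buf):
    """ISAKMP data attributes (RFC 2408 3.3): top bit set = TV (2-byte value), else TLV."""
    attrs, off = {}, 0
    while off + 4 <= len(buf):
        atype, val = struct.unpack_from("!HH", buf, off)
        if atype & 0x8000:
            atype, off = atype & 0x7FFF, off + 4
        else:  # val holds the length of the value that follows
            val, off = int.from_bytes(buf[off + 4:off + 4 + val], "big"), off + 4 + val
        name, names = ATTR.get(atype, (f"attr{atype}", {}))
        attrs[name] = names.get(val, val)
    return attrs


def parse_sa(body):
    """Attributes of the first transform of the first proposal (real initiators send several)."""
    off = 8                                   # skip DOI and Situation
    spi_size = body[off + 6]                  # proposal body: prop#, proto, SPI size, #transforms
    toff = off + 8 + spi_size                 # first transform payload header
    _, _, tlen = GEN.unpack_from(body, toff)
    return parse_attrs(body[toff + 8:toff + tlen])  # skip t#, transform ID, reserved


def parse_message(data):
    """Parse one ISAKMP datagram; the payload chain is walked only when the E flag is clear."""
    icookie, rcookie, nxt, version, exch, flags, msgid, length = HDR.unpack_from(data)
    if version >> 4 != 1 or length != len(data):
        raise ValueError("not an IKEv1 datagram")
    msg = {"icookie": icookie, "rcookie": rcookie, "exchange": EXCHANGE.get(exch, str(exch)),
           "phase": 1 if exch in (1, 2, 3, 4) else 2, "encrypted": bool(flags & 1),
           "payloads": [], "notify": [], "proposal": None}
    off = HDR.size
    while nxt and not msg["encrypted"]:
        if off + GEN.size > length:
            raise ValueError("truncated payload chain")
        ptype = nxt
        nxt, _, plen = GEN.unpack_from(data, off)
        if plen < GEN.size or off + plen > length:
            raise ValueError("payload length runs past the datagram")
        body = data[off + GEN.size:off + plen]
        msg["payloads"].append(PAYLOAD.get(ptype, str(ptype)))
        if ptype == 1:
            msg["proposal"] = parse_sa(body)
        elif ptype == 11:
            ntype = NOTIFY_HDR.unpack_from(body)[3]
            msg["notify"].append(NOTIFY.get(ntype, f"notify-{ntype}"))
        off += plen
    return msg


class FlowTracker:
    """Label datagrams I (sent by the initiator) or R by remembering which address sent the
    first message for each initiator cookie, the same idea tcpdump uses for its I/R column."""
    def __init__(self):
        self.origin = {}

    def summarize(self, src, dst, data):
        msg = parse_message(data)
        role = "I" if self.origin.setdefault(msg["icookie"], src) == src else "R"
        if msg["exchange"] == "inf":
            line = f"isakmp: {role} inf" + (": " + ",".join(msg["notify"]) if msg["notify"] else "")
        else:
            line = f"isakmp: phase {msg['phase']} {role} {msg['exchange']}"
        return line, role, msg


def diagnose(packets):
    """The thread's decision tree over (src, dst, udp_payload) tuples captured on the WAN port."""
    tracker = FlowTracker()
    results = [tracker.summarize(*p) for p in packets]
    if not any(role == "I" for _, role, _ in results):
        return "no IKE sent by the MX: the problem is local (VPN subnet, peer or availability settings)"
    notifies = [n for _, role, m in results if role == "R" for n in m["notify"]]
    if notifies:
        return "peer answered " + ",".join(notifies) + ": phase 1 proposals do not match"
    if not any(role == "R" for _, role, _ in results):
        return "MX initiated but nothing came back: check the peer and the public IP it has for this MX"
    return "phase 1 exchange is progressing"


def build(icookie, rcookie, exch, payloads):
    """Assemble an ISAKMP datagram from (payload type, body) pairs, chaining next-payload fields."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        body += GEN.pack(nxt, 0, GEN.size + len(pbody)) + pbody
    return HDR.pack(icookie, rcookie, payloads[0][0], 0x10, exch, 0, 0, HDR.size + len(body)) + body


def tv(atype, val):
    return struct.pack("!HH", 0x8000 | atype, val)


MX_WAN, PEER = "203.0.113.10", "198.51.100.7"   # constructed addresses (TEST-NET ranges)
ICOOKIE, RCOOKIE = bytes.fromhex("a1b2c3d4e5f60718"), bytes.fromhex("1122334455667788")
# Main mode message 1: one transform proposing AES-256-CBC / SHA1 / PSK / MODP-2048 (constructed)
attrs = tv(1, 7) + tv(14, 256) + tv(2, 2) + tv(3, 1) + tv(4, 14)
transform = GEN.pack(0, 0, GEN.size + 4 + len(attrs)) + bytes([1, 1, 0, 0]) + attrs
proposal = GEN.pack(0, 0, GEN.size + 4 + len(transform)) + bytes([1, 1, 0, 1]) + transform
MAIN_MODE_1 = build(ICOOKIE, bytes(8), 2, [(1, struct.pack("!II", 1, 1) + proposal), (13, b"vid")])
# Peer's reply: unencrypted Informational with NO-PROPOSAL-CHOSEN (IPsec DOI, proto ISAKMP, no SPI)
REJECT = build(ICOOKIE, RCOOKIE, 5, [(11, NOTIFY_HDR.pack(1, 1, 0, 14))])

if __name__ == "__main__":
    print(diagnose([(MX_WAN, PEER, MAIN_MODE_1), (PEER, MX_WAN, REJECT)]))
```

To use it on a real capture, feed `diagnose()` the (source, destination, UDP payload) tuples for port 500 from a pcap reader of your choice; the sample run returns the "peer answered NO-PROPOSAL-CHOSEN" verdict, which is the situation the poster ended up in. Two caveats a practitioner will hit: the decoder reads only the first transform of the first proposal, whereas most initiators offer several, so compare the whole list against the peer's configured phase 1 policy; and it ignores NAT-T (UDP/4500) and the encrypted payloads of later messages, which is fine for the "does phase 1 even start" question but not for diagnosing phase 2.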
