IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

Here to help

IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

Dear all,

Is their anyone who has successfully setup a VPN tunnel between  a cisco router and MX. I seem not to have a break through.

Phase one is coming up but phase 2 its not. Please share if their is any work around.

6 Replies 6
A model citizen

Can u post your config here of your VPN tunnel? This is a bit easier to help you out.

make sure it's ikeV1 instead of ikeV2.


I'm not sure if the 1941 router has the same sort of configuration as a 2811 but here below you have a site to site documentation of this setup











Phase 1


crypto isakmp policy 20
encr aes 256
authentication pre-share
group 5
lifetime 28800


crypto ipsec transform-set eTransform esp-3des esp-sha-hmac


crypto map EMSA_NBI 1 ipsec-isakmp
set peer x.x.x.x
set security-association lifetime seconds 86400
set transform-set ETransform
match address IPSECVPN



ip access-list extended IPSECVPN
permit ip








Thre PFS group for phase 2 does not match.  Set it to "off" in the Meraki dashboard to make it match the routers config.


Does note that no one should be using 3DES for new deployments.  Also note that the MX has poor 3DES throughput.

Here to help

Hi all ,
I am still yet to get through with the setup. Can someone advise

What does the event log say? There should be some errors in there that might help. 




If you're failing phase 2 then most common is usually mismatched encryption domains. I usually start there. I also see PFS group 1 is set on the MX, but I don't see it in your 1941 config.

@The_Livingstone  can u disable the pfs group and provide us with some feedback?



Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.