Meraki

Community

IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

The_Livingstone
Here to help
‎Mar 5 2019 12:08 AM
‎Mar 5 2019 12:08 AM

IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

Dear all,

Is their anyone who has successfully setup a VPN tunnel between  a cisco router and MX. I seem not to have a break through.

Phase one is coming up but phase 2 its not. Please share if their is any work around.

0 Kudos
6 Replies 6
Ben
A model citizen
‎Mar 5 2019 12:46 AM
‎Mar 5 2019 12:46 AM

Can u post your config here of your VPN tunnel? This is a bit easier to help you out.

make sure it's ikeV1 instead of ikeV2.

 

I'm not sure if the 1941 router has the same sort of configuration as a 2811 but here below you have a site to site documentation of this setup

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Cisco_2811_router_for_Site-to-site_...

 

 

Cheers,

Ben

 

 

 

 

0 Kudos
In response to Ben
The_Livingstone
Here to help
‎Mar 5 2019 1:03 AM
‎Mar 5 2019 1:03 AM

 

Phase 1

 

crypto isakmp policy 20
encr aes 256
authentication pre-share
group 5
lifetime 28800

 

crypto ipsec transform-set eTransform esp-3des esp-sha-hmac

 

crypto map EMSA_NBI 1 ipsec-isakmp
set peer x.x.x.x
set security-association lifetime seconds 86400
set transform-set ETransform
match address IPSECVPN

 

acl

ip access-list extended IPSECVPN
permit ip 192.168.0.0 0.0.0.255 10.10.11.0 0.0.0.255

 

 

 

MX VPN.JPG

 

 

 

0 Kudos
In response to The_Livingstone
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 5 2019 2:08 PM
‎Mar 5 2019 2:08 PM

Thre PFS group for phase 2 does not match.  Set it to "off" in the Meraki dashboard to make it match the routers config.

 

Does note that no one should be using 3DES for new deployments.  Also note that the MX has poor 3DES throughput.

The_Livingstone
Here to help
‎Mar 5 2019 5:51 AM
‎Mar 5 2019 5:51 AM

Hi all ,
I am still yet to get through with the setup. Can someone advise
0 Kudos
In response to The_Livingstone
jdsilva
Kind of a big deal
‎Mar 5 2019 10:29 AM
‎Mar 5 2019 10:29 AM

What does the event log say? There should be some errors in there that might help. 

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...

 

If you're failing phase 2 then most common is usually mismatched encryption domains. I usually start there. I also see PFS group 1 is set on the MX, but I don't see it in your 1941 config.

http://blog.brokennetwork.ca | @jdsilva
In response to The_Livingstone
Ben
A model citizen
‎Mar 5 2019 11:55 PM
‎Mar 5 2019 11:55 PM

@The_Livingstone  can u disable the pfs group and provide us with some feedback?

 

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.