cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

Here to help

IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

Dear all,

Is their anyone who has successfully setup a VPN tunnel between  a cisco router and MX. I seem not to have a break through.

Phase one is coming up but phase 2 its not. Please share if their is any work around.

6 REPLIES 6
Ben
A model citizen

Re: IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

Can u post your config here of your VPN tunnel? This is a bit easier to help you out.

make sure it's ikeV1 instead of ikeV2.

 

I'm not sure if the 1941 router has the same sort of configuration as a 2811 but here below you have a site to site documentation of this setup

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Cisco_2811_router_for_Site-to-site_...

 

 

Cheers,

Ben

 

 

 

 

Here to help

Re: IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

 

Phase 1

 

crypto isakmp policy 20
encr aes 256
authentication pre-share
group 5
lifetime 28800

 

crypto ipsec transform-set eTransform esp-3des esp-sha-hmac

 

crypto map EMSA_NBI 1 ipsec-isakmp
set peer x.x.x.x
set security-association lifetime seconds 86400
set transform-set ETransform
match address IPSECVPN

 

acl

ip access-list extended IPSECVPN
permit ip 192.168.0.0 0.0.0.255 10.10.11.0 0.0.0.255

 

 

 

MX VPN.JPG

 

 

 

Kind of a big deal

Re: IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

Thre PFS group for phase 2 does not match.  Set it to "off" in the Meraki dashboard to make it match the routers config.

 

Does note that no one should be using 3DES for new deployments.  Also note that the MX has poor 3DES throughput.

Here to help

Re: IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

Hi all ,
I am still yet to get through with the setup. Can someone advise
Kind of a big deal

Re: IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

What does the event log say? There should be some errors in there that might help. 

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...

 

If you're failing phase 2 then most common is usually mismatched encryption domains. I usually start there. I also see PFS group 1 is set on the MX, but I don't see it in your 1941 config.

Ben
A model citizen

Re: IPSEC VPN Tunnel betwenn Cisco 1941 router and an MX

@The_Livingstone  can u disable the pfs group and provide us with some feedback?

 

 

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.