Meraki

Community

Meraki MX68 to Ubiquiti EdgeRouter Lite VPN not working (non-Meraki VPN troubles)

Solved
RB___
Here to help
‎May 11 2021 7:02 PM
‎May 11 2021 7:02 PM

Meraki MX68 to Ubiquiti EdgeRouter Lite VPN not working (non-Meraki VPN troubles)

Hi guys,

 

I am having a very difficult time to get a VPN tunnel up between my EdgeRouter Lite and my Meraki MX68 firewalls. No matter the settings I change I can't seem to be able to pass traffic over the VPN tunnel site to site. I am using IKEv1 on both devices. The shared secret is definitely correct on both ends.

 

These are the VPN settings I am using on the Meraki MX68:

 

  • Phase 1 Configs
    • AES 128
    • SHA 1
    • DH Group 14
    • Lifetime (seconds) 28800

 

  • Phase 2 Configs
    • AES 128
    • SHA 1
    • PFS Group Disable
    • Lifetime (seconds) 3600
    • Remote Subnet: 10.1.1.0/24

 

And these are the VPN settings I am using on the EdgeRouter Lite. I was not able to change any other config options through the GUI (I am not skilled enough to configure it through the CLI)

  • AES 128
  • SHA1
  • DH Group 14
  • Local Subnet: 10.1.1.0/24
  • Remote Subnet: 10.2.1.0/24

 

From what I know these configurations should work but I just can't seem to get traffic to go over the tunnel. I've tried changing the DH group, lifetime values, enable PFS on the Meraki end for Group 1 etc. Anyone have any insight or experience with and EdgeRoute Lite to Meraki VPN before?

 

 

Honestly any support will help at this point as I've spent all day on this. I tried getting Meraki support to assist as well and all they mentioned was that Phase 1 was establishing but not Phase 2.

 

Thank you,

Ryan

0 Kudos
1 Accepted Solution
In response to RB___
Bruce
Kind of a big deal
‎May 13 2021 1:21 PM
‎May 13 2021 1:21 PM

There was another post in the community where tunnels were failing to establish because the Local ID and Remote ID on the peer configurations weren’t matching at each end. The more recent MX firmwares are strict on these matches. Not sure if that’s the issue here, but might be worth checking.

View solution in original post

9 Replies 9
MarcP
Kind of a big deal
‎May 12 2021 1:24 AM
‎May 12 2021 1:24 AM

Any FW-Rule blocking something?

 

Made the correct local subnet on MX site?

 

PFS disabled?

 

Correct public IPs?

 

ISP Router maybe needs to forward udp-4500 / 500 ?

 

Whats the logging showing, where it has its problem to get up the VPN Tunnel?

In response to MarcP
RB___
Here to help
‎May 12 2021 7:39 AM
‎May 12 2021 7:39 AM

Hey Marc,

 

So I was replacing an existing EdgeRouter Lite with the MX68. the EdgeRouter Lite had the VPN tunnel established originally so shouldn't be an issue with FW rules or the ISP router blocking the IPsec ports.

 

Definitely have the correct subnet on the MX68 side and it is enabled (on) for S2S VPN as well. Public IPs are all good as well.

 

The one thing that may cause an issue is PFS. So originally I saw that PFS was off on Meraki, but appeared enabled on the EdgeRouter Lite. So I enabled PFS on the MX68 but that didn't seem successful. Should I try with disabling PFS on both devices instead?

 

When I check the event log on the Meraki it appears that Phase 1 is successful but Phase 2 is failing. These seem to be the errors I am getting:

RB____0-1620830337031.png

 

THanks,

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎May 12 2021 3:04 PM
‎May 12 2021 3:04 PM

Are you sure both sides are using the same PSK?

In response to PhilipDAth
RB___
Here to help
‎May 13 2021 6:50 AM
‎May 13 2021 6:50 AM

Should be. I remember copy and pasting the PSK again on each end when I was trying to bring it up. I will be trying it again this coming Monday.

 

I will first be trying to do it with PFS disabled, since I have read that sometimes that causes problems. And I will be sure to take packet captures this time to see the packet info.

 

Thanks!

0 Kudos
In response to RB___
Bruce
Kind of a big deal
‎May 13 2021 1:21 PM
‎May 13 2021 1:21 PM

There was another post in the community where tunnels were failing to establish because the Local ID and Remote ID on the peer configurations weren’t matching at each end. The more recent MX firmwares are strict on these matches. Not sure if that’s the issue here, but might be worth checking.

In response to Bruce
RB___
Here to help
‎May 13 2021 2:13 PM
‎May 13 2021 2:13 PM

Interesting point Bruce thanks! I am on the newest 15.42.1 firmware for the MX68. I currently do not have the Local or Remote ID configured for the  peer on the MX68 (Just obviously the public IP that the peer has). 

 

I do not see anywhere on the Ubiquiti end where I can configure a Local or Remote ID but I will have another look. Their GUI is not friendly... and the user guide documents are not detailed enough.

 

Thanks!

0 Kudos
In response to RB___
Bruce
Kind of a big deal
‎May 13 2021 2:19 PM
‎May 13 2021 2:19 PM

The other post is here, https://community.meraki.com/t5/Security-SD-WAN/Firmware-15-42-1-problem-in-non-meraki-vpn-peers-MX6.... In that instance they had to configure the MX with RemoteID for the peer matching the IP address configured on the other end, which was actually a private IP address due to a NAT.

In response to Bruce
RB___
Here to help
‎May 13 2021 9:42 PM
‎May 13 2021 9:42 PM

Oh this could be something! I am going to try this tomorrow and see if it works. Fingers crossed! Will updated when I can

In response to Bruce
RB___
Here to help
‎May 14 2021 11:56 AM
‎May 14 2021 11:56 AM

That was it!

 

So for anyone else stumbling on this post what I had to do was configure the Remote ID field the same as the Public IP field of the peer on the MX68. Once I did that and all the other settings were matching the tunnel came up instantly and I was able to pass traffic. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.