Meraki MX68W and Sonicwall VPN issue

SOLVED
fcbob
Comes here often


Hi Gurus, 
I am trying to establish a VPN between Meraki and non-Meraki devices; however, I am having issues.
I tried with a Meraki MX68W and Forcepoint and that did not work.

Then I tried with the Meraki MX68W and a SonicWall and this didn't work either.

Tried with both IKEv1 and IKEv2, but no luck.

While checking the event log on Meraki, I can see a message confirming FIPS mode disabled.

Any suggestions on how to fix this or enable FIPS?

Regards

1 ACCEPTED SOLUTION
alemabrahao
Kind of a big deal

The MX is behind a NAT; it's under a firewall or router (where the MX is installed). You have to check if the ports are allowed on the firewall or router.

If yes, you have to check with your ISP (where the MX is installed) whether there is some blocking.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

alemabrahao
Kind of a big deal

Check this information:

https://community.meraki.com/t5/Security-SD-WAN/Non-Meraki-VPN-negotiation-msg-FIPS-mode-disabled/m-...

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_Device_to_Clou...

[screenshot: alemabrahao_0-1666138973158.png]

fcbob
Comes here often

Hi Alemabrahao, 
Thank you for those two links. I have already gone through these links earlier and am still facing issues.

1. I don't see an option for FIPS configuration under Network-wide -> General.

    Our current version is MX 16.16.

2. I have configured exactly the same as per the above link; however, on the SonicWall I can see the error message:
    Message Received notify. NO_PROPOSAL_CHOSEN
3. Under Network-wide >> Event log >> All Non-Meraki / Client VPN, I can see the following error:
Event type: Non-Meraki / Client VPN Negotiation
Details: msg: FIPS mode disabled

Not quite sure if this FIPS is causing an issue here.

Any suggestion will be highly appreciated.

Regards,

alemabrahao
Kind of a big deal

You don't need to enable FIPS, but you have to configure the IPsec policies as follows: the password must be greater than 14 characters, authentication cannot be MD5, the Diffie-Hellman group must be 14, Phase 2 encryption cannot be NULL, and PFS can be configured to be either off or 14.

Set the configuration as recommended on both sides and it will work as expected.
fcbob
Comes here often

Hi Alemabrahao, 
I have configured it on both sides as per the above; however, I am still getting an error message.
These are the messages I received on the SonicWall:

Time 11:42:45 Oct 19
ID 973
Category VPN
Group VPN IKEv2
Event Initiator: Received IKE_SA_INT Response
Msg. Type Standard Note String
Priority Inform
Message IKEv2 Initiator: Received IKE_SA_INT response
Src. Name xx.xx.xx.xx ( Meraki Public IP )
Dst. Name
Notes VPN Policy: VPN_Meraki_D_Test;

Time 11:39:06 Oct 19
ID 983
Category VPN
Group VPN IKEv2
Event Received Notify Error Payload
Msg. Type Standard Note String
Priority Warning
Message IKEv2 Received notify error payload
Src. Name xx.xx.xx.xx ( Meraki Public IP )
Dst. Name
Notes VPN Policy: VPN_Meraki_D_Test; No Proposal Chosen

Time 11:42:15 Oct 19
ID 972
Category VPN
Group VPN IKEv2
Event Initiator: Retransmit IKEv2 Request Due to Remote Party Timeout
Msg. Type Standard Note String
Priority Inform
Message IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
Src. Name
Dst. Name xx.xx.xx.xx ( Meraki Public IP )
Notes VPN Policy: VPN_Meraki_D_Test;

Any suggestions on where to check on the Meraki side for the specific site-to-site VPN logs?

Regards,

alemabrahao
Kind of a big deal

Use IKEv1 and configure it like this:

[screenshot: alemabrahao_0-1666180211576.png]

Configure the shared secret (password greater than 14 characters) with no special characters at the beginning or end.
fcbob
Comes here often

Hi Alemabrahao,

Appreciate your quick and prompt response.

Please see the config on Meraki below:

[screenshot: fcbob_0-1666181199550.png]

pre-shared key: Thankyouforhelping19

[screenshot: fcbob_1-1666181419028.png]

Public IP: SonicWall public IP

Private subnets: LAN subnets from the SonicWall

In the SonicWall logs, I can see the following:

[screenshot: fcbob_2-1666181726588.png]

SonicWall VPN config:

[screenshot: fcbob_3-1666181868284.png]

IPSec Primary Gateway / Name or Address: Meraki public IP

Local IKE ID: public IP of the SonicWall

Peer IKE ID: public IP of the Meraki

[screenshots: fcbob_4-1666181968470.png, fcbob_5-1666182008010.png]

The X1 interface on the SonicWall is the WAN interface.

Still cannot see the VPN established.
Any further suggestions please?

Regards,

alemabrahao
Kind of a big deal

The "IKE Initiator: Remote Party timeout" log shows several timeout messages and IKE negotiation aborted due to timeout after a short delay, which indicates that there is a communication problem or that the Initiator and Responder are unable to complete the Phase 1 negotiations.

If you receive an "IKE Initiator: No response--remote party timeout" error, checking the logs on the Responder SonicWall will clearly display the exact problem; ensure that the Proposals are identical on both VPN policies.

If no log messages are available for the Initiator VPN device, then follow these steps:

  • Ensure that the Enable VPN option is checked under Manage | VPN | Base Settings | VPN Global Settings and the appropriate VPN policy is enabled.
  • Network connectivity between units.
    TIP: You may try to connect via GVC software if GroupVPN is configured on the SonicWall.
  • IPSec Gateway address in the Initiator SA specifies the WAN address of the IKE Responder.
  • If you are using an FQDN in the IPSec Gateway Name or Address field, ensure that the FQDN resolves to the WAN address of the IKE Responder.
  • IKE access rules enabled.
  • No other firewalls in the path are blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.
  • Contact the ISP to see if they're blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.
  • If using SonicOS Standard with Aggressive Mode VPN, make sure the remote end's firewall name is specified on the host firewall's VPN policy.
  • If the VPN tunnel is being established with a 3rd-party VPN device, then make sure that NAT-T is disabled (in case there is no NAT device in front of the SonicWall).
  • Check the Local and Peer IKE IDs in the VPN policy if you have set up the Site to Site VPN policy between SonicOS Enhanced and Standard firewalls.
  • Click the Advanced tab of the VPN Policy and set VPN to bind to Zone WAN.
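
The triage in the reply above (timeouts versus a peer that answers and rejects), as an added Python example that is not part of this thread and not SonicWall code. It parses records in the layout fcbob posted (constructed copies, with a documentation address in place of the Meraki public IP) and applies one rule the thread relies on: a "No Proposal Chosen" notify or an IKE_SA_INIT response can only come from a peer that was reached, so those records rule out blocked UDP 500/4500 and point at a proposal, IKE ID or PSK mismatch instead, while timeouts alone point at connectivity or NAT.

```python
"""Triage exported SonicWall IKE log records per VPN policy: is the peer unreachable
(only timeouts) or is it answering and rejecting the proposal?

Added example for this thread, not SonicWall code. The record layout and the sample
records are copied from the post above with 203.0.113.10 (a documentation address)
standing in for the MX public IP."""
import re
from collections import defaultdict

# Field names that start a line in the exported SonicWall log (from the post above).
FIELDS = ("Time", "ID", "Category", "Group", "Event", "Msg. Type", "Priority",
          "Message", "Src. Name", "Dst. Name", "Notes")
_FIELD_RE = re.compile(r"^(" + "|".join(re.escape(f) for f in FIELDS) + r")\s*(.*)$")


def parse_records(text: str) -> list:
    """Split the export into blank-line-separated records of {field: value}."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = _FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def policy_of(rec: dict) -> str:
    m = re.search(r"VPN Policy:\s*([^;]+)", rec.get("Notes", ""))
    return m.group(1).strip() if m else "<unknown>"


def classify(rec: dict) -> str:
    """Map one record to what it proves about the negotiation."""
    msg = (rec.get("Message", "") + " " + rec.get("Notes", "")).lower()
    if "no proposal chosen" in msg or "notify error payload" in msg:
        return "rejected"       # peer answered and refused: proposal/ID/PSK mismatch, not a blocked port
    if "timeout" in msg or "retransmit" in msg:
        return "no_response"    # nothing came back: connectivity, NAT or filtering
    if "received ike_sa_int" in msg or "received ike_sa_init" in msg:
        return "peer_answered"  # IKE_SA_INIT response seen: UDP/500 works in both directions
    return "other"


def triage(text: str) -> dict:
    """Return {policy: {"counts": {...}, "reachable": bool, "verdict": str}}."""
    per_policy = defaultdict(lambda: defaultdict(int))
    for rec in parse_records(text):
        per_policy[policy_of(rec)][classify(rec)] += 1
    result = {}
    for policy, counts in per_policy.items():
        reachable = counts["peer_answered"] > 0 or counts["rejected"] > 0
        if counts["rejected"]:
            verdict = "proposal_mismatch"  # check phase 1 algorithms, DH group, IKE IDs and PSK
        elif counts["no_response"] and not reachable:
            verdict = "peer_unreachable"   # check UDP 500/4500, ESP (50), upstream NAT/firewall, ISP
        elif reachable:
            verdict = "negotiating"
        else:
            verdict = "unknown"
        result[policy] = {"counts": dict(counts), "reachable": reachable, "verdict": verdict}
    return result


# Constructed sample in the layout of the post above.
SAMPLE_LOG = """\
Time 11:42:45 Oct 19
ID 973
Category VPN
Group VPN IKEv2
Event Initiator: Received IKE_SA_INT Response
Msg. Type Standard Note String
Priority Inform
Message IKEv2 Initiator: Received IKE_SA_INT response
Src. Name 203.0.113.10
Dst. Name
Notes VPN Policy: VPN_Meraki_D_Test;

Time 11:39:06 Oct 19
ID 983
Category VPN
Group VPN IKEv2
Event Received Notify Error Payload
Msg. Type Standard Note String
Priority Warning
Message IKEv2 Received notify error payload
Src. Name 203.0.113.10
Dst. Name
Notes VPN Policy: VPN_Meraki_D_Test; No Proposal Chosen

Time 11:42:15 Oct 19
ID 972
Category VPN
Group VPN IKEv2
Event Initiator: Retransmit IKEv2 Request Due to Remote Party Timeout
Msg. Type Standard Note String
Priority Inform
Message IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
Src. Name
Dst. Name 203.0.113.10
Notes VPN Policy: VPN_Meraki_D_Test;
"""

if __name__ == "__main__":
    for policy, info in triage(SAMPLE_LOG).items():
        print(policy, info)
```

On the sample, the policy comes out as proposal_mismatch with reachable true: the retransmit record on its own would suggest a blocked path, but the IKE_SA_INIT response and the notify from the Meraki public IP show the MX was reached and chose to reject, which is the same conclusion AlexP reaches further down the thread.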
fcbob
Comes here often

Hi,
this is the VPN status on Meraki:

[screenshot: fcbob_0-1666182876314.png]

The Public IP highlighted in black is the public IP of the SonicWall.
The NAT Type "friendly" highlighted in black is the public IP of the Meraki.

Will this help to figure out why the VPN isn't establishing?

Regards,

alemabrahao
Kind of a big deal

Your Meraki is under a NAT. 🤔

I don't know if the MX is behind another firewall, but if it is, you have to validate that ports 500 and 4500 are allowed.

Is the 10.10.196.0/24 network the local network at the site where the SonicWall is?
fcbob
Comes here often

Hi Alemabrahao,

As always, appreciate your support here.

We have confirmed that there is no firewall before the MX and all ports are open.

Yes, 10.10.196.0/24 is the local network on the SonicWall side.

Still not able to establish a site-to-site VPN between Meraki and SonicWall.

alemabrahao
Kind of a big deal

I don't think it's a Meraki issue; it's behind NAT. Is it possible to configure a public IP on the Meraki?

[screenshot: alemabrahao_0-1666191081129.png]

Have you tried to perform a packet capture on the Meraki WAN interface?

I tested it at my home (it's behind NAT too) and it worked as expected.

Are you sure that you don't have a firewall blocking ports 500 and 4500?

Can you send me a simple topology to try to understand?
fcbob
Comes here often

Hi alemabrahao,

Our SonicWall also has another VPN with Forcepoint and everything is working fine.
We have checked the policy and the required ports are open.
I have also checked with aggressive mode on the SonicWall and saw the same error logs as provided earlier.
I believe it's the Meraki which is acting a bit funny here.
Is there any place where I can check VPN-related logs only?
All I can find is the following in the event log:

[screenshot: fcbob_0-1666191609362.png]

Regards,

alemabrahao
Kind of a big deal

The MX is behind a NAT; it's under a firewall or router (where the MX is installed). You have to check if the ports are allowed on the firewall or router.

If yes, you have to check with your ISP (where the MX is installed) whether there is some blocking.
fcbob
Comes here often

Hi Alemabrahao,
Again, appreciate your prompt response.
Seems you may be right, as I need to find more details regarding client connectivity, which I don't have any visibility of as of yet.

Also, we have another MX in a different location, and while checking the IP config for the WAN, I could see that this new site has a static public IP address configured. I gave it a little try to configure a VPN with the same SonicWall, and it looks like this has either established or dropped just after the VPN was established:

[screenshot: fcbob_0-1666193969822.png]

VPN status on Meraki:

[screenshot: fcbob_1-1666194051541.png]

On the SonicWall, I can see the following:

[screenshot: fcbob_2-1666194255518.png]

I will try to do further troubleshooting tomorrow.

Thanks again for your support today.

Regards

AlexP
Meraki Employee

A NO_PROPOSAL_CHOSEN message being received on your SonicWall means the MX is rejecting the attempt in Phase 1.

You'll want to open a support case, as there's no more debugging that can be done using the logs on Dashboard, unfortunately.

fcbob
Comes here often

Hi Alemabrahao and AlexP,

Thank you very much for your support on resolving this VPN issue between Meraki and SonicWall.
I have managed to successfully establish a site-to-site VPN with the second Meraki, as this one had a public IP address statically assigned to its WAN interface.

It's IKEv2 with the following config and works fine:

[screenshot: fcbob_0-1666262316255.png]

The issue with the first Meraki is that we have a private IP assigned to its WAN interface. This means there's an extra device (firewall/router) between the Meraki and the PE, as Alemabrahao confirmed earlier.

Thank you again for your support.

Regards,

alemabrahao
Kind of a big deal

Great news 😀.
AlexP
Meraki Employee

Private IPs do work; you just need to specify an identity on each side, depending on your deployment. The issue is that the SonicWall probably isn't configured to expect the MX to send its private IP as its identity, or, if it's ignoring that for whatever reason, it's sending the public IP as the ID it's expecting us to use, which the MX is not expecting, and rejecting the connection.

If you had planned on deploying the MX with a static private IP, just set that as the Local ID in Dashboard, and that should make it work behind a NAT without issue, I would expect (you may need to make some additional changes to your SonicWall to accommodate this as well).

fcbob
Comes here often

Hi Alex,
Is this the place where I will be setting up the private IP of the Meraki:

[screenshot: fcbob_0-1666356721245.png]

Sorry, this is the first time working on Meraki and I'm not quite sure how to set up a site-to-site VPN on a Meraki behind NAT and any other firewall (I can test with either SonicWall or Forcepoint).

Regards,

alemabrahao
Kind of a big deal

It's an optional setting.

The default behavior of the MX is to set remote_id to FQDN if it is not explicitly added in the dashboard "Non-Meraki VPN peers" settings.

This is false - those IDs are set to whatever IP address the MX is assigned, and the public IP of the peer in question respectively.

alemabrahao
Kind of a big deal

I have never needed to set the Local ID for the VPN to work.

Here is my config:

[screenshot: alemabrahao_0-1666366730546.png]

And as you can see it has been working well:

[screenshot: alemabrahao_1-1666366774342.png]

I'm not saying you need to set that. It is an optional value yes, but it does not default to an FQDN.

alemabrahao
Kind of a big deal

So is the documentation wrong? 😅

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peerin...

That documentation reflects new behavior on MX18 firmware if you want to resolve a peer via a DNS name - it will only default to that if you're putting a hostname in the remote IP field.

AlexP
Meraki Employee

That would be the spot, yes, and then make sure your remote peer is configured to use that same ID as well.

fcbob
Comes here often

Hi Alex and Alemabrahao,
I am back with the same question.
So the VPN for the Meraki which had a public IP configured on its WAN interface is working fine.
However, for another Meraki at a different location which is behind NAT, I am required to configure a VPN.
Is there a way of achieving this, as I have no visibility of what sits (router or firewall) between the Meraki and the PE?

Thanks

alemabrahao
Kind of a big deal

Hi @fcbob,

It should work behind NAT. Try defining the remote ID on the Meraki side with the SonicWall IP:

[screenshot: alemabrahao_0-1668004859097.png]

  • The Remote ID of the remote peer. This is an optional configuration and can be configured to the remote peer's UserFQDN (e.g. user@domain.com), FQDN (e.g. www.example.com) or IPv4 address as needed.
    • Which of these values you use is dependent upon your remote device. Please consult its documentation to learn what values it is capable of specifying as its remote ID, and how to configure them (e.g. crypto isakmp identity for ASA firewalls).

https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Sonicwall_Site-to-Site_VPN_Setup
AlexP
Meraki Employee

In this case, you have two options, depending on the nature of your setup:

  1. Configure the non-Meraki device to expect the private IP address of your primary uplink on the MX as the presented ID
  2. Configure the peering on Dashboard so that the LocalID of the MX is whatever public IP its traffic is getting NAT'd to
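
The two options above, worked through as an added Python example (not Meraki or SonicWall code). It assumes what the replies in this thread state: the MX presents its own uplink address as its IKE ID unless a Local ID is set in Dashboard, it expects the peer's public IP unless a Remote ID is set, and each side rejects a peer whose presented ID differs from what it expects. The SonicWall default of expecting the gateway address it dials as the Peer IKE ID is an assumption of the example, as are the documentation-range addresses and the MxSide/SonicWallSide names.

```python
"""Work out which IKE identities each side presents and expects when the MX sits
behind NAT, and which of the two fixes applies.

Added example for this thread, not Meraki or SonicWall code. Defaults below follow the
thread's description of MX behaviour; the SonicWall default is an assumption."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Address space that cannot be the MX's real public address: RFC 1918 private ranges plus
# the RFC 6598 carrier-grade NAT range an ISP may hand out (either means NAT upstream).
NATTED_RANGES = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


@dataclass
class MxSide:
    wan_ip: str                      # address configured on the MX uplink
    observed_public_ip: str          # source address the peer sees for the MX's packets
    peer_public_ip: str              # "Public IP" entered for the non-Meraki peer
    local_id: Optional[str] = None   # optional Local ID in Dashboard
    remote_id: Optional[str] = None  # optional Remote ID in Dashboard


@dataclass
class SonicWallSide:
    wan_ip: str
    local_ike_id: Optional[str] = None  # defaults to its own WAN IP
    peer_ike_id: Optional[str] = None   # assumed default: the gateway address it dials


def is_behind_nat(mx: MxSide) -> bool:
    """True when the uplink address is non-routable or differs from what the peer sees."""
    addr = ipaddress.ip_address(mx.wan_ip)
    return any(addr in net for net in NATTED_RANGES) or mx.wan_ip != mx.observed_public_ip


def identities(mx: MxSide, sw: SonicWallSide) -> dict:
    """IDs each side presents and expects, with the defaults described above applied."""
    return {
        "mx_presents": mx.local_id or mx.wan_ip,
        "mx_expects": mx.remote_id or mx.peer_public_ip,
        "sw_presents": sw.local_ike_id or sw.wan_ip,
        "sw_expects": sw.peer_ike_id or mx.observed_public_ip,
    }


def plan(mx: MxSide, sw: SonicWallSide) -> dict:
    """Compare presented and expected IDs in both directions and list the fixes."""
    ids = identities(mx, sw)
    problems, fixes = [], []
    if ids["mx_presents"] != ids["sw_expects"]:
        problems.append(f"SonicWall expects peer ID {ids['sw_expects']} but MX presents {ids['mx_presents']}")
        if is_behind_nat(mx):
            fixes.append(f"option 1: set SonicWall Peer IKE ID to {ids['mx_presents']} (the MX uplink address)")
            fixes.append(f"option 2: set MX Local ID to {mx.observed_public_ip} (the NAT'd public address)")
        else:
            fixes.append(f"set SonicWall Peer IKE ID to {ids['mx_presents']}")
    if ids["sw_presents"] != ids["mx_expects"]:
        problems.append(f"MX expects remote ID {ids['mx_expects']} but SonicWall presents {ids['sw_presents']}")
        fixes.append(f"set MX Remote ID to {ids['sw_presents']} or SonicWall Local IKE ID to {ids['mx_expects']}")
    return {"behind_nat": is_behind_nat(mx), "ids": ids, "problems": problems,
            "fixes": fixes, "ok": not problems}


# Constructed scenario matching the thread: the MX uplink has a private address and is
# NAT'd to a public one; the SonicWall was told to expect that public address.
MX_NATTED = MxSide(wan_ip="10.0.0.2", observed_public_ip="198.51.100.10", peer_public_ip="203.0.113.5")
SW = SonicWallSide(wan_ip="203.0.113.5", peer_ike_id="198.51.100.10")


def after_option_2() -> dict:
    """Same scenario with the MX Local ID set to the NAT'd public address."""
    return plan(replace(MX_NATTED, local_id=MX_NATTED.observed_public_ip), SW)


if __name__ == "__main__":
    before = plan(MX_NATTED, SW)
    print("before:", before["problems"], before["fixes"])
    print("after option 2:", after_option_2()["ok"])
```

Either fix makes both directions agree; option 1 keeps the private address in the SonicWall policy, option 2 keeps the public address but depends on the NAT'd address staying stable, which is the same dependency as a static public uplink.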
fcbob
Comes here often

Hi Both,
Thanks again for your quick support.
@alemabrahao, as per your comment, it seems I will have to add the peer IKE ID (private IP address of the Meraki) on the SonicWall.

Also, the remote ID on the Meraki (public IP of the SonicWall).

@Alex, for point A: I believe I will have to add the peer IKE ID (private IP address of the Meraki),

            for point B: can you please outline the steps for configuring the peering on Dashboard?

Sorry, first time dealing with Meraki.

Thanks

fcbob
Comes here often

So, as per this document, I have configured both sides:
https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Sonicwall_Site-to-Site_VPN_Setup

[screenshots: fcbob_0-1668014877635.png, fcbob_1-1668014911531.png]

[screenshot: fcbob_2-1668014930225.png]

These are the configs on the Meraki side:

[screenshot: fcbob_3-1668015039799.png]

[screenshot: fcbob_4-1668015236416.png]

[screenshot: fcbob_5-1668015275809.png]

Kindly let me know if I am missing any config anywhere?

Regards

alemabrahao
Kind of a big deal

Change the encryption to AES, and follow these recommendations:

  • Security & SD-WAN -> Configure: Site-to-site VPN -> Non-Meraki VPN settings:
    • Preshared secret must be greater than 14 characters
    • Authentication cannot be MD5
    • Diffie-Hellman Group must be 14
    • Phase 2 encryption cannot be NULL
    • PFS can be configured to be either off or 14
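
The constraints listed here and in alemabrahao's earlier reply (preshared secret longer than 14 characters, no MD5, DH group 14, no NULL, PFS off or 14), as an added Python example that is not Meraki or SonicWall code: it checks a policy against those constraints and intersects the two peers' proposal sets the way a responder does, so an empty phase 1 intersection is the NO_PROPOSAL_CHOSEN seen on the SonicWall. The Proposal and VpnPolicy classes, the sample policies and the preshared secret in them are constructed for the example; the "no special characters at either end" check follows the recommendation given in the thread, not a documented MX rule.

```python
"""Check IKE/IPsec policies against the MX non-Meraki peer constraints quoted in this
thread and predict whether two peers share a proposal.

Added example for this thread, not Meraki or SonicWall code. Constraint values are the
ones given in the replies above; policies and the shared secret are constructed."""
from dataclasses import dataclass
from typing import Optional


def _norm(name: str) -> str:
    """Normalise algorithm names so 'AES-256', 'aes256' and 'AES_256' compare equal."""
    return name.lower().replace("-", "").replace("_", "")


@dataclass(frozen=True)
class Proposal:
    """One phase 1 (IKE) or phase 2 (IPsec) proposal. dh_group is the DH group for
    phase 1 and the PFS group for phase 2, where None means PFS off."""
    encryption: str
    integrity: str
    dh_group: Optional[int] = None

    def normalised(self) -> "Proposal":
        return Proposal(_norm(self.encryption), _norm(self.integrity), self.dh_group)


@dataclass
class VpnPolicy:
    name: str
    preshared_key: str
    phase1: frozenset  # of Proposal
    phase2: frozenset  # of Proposal
    ike_version: int = 2


def check_mx_constraints(policy: VpnPolicy) -> list:
    """Return the violations that would make the MX refuse this policy."""
    problems = []
    psk = policy.preshared_key
    if len(psk) <= 14:
        problems.append(f"{policy.name}: preshared secret must be greater than 14 characters")
    # Thread recommendation rather than a hard rule: no special characters at either end.
    if psk and not (psk[0].isalnum() and psk[-1].isalnum()):
        problems.append(f"{policy.name}: preshared secret starts or ends with a special character")
    for p in policy.phase1:
        if _norm(p.integrity) == "md5":
            problems.append(f"{policy.name}: phase 1 authentication cannot be MD5")
        if p.dh_group != 14:
            problems.append(f"{policy.name}: phase 1 Diffie-Hellman group must be 14 (got {p.dh_group})")
    for p in policy.phase2:
        if _norm(p.encryption) == "null":
            problems.append(f"{policy.name}: phase 2 encryption cannot be NULL")
        if _norm(p.integrity) == "md5":
            problems.append(f"{policy.name}: phase 2 authentication cannot be MD5")
        if p.dh_group not in (None, 14):
            problems.append(f"{policy.name}: PFS must be off or group 14 (got {p.dh_group})")
    return problems


def negotiate(a: VpnPolicy, b: VpnPolicy) -> dict:
    """Intersect the two peers' proposal sets as an IKE responder would. An empty
    phase 1 intersection is what the initiator logs as NO_PROPOSAL_CHOSEN."""
    p1 = {p.normalised() for p in a.phase1} & {p.normalised() for p in b.phase1}
    p2 = {p.normalised() for p in a.phase2} & {p.normalised() for p in b.phase2}
    psk_match = a.preshared_key == b.preshared_key
    if a.ike_version != b.ike_version:
        verdict = "IKE version mismatch"
    elif not p1:
        verdict = "NO_PROPOSAL_CHOSEN in phase 1"
    elif not p2:
        verdict = "phase 1 up, NO_PROPOSAL_CHOSEN in phase 2"
    elif not psk_match:
        verdict = "proposals match but preshared secrets differ (authentication will fail)"
    else:
        verdict = "ok"
    return {"phase1": p1, "phase2": p2, "psk_match": psk_match, "verdict": verdict}


# Constructed samples: the MX side as recommended in the thread, a SonicWall policy
# still on legacy defaults, and the same policy after aligning it with the MX.
SECRET = "ExampleSharedSecret2022"
MX = VpnPolicy("MX", SECRET,
               frozenset({Proposal("AES256", "SHA256", 14)}),
               frozenset({Proposal("AES256", "SHA256", None)}))
SONICWALL_BEFORE = VpnPolicy("SonicWall-before", SECRET,
                             frozenset({Proposal("3DES", "SHA1", 2)}),
                             frozenset({Proposal("3DES", "SHA1", 2)}))
SONICWALL_AFTER = VpnPolicy("SonicWall-after", SECRET,
                            frozenset({Proposal("AES-256", "SHA-256", 14)}),
                            frozenset({Proposal("AES-256", "SHA-256", None)}))

if __name__ == "__main__":
    for pol in (MX, SONICWALL_BEFORE, SONICWALL_AFTER):
        print(pol.name, check_mx_constraints(pol) or "meets MX constraints")
    print(negotiate(MX, SONICWALL_BEFORE)["verdict"])
    print(negotiate(MX, SONICWALL_AFTER)["verdict"])
```

The point of running the intersection rather than eyeballing two screenshots is that a single differing parameter (here DH group 2 against 14) empties the set and produces the same NO_PROPOSAL_CHOSEN as a completely wrong configuration, so the check has to be term by term.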
fcbob
Comes here often

Made changes to the following:

[screenshot: fcbob_0-1668016108548.png]

[screenshot: fcbob_1-1668016185519.png]

The pre-shared key is greater than 14 characters.

Still no joy.

As per Alex's comment:

  1. Configure the peering on Dashboard so that the LocalID of the MX is whatever public IP its traffic is getting NAT'd to

    Any chance of explaining how to achieve this?



alemabrahao
Kind of a big deal

Open a support case.
EdNunez
Comes here often

Make sure you are allowing all traffic from your SonicWall IP address in the upstream device that is NATing to your MX.

I had a tough time deploying a Meraki vMX in Azure, since Azure gives you a NATed public IP address. The biggest issue I had was that nowhere in the deployment documentation is it mentioned that you must allow all traffic from the IP address of any non-Meraki peer you want to establish a VPN connection to in the Azure Network Security Group assigned to your vMX.

fcbob
Comes here often

Hi Alemabrahao,

Any idea how to open a support case with Meraki?
I have dealt with Cisco in the past raising TAC cases; however, I don't have a Cisco account with my current company to raise a TAC case with them directly.

Do I need to have an account, or can I raise it on behalf of the customer (again, the customer doesn't have a Cisco account)?

Regards,

alemabrahao
Kind of a big deal

Go to the Meraki dashboard, then go to Help and Cases.

[screenshots: alemabrahao_0-1668083713910.png, alemabrahao_1-1668083727594.png]