Hi Gurus,
I am trying to establish a VPN between Meraki and non-Meraki devices; however, I am having issues.
I tried with a Meraki MX68W and Forcepoint and that did not work.
Then I tried with a Meraki MX68W and SonicWall and this didn't work either.
Tried with both IKEv1 and IKEv2 but no luck.
While checking the event log on Meraki, I can see a message confirming FIPS mode is disabled.
Any suggestion on how to fix this or enable FIPS?
Regards
The MX is behind a NAT; it's under a firewall or router (where the MX is installed). You have to check if the ports are allowed on the firewall or router.
If yes, you have to check with your ISP (where the MX is installed) to see whether there is some blocking.
Check this information:
Hi Alemabrahao,
Thank you for those two links. I have already gone through these links earlier and am still facing issues.
1. I don't see an option for FIPS configuration under Network-wide -> General.
Our current version is MX 16.16.
2. I have configured exactly the same as per the above link; however, on SonicWall I can see this error message:
Message Received notify. NO_PROPOSAL_CHOSEN
3. Under Network-wide >> Event log >> All Non-Meraki / Client VPN, I can see the following error:
Event type: Non-Meraki / Client VPN Negotiation
Details: msg: FIPS mode disabled
Not quite sure if this FIPS is causing an issue here.
Any suggestion will be highly appreciated.
Regards,
You don't need to enable FIPS, but you have to configure the IPsec policies with a password greater than 14 characters; authentication cannot be MD5, the Diffie-Hellman group must be 14, Phase 2 encryption cannot be NULL, and PFS can be configured to be either off or 14.
Set the configuration as recommended on both sides and it will work as expected.
Hi Alemabrahao,
I have configured both sides as per the above; however, I am still getting an error message.
This is the message I received on Sonicwall:
Time 11:42:45 Oct 19
ID 973
Category VPN
Group VPN IKEv2
Event Initiator: Received IKE_SA_INT Response
Msg. Type Standard Note String
Priority Inform
Message IKEv2 Initiator: Received IKE_SA_INT response
Src. Name xx.xx.xx.xx ( Meraki Public IP )
Dst. Name
Notes VPN Policy: VPN_Meraki_D_Test;
Time 11:39:06 Oct 19
ID 983
Category VPN
Group VPN IKEv2
Event Received Notify Error Payload
Msg. Type Standard Note String
Priority Warning
Message IKEv2 Received notify error payload
Src. Name xx.xx.xx.xx ( Meraki Public IP )
Dst. Name
Notes VPN Policy: VPN_Meraki_D_Test; No Proposal Chosen
Time 11:42:15 Oct 19
ID 972
Category VPN
Group VPN IKEv2
Event Initiator: Retransmit IKEv2 Request Due to Remote Party Timeout
Msg. Type Standard Note String
Priority Inform
Message IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
Src. Name
Dst. Name xx.xx.xx.xx ( Meraki Public IP )
Notes VPN Policy: VPN_Meraki_D_Test;
Any suggestions where to check on Meraki side for the specific site-to-site VPN logs?
Regards,
Use IKEv1 and configure it like this:
Configure the shared secret (password greater than 14 characters) with no special characters at the beginning or end.
Hi Alemabrahao,
Appreciate your quick and prompt response.
Please see the config on Meraki below:
pre-shared key: Thankyouforhelping19
Public IP : Sonicwall public IP
Private subnets: Lan subnets from Sonicwall
On the SonicWall logs, I can see the following:
Sonicwall VPN config:
IPSec Primary Gateway / Name or Address: Meraki Public IP
Local IKE ID: public IP of Sonicwall
Peer IKE ID: public IP of Meraki
X1 interface on Sonicwall is WAN interface.
Still cannot see the VPN established.
Any further suggestions, please?
Regards,
The IKE Initiator: Remote Party timeout log shows several timeout messages and IKE negotiation aborted due to timeout after a short delay, which indicates that there is a communication problem or that the Initiator and Responder are unable to complete the Phase 1 negotiations.
If you receive an IKE Initiator: No response--remote party timeout error, checking the logs on the Responder SonicWall will clearly display the exact problem; ensure that the Proposals are identical on both VPN policies.
If no log messages are available for the Initiator VPN device, then follow these steps:
Ensure that the Enable VPN option is checked under Manage | VPN | Base Settings| VPN Global Settings and the appropriate VPN policy is enabled.
Network connectivity between units.
TIP: You may try to connect via GVC software if GroupVPN is configured on the SonicWall.
IPSec Gateway address in Initiator SA specifies WAN address of IKE Responder.
If you are using FQDN in the IPSec Gateway Name or Address field, ensure that FQDN resolves to WAN address of IKE Responder.
IKE access rules enabled.
No other firewalls in the path are blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.
Contact ISP to see if they're blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.
If using SonicOS Standard with Aggressive Mode VPN, make sure the remote end’s firewall name is specified on the host firewall’s VPN policy.
If the VPN Tunnel is being established with a 3rd Party VPN device, then make sure that NAT-T is disabled (in case there is no NAT device in front of the SonicWall).
Check the Local and Peer IKE IDs in the VPN policy if you have setup the Site to Site VPN Policy between the SonicOS Enhanced and Standard firewall.
Click Advanced tab of the VPN Policy, set VPN to bind to Zone WAN.
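The two SonicWall entries quoted earlier in this thread, parsed from their flattened "Label value" layout and triaged the way this answer suggests (No Proposal Chosen points at the Responder's Phase 1 proposal, a remote-party timeout at the UDP 500/4500 and protocol 50/51 path). This is an added example, not code from any poster or from SonicWall; the sample log text and the documentation address 203.0.113.10 are constructed.

```python
from typing import Dict, List

# Field labels as they appear in the SonicOS log entries quoted in this thread;
# multi-word labels come first so prefix matching picks the longest one.
FIELDS = ("Msg. Type", "Src. Name", "Dst. Name", "Time", "ID", "Category",
          "Group", "Event", "Priority", "Message", "Notes")

# Constructed sample in the same flattened layout (203.0.113.10 is a documentation
# address standing in for the masked Meraki public IP).
SAMPLE_LOG = """\
Time 11:39:06 Oct 19
ID 983
Event Received Notify Error Payload
Priority Warning
Message IKEv2 Received notify error payload
Src. Name 203.0.113.10 ( Meraki Public IP )
Dst. Name
Notes VPN Policy: VPN_Meraki_D_Test; No Proposal Chosen
Time 11:42:15 Oct 19
ID 972
Event Initiator: Retransmit IKEv2 Request Due to Remote Party Timeout
Priority Inform
Message IKEv2 Initiator: Remote party Timeout - Retransmitting IKEv2 Request.
Src. Name
Dst. Name 203.0.113.10 ( Meraki Public IP )
Notes VPN Policy: VPN_Meraki_D_Test;
"""

def parse_records(text: str) -> List[Dict[str, str]]:
    """Group the flattened 'Label value' lines into one dict per log entry."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        for field in FIELDS:
            if line == field or line.startswith(field + " "):
                if field == "Time":          # every entry starts with its Time line
                    records.append({})
                records[-1][field] = line[len(field):].strip()
                break
    return records

def triage(record: Dict[str, str]) -> str:
    """Map one entry to the likely cause discussed in this thread."""
    blob = (record.get("Message", "") + " " + record.get("Notes", "")).lower()
    if "no proposal chosen" in blob:
        return "phase1-proposal-mismatch"  # responder rejected the IKE proposal: compare both policies
    if "timeout" in blob:
        return "no-response"  # nothing came back: check UDP 500/4500 and ESP/AH (protocol 50/51) path
    return "informational"
```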
Hi,
This is the VPN status on Meraki:
The public IP highlighted in black is the public IP of the SonicWall.
The NAT type "friendly" highlighted in black is the public IP of the Meraki.
Will this help to figure out why the VPN isn't establishing?
Regards,
Your Meraki is under a NAT. 🤔
I don't know if the MX is behind another firewall, but if it is, you have to validate that ports 500 and 4500 are allowed.
Is the 10.10.196.0/24 network the local network at the site where Sonicwall is?
Hi Alemabrahao,
As always, appreciate your support here.
We have confirmed that there is no firewall before MX and all ports are open.
Yes, 10.10.196.0/24 is the local network on the SonicWall side.
Still have not been able to establish a site-to-site VPN between Meraki and SonicWall.
I don't think it's a Meraki issue; it's behind NAT. Is it possible to configure a public IP on the Meraki?
Have you tried to perform a packet capture on Meraki WAN interface?
I tested it at my home (it's behind NAT too) and it worked as expected.
Are you sure that you don't have a firewall blocking ports 500 and 4500?
Can you send me a simple topology to try to understand?
Hi alemabrahao,
Our SonicWall also has another VPN with Forcepoint and everything is working fine.
We have checked the policy and the required ports are open.
I have also checked with aggressive mode on SonicWall and the same error logs were seen, as provided earlier.
I believe it's Meraki which is acting a bit funny here.
Is there any place where I can check VPN-related logs only?
All I can find is the following in the event log:
Regards,
The MX is behind a NAT; it's under a firewall or router (where the MX is installed). You have to check if the ports are allowed on the firewall or router.
If yes, you have to check with your ISP (where the MX is installed) to see whether there is some blocking.
Hi Alemabrahao,
Again appreciate your prompt response.
Seems you may be right, as I need to find more details regarding the client's connectivity, which I don't have any visibility of as of yet.
Also, we had another MX in a different location, and while checking the IP config for the WAN, I could see that this new site has a static public IP address configured. I gave it a little try to configure the VPN with the same SonicWall, and it looks like this has either been established or dropped just after the VPN was established:
VPN Status on Meraki:
On Sonicwall, I can see following:
I will try to do further troubleshooting tomorrow.
Thanks again for your support today.
Regards
A NO_PROPOSAL_CHOSEN message being received on your Sonicwall means the MX is rejecting the attempt in Phase 1.
You'll want to open a support case, as there's no more debugging that can be done using the logs on Dashboard, unfortunately.
Hi Alemabrahao and AlexP,
Thank you very much for your support on resolving this VPN issue between Meraki and Sonicwall.
I have managed to successfully establish a site-to-site VPN with the second Meraki, as this one had a public IP address statically assigned to its WAN interface.
It's IKEv2 with the following config and works fine:
The issue with the first Meraki is that we have a private IP assigned to its WAN interface. This means there's an extra device (firewall/router) between the Meraki and the PE, as Alemabrahao confirmed earlier.
Thank you again for your support.
Regards,
Great news 😀.
Private IPs do work; you just need to specify an Identity on each side, depending on your deployment. The issue is that the SonicWall probably isn't configured to expect the MX to send its private IP as its identity, or, if it's ignoring that for whatever reason, it's sending the public IP as the ID it's expecting us to use, which the MX is not expecting, and rejecting the connection.
If you had planned on deploying the MX with a static private IP, just set that as the Local ID in Dashboard, and that should make it work behind a NAT without issue, I would expect (you may need to make some additional changes to your SonicWall to accommodate this as well).
Hi Alex,
Is this the place where I will be setting up the private IP of Meraki:
Sorry, this is the first time working on Meraki and I'm not quite sure how to set up a site-to-site VPN on a Meraki behind NAT and any other firewall (I can test with either SonicWall or Forcepoint).
Regards,
It's an optional setting.
The default behavior of the MX is to set remote_id to FQDN if it is not explicitly added in the dashboard "Non-Meraki VPN peers" settings.
This is false - those IDs are set to whatever IP address the MX is assigned, and the public IP of the peer in question respectively.
I have never needed to set the Local ID for the VPN to work.
Here is my config:
And as you can see, it has been working well:
I'm not saying you need to set that. It is an optional value yes, but it does not default to an FQDN.
So is the documentation wrong? 😅
That documentation reflects new behavior on MX18 firmware if you want to resolve a peer via a DNS name - it will only default to that if you're putting a hostname in the remote IP field.
That would be the spot yes, and then make sure your remote peer is configured to use that same ID as well
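A small check of both sides' settings against what the replies above describe: the per-side constraints listed earlier in the thread (PSK longer than 14 characters, no MD5, DH group 14, no NULL Phase 2 encryption, PFS off or 14), identical proposals on both sides (otherwise NO_PROPOSAL_CHOSEN), and the IKE identity the MX sends versus the one the SonicWall expects when the MX has a private WAN address. This is an added example, not Meraki's or any poster's code; the peer names, addresses, PSK and field names are constructed, and "default ID = assigned WAN IP / peer's public IP" follows AlexP's description above.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Peer:
    name: str
    wan_ip: str                 # address on the WAN interface (private if behind NAT)
    public_ip: str              # address the other side sees on the Internet
    psk: str
    ike_auth: str               # "SHA256", "SHA1", "MD5", ...
    dh_group: int
    phase2_enc: str             # "AES256", "NULL", ...
    pfs_group: Optional[int]    # None means PFS off
    local_id: Optional[str] = None   # explicit Local ID; default is the WAN IP
    peer_id: Optional[str] = None    # ID expected from the peer; default is peer's public IP

    def sent_id(self) -> str:
        return self.local_id or self.wan_ip

    def expected_id(self, other: "Peer") -> str:
        return self.peer_id or other.public_ip

def check_policy(p: Peer) -> List[str]:
    """Per-side constraints stated earlier in this thread for MX non-Meraki peers."""
    out = []
    if len(p.psk) <= 14: out.append(f"{p.name}: pre-shared key must exceed 14 characters")
    if p.ike_auth.upper() == "MD5": out.append(f"{p.name}: MD5 authentication not allowed")
    if p.dh_group != 14: out.append(f"{p.name}: Diffie-Hellman group must be 14")
    if p.phase2_enc.upper() == "NULL": out.append(f"{p.name}: phase 2 encryption cannot be NULL")
    if p.pfs_group not in (None, 14): out.append(f"{p.name}: PFS must be off or group 14")
    return out

def check_pair(a: Peer, b: Peer) -> List[str]:
    """Both-side checks: equal proposals (else NO_PROPOSAL_CHOSEN) and matching IKE IDs."""
    out = check_policy(a) + check_policy(b)
    for attr in ("psk", "ike_auth", "dh_group", "phase2_enc", "pfs_group"):
        if getattr(a, attr) != getattr(b, attr):
            out.append(f"{attr} differs: {getattr(a, attr)!r} vs {getattr(b, attr)!r}")
    for x, y in ((a, b), (b, a)):   # what y expects from x must equal what x sends
        if y.expected_id(x) != x.sent_id():
            out.append(f"{y.name} expects peer ID {y.expected_id(x)} but {x.name} sends {x.sent_id()}")
    return out

# Constructed example: MX behind NAT with a private WAN address, SonicWall on a public one.
MX = Peer("MX68W", "192.168.1.2", "203.0.113.10", "Example-PSK-1234567890", "SHA256", 14, "AES256", 14)
SONICWALL = Peer("SonicWall", "198.51.100.5", "198.51.100.5", "Example-PSK-1234567890", "SHA256", 14, "AES256", 14)
```

With the defaults the only finding is the identity mismatch; setting `local_id` on the MX to its public address, or `peer_id` on the SonicWall to the MX's private address, clears it.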
Hi Alex and Alemabrahao,
I am back with the same question.
So VPN for Meraki which had public IP configured on its WAN interface is working fine.
However another Meraki at different location which is behind NAT, I am required to configure VPN .
Is there a way of achieving this as I have no visibility of what sits ( router or firewall ) between Meraki and PE.
Thanks
Hi @fcbob,
It should work behind NAT. Try defining the remote ID on the Meraki side with the SonicWall IP:
https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Sonicwall_Site-to-Site_VPN_Setup
In this case, you have two options, depending on the nature of your setup:
Hi Both,
Thanks again for your quick support.
@alemabrahao, as per your comment, it seems I will have to add the peer IKE ID (private IP address of the Meraki) on the SonicWall,
and also the remote ID on the Meraki (public IP of the SonicWall).
@Alex, for point A: I believe I will have to add the peer IKE ID (private IP address of the Meraki);
for point B: can you please outline the steps for configuring the peering on Dashboard.
Sorry, this is my first time dealing with Meraki.
Thanks
So, as per this document, I have configured both sides:
https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Sonicwall_Site-to-Site_VPN_Setup
This is the config on the Meraki side:
Kindly let me know if I am missing any config anywhere?
Regards
Change the encryption to AES, and follow these recommendations:
Security & SD-WAN -> Configure: Site-to-site VPN -> Non Meraki VPN settings:
Made changes to the following:
Pre-shared key is greater than 14
Still no joy
As per Alex's comment:
Open a support case.
Make sure you are allowing all traffic from your SonicWall IP address in the upstream device that is NATing to your MX.
I had a tough time deploying a Meraki vMX in Azure, since Azure gives you a NATed public IP address. The biggest issue I had was that nowhere in the deployment documentation is it mentioned that you must allow all traffic from the IP address of any non-Meraki peer you want to establish a VPN connection to in the Azure Network Security Group assigned to your vMX.
Hi Alemabrahao,
Any idea how to open a support case with Meraki?
I have dealt with Cisco in the past raising TAC cases; however, I don't have a Cisco account with my current company to raise a TAC case with them directly.
Do I need to have an account, or can I raise one on behalf of the customer (again, the customer doesn't have a Cisco account)?
Regards,
Go to the Meraki dashboard, then go to Help and Cases.