You don't need to enable FIPS, but you have to configure the IPsec policies password greater than 14 characters, Authentication cannot be MD5, Diffie-Hellman Group must be 14, Phase 2 encryption cannot be NULL and PFS can be configured to be either off or 14.

Set the configuration as recommended on both sides and It will work as expected.

Use IKEv1 and configure it like this:

Configure the shared secret (password greater than 14 characters) with no special characters at the beginning or end.

The IKE Initiator: Remote Party timeout log shows several timeout messages and IKE negotiation aborted due to timeout after a short delay, indicates that there is a communication problem or the Initiator and Responder are unable to complete the Phase 1 negotiations.

If you receive an IKE Initiator: No response--remote party timeout error,Checking the logs on the Responder SonicWall will clearly display the exact problem, ensure that the Proposals are identical on both the VPN policies.

If no log messages are available for the Initiator VPN device, then follow these steps:

Ensure that the Enable VPN option is checked under Manage | VPN | Base Settings| VPN Global Settings and the appropriate VPN policy is enabled.
Network connectivity between units.

TIP: You may try to connect via GVC software if GroupVPN is configured on the SonicWall.
IPSec Gateway address in Initiator SA specifies WAN address of IKE Responder.
If you are using FQDN in the IPSec Gateway Name or Address field, ensure that FQDN resolves to WAN address of IKE Responder.
IKE access rules enabled.
No other firewalls in the path are blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.
Contact ISP to see if they're blocking IKE (UDP 500, 4500) or IPSec Protocol 50 and 51.
If using SonicOS Standard with Aggressive Mode VPN, make sure the remote end’s firewall name is specified on the host firewall’s VPN policy.
If the VPN Tunnel is being established with a 3rd Party VPN device, then make sure that NAT – T is disabled (in case there is no NAT device in front of the SonicWall) .
Check the Local and Peer IKE IDs in the VPN policy if you have setup the Site to Site VPN Policy between the SonicOS Enhanced and Standard firewall.
Click Advanced tab of the VPN Policy, set VPN to bind to Zone WAN.

You Meraki is under a NAT. 🤔

I don't know if the MX is behind another firewall, but if it is, you have to validate that ports 500 and 4500 are allowed.

Is the 10.10.196.0/24 network the local network at the site where Sonicwall is?

I don't think It's a Meraki issue, It's behind NAT. Is It possible to configure Public IP on Meraki?

Have you tried to perform a packet capture on Meraki WAN interface?

I tested It in my home (It's behind NAT too) and worked as expected.

Are o sure that you don't have firewall blocking ports 500 and 4500?

Can you send me a simple topology to try to understand?

A NO_PROPOSAL_CHOSEN message being received on your Sonicwall means the MX is rejecting the attempt in Phase 1.

You'll want to open a support case, as there's no more debugging that can be done using the logs on Dashboard unfortunately

Great news 😀.

Private IPs do work, you just need to specify an Identity on each side, depending on your deployment. The issue is that the SonicWall probably isn't configured expect the MX to send its private IP as its identity, or, if it's ignoring that for whatever reason, it's sending the public IP as the ID it's expecting us to use, which the MX is not expecting, and rejecting the connection.

If you had planned on deploying the MX with a static private IP, just set that as the Local ID in Dashboard, and that should make it work behind a NAT without issue I would expect (may need to make some additional changes to your SonicWall to accommodate this as well)

It's an optional setting.

The default behavior of the MX is to set remote_id to FQDN if it is not explicitly added in the dashboard "Non-Meraki VPN peers" settings. 

This is false - those IDs are set to whatever IP address the MX is assigned, and the public IP of the peer in question respectively.

I have never needed to set the Local ID to VPN work.

Here is my config:

 And as you can see It has been working well:

I'm not saying you need to set that. It is an optional value yes, but it does not default to an FQDN.

So is the documentation wrong? 😅

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peerin...

That documentation reflects new behavior on MX18 firmware if you want to resolve a peer via a DNS name - it will only default to that if you're putting a hostname in the remote IP field.

That would be the spot yes, and then make sure your remote peer is configured to use that same ID as well

Hi @fcbob,

It should have to work behind NAT. Try define the remote ID on Meraki side with the Sonicwall IP:

• The Remote ID of the remote peer. This is an optional configuration and can be configured to the remote peer’s UserFQDN (e.g. user@domain.com), FQDN (e.g. www.example.com) or IPv4 address as needed.
  • Which of these values you use is dependent upon your remote device. Please consult its documentation to learn what values it is capable of specifying as its remote ID, and how to configure them (e.g. crypto isakmp identity for ASA firewalls

https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Sonicwall_Site-to-Site_VPN_Setup

In this case, you have two options, depending on the nature of your setup:

1. Configure the non-Meraki device to expect the private IP address of your primary uplink on the MX as the presented ID
2. Configure the peering on Dashboard so that the LocalID of the MX is whatever public IP its traffic is getting NAT'd to

Change encryption for AES, and follow these recommendations:

• Security & SD-WAN -> Configure: Site-to-site VPN -> Non Meraki VPN settings:

   

   

  • Preshared secret must be greater than 14 characters 
  • Authentication cannot be MD5 
  • Diffie-Hellman Group must be 14 
  • Phase 2 encryption cannot be NULL 
  • PFS can be configured to be either off or 14 

Open a support case.

Make sure you are allowing all traffic from your sonicwall IP address in the upstream device that is NAting to your MX.

I had a though time deploying a Meraki vMX in Azure, since Azure gives you a NATed public IP address.  The biggest issue I had was that nowhere in the deployment documentation it's mentioned that you must allow all traffic from the IP address of any none Meraki peer you want to establish a VPN connection to in the Azure Network Security Group assigned to your vMX.

Go on Meraki dashboard, go to help and cases.