Meraki

Community

Non-Meraki VPN negotiation msg: FIPS mode disabled

MCMKA
New here
‎Oct 14 2022 2:39 AM
‎Oct 14 2022 2:39 AM

Non-Meraki VPN negotiation msg: FIPS mode disabled

Hello ,

 

I'm trying to  setup IPSec S2S VPN Tunnel to non-Meraki peer . The only thing which I found in Event Log is 

Non-Meraki VPN negotiationmsg: FIPS mode disabled

I tried to find solution but no success , could you advice me what I can do ?

Best regards,

Czarek

Labels:
0 Kudos
14 Replies 14
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 14 2022 4:00 AM
‎Oct 14 2022 4:00 AM

Confirm that all Phase 1, Phase 2 and PSK settings are the same on both sites.

Non-Meraki VPN peers

You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:

  • A name for the remote device or VPN tunnel.
  • What IKE version to use (IKEv1 or IKEv2)*
  • The public IP address of the remote device.
  • The Remote ID of the remote peer. This is an optional configuration and can be configured to the remote peer’s UserFQDN (e.g. user@domain.com), FQDN (e.g. www.example.com) or IPv4 address as needed.
    • Which of these values you use is dependent upon your remote device. Please consult its documentation to learn what values it is capable of specifying as its remote ID, and how to configure them (e.g. crypto isakmp identity for ASA firewalls
  • The subnets behind the third-party device that you wish to connect to over the VPN. 0.0.0.0/0 can also be specified to define a default route to this peer.

    • Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.

  • The IPsec policy to use.
  • The preshared secret key (PSK).
  • Availability settings to determine which appliances in your Dashboard Organization will connect to the peer.

*IKEv2 requires firmware version 15.12 or greater

When configuring NMVPN connections between 2 MXs in different organizations that are running MX15 code and above that are not using a UserFQDN and are NATed behind an upstream device, please ensure that the remote ID field of the NMVPN peer is filled out with the private IP address of the remote NATed MX.

Non-Meraki VPN Peering with FQDN

This feature enables the use of FQDN instead of an IP address while configuring a Non-Meraki VPN peer. Using IP addresses can be tedious because with a dynamic IP address, a customer has to manually modify the Non-Meraki VPN settings on the Site-to-Site VPN page when there is an IP address change. With FQDN configuration, the hostname of the remote peer would automatically get resolved each time a connection is initiated.

“FQDN” differs from “User FQDN”. The MX resolves the FQDN to an IP address of the remote peer, whereas, “User FQDN” is used in conjunction with the IP address of the remote peer. “FQDN” identifies the remote peer and is configured in the “Public IP/Hostname” field. “User FQDN” identifies the local peer and is configured in the “Local ID” field.

Supported Products:

  • MX running firmware 18.1 or higher

  • Requires IKEv2 

Configuration 

The FQDN of the Non-Meraki VPN peer can be configured in the Public IP/Hostname field when IKEv2 is the selected IKE version.


The default behavior of the MX is to set remote_id to FQDN if it is not explicitly added in the dashboard "Non-Meraki VPN peers" settings. Please note, the remote id on one peer needs to match the local id on the other peer for the tunnel to be established. 
 

If the configured FQDN fails to resolve, an event will be reported in Network-wide > Eventlog on Dashboard

NOTE For IKEv2

Meraki Appliances build IPsec tunnels by sending out a request with a single traffic selector that contains all of the expected local and remote subnets. Certain vendors may not support allowing more than one local and remote selector in a given IPsec tunnel (e.g. ASA 5500-X series firewalls running certain firmware releases); for such cases, please use IKEv1 instead. 

An MX-Z device will not try to form a VPN tunnel to a non-Meraki peer if it does not have any local networks advertised.

IPsec policies

There are three preset IPsec policies available.

  • Default: Uses the Meraki default IPsec settings for connection to a non-Meraki device
  • AWS: Uses default settings for connecting to an Amazon VPC
  • Azure: Uses default settings for connecting to a Microsoft Azure instance

If none of these presets are appropriate, the Custom option allows you to manually configure the IPsec policy parameters. These parameters are divided into Phase 1 and Phase 2.

Phase 1

  • Encryption: Select between AES-128, AES-192, AES-256, and 3DES encryption
  • Authentication: Select MD5, SHA1 or SHA256* authentication
  • Diffie-Hellman group: Select between Diffie-Hellman (DH) groups 1, 2, 5 or 14*
  • Lifetime (seconds): Enter the phase 1 lifetime in seconds

 * These settings require firmware version 15.12 or greater

Phase 2

  • Encryption: Select between AES-128, AES-192, AES-256, and 3DES encryption (multiple options can be selected)
  • Authentication: Select between MD5 and SHA1 authentication (both options can be selected)
  • PFS group: Select the Off option to disable Perfect Forward Secrecy (PFS). Select group 1, 2, or 5 to enable PFS using that Diffie Hellman group.
  • Lifetime (seconds): Enter the phase 2 lifetime in seconds

On May 8th 2018, changes were introduced to deprecate DES for encryption. Click here for more information. 

NOTE: Please ensure the phase 2 lifetimes are equal on both ends of the tunnel whenever possible. While MX's can sometimes honor a shorter phase 2 lifetime if they're acting in response to build a tunnel, they cannot while serving as the initiator of the tunnel. 

Peer availability

By default, a non-Meraki peer configuration applies to all MX-Z appliances in your Dashboard Organization. Since it is not always desirable for every appliance you control to form tunnels to a particular non-Meraki peer, the Availability column allows you to control which appliances within your Organization will connect to each peer. This control is based on network tags, which are labels you can apply to your Dashboard networks.

When "All networks" is selected for a peer, all MX-Z appliances in the organization will connect to that peer. When a specific network tag or set of tags is selected, only networks that have one or more of the specified tags will connect to that peer.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
MCMKA
New here
‎Oct 14 2022 11:41 AM
‎Oct 14 2022 11:41 AM

Thank you for quick response . I did that already but it looks that somehow it not send any "request" for connection .In logs there is no any other vpn related entries only this "msg: FIPS mode disabled" , no any Phase 1 and Phase 2.. Can 't see also any trials on remote peer.

0 Kudos
In response to MCMKA
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 14 2022 11:47 AM
‎Oct 14 2022 11:47 AM

Do you have access on remote peer? Try to generate some traffic (ICMP for exemple).

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 14 2022 11:51 AM
‎Oct 14 2022 11:51 AM

By the way, is your link dedicated? Is your ISP using CG-NAT?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
MCMKA
New here
‎Oct 14 2022 11:56 AM
‎Oct 14 2022 11:56 AM

Not sure. I haven't public ip address on Meraki but 192.168... something and for sure there is NAT on ISP router . I did another trial with Opnsense in same infrastructure and I was able to setup this tunnel

0 Kudos
In response to MCMKA
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 14 2022 12:05 PM
‎Oct 14 2022 12:05 PM

Well, I have never configure Non-Meraki VPN peers with MX behind a NAT, so I'm not sure if It will work.
Maybe you should have to open a case with Meraki.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 14 2022 12:14 PM
‎Oct 14 2022 12:14 PM

I will perform a Lab.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 14 2022 12:51 PM
‎Oct 14 2022 12:51 PM

I just test It, and I have some considerations:

In beginning I had same issue (My MX is behind a NAT too), so I did a search about FIPS and I found IT:

 

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_Device_to_Cloud_Connectivity_-_FIPS 

 

alemabrahao_0-1665776316064.png

 

Then I changed my IPsec policies configurations like this:

 

alemabrahao_1-1665776590252.png

 

And guess you ? It worked. I don't like to use 3DES and MD5, but .... OK 😐

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 14 2022 1:05 PM
‎Oct 14 2022 1:05 PM

Good news, I tested again changing my IPsec policies and my password  greater than 14 characters and worked

 

alemabrahao_0-1665777812468.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
‎Oct 18 2022 11:00 AM
‎Oct 18 2022 11:00 AM

Hi @MCMKA

 

Was this resolved?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Jokerrj
Just browsing
‎Dec 5 2022 1:10 PM
‎Dec 5 2022 1:10 PM

I would also like if this was resolved. I have an issue with similar symptoms 

0 Kudos
JohnDH
Comes here often
‎Jan 7 2023 7:33 AM
‎Jan 7 2023 7:33 AM

Hi,

I was struggling with the same.
My MX was connected to a LAN port sitting behind my ISP router.
My colleague shared a setting that resolved this issue for my setup.
On my home ISP router, i needed to configure port forwarding towards the internal IP that my MX was using.
500UDP and 4500UDP

 

 

And these were the IKEv2 settings on the portal

JohnDH_0-1673105547338.png

 

 

0 Kudos
LAC
Just browsing
‎Feb 28 2023 10:17 AM
‎Feb 28 2023 10:17 AM

I'm facing the same issues, and my MX is not behid a NAT/modem-route it get a public ip, the remote peer is a hostname (i've tested with other vendor and the tunnel goes up). I've also opened a ticket but no answer! 

0 Kudos
FabrizioF
Here to help
‎Jul 18 2023 5:47 AM
‎Jul 18 2023 5:47 AM

About the message "msg: FIPS mode disabled" I understand that to solve it you have to try all the possible configurations for Phase1 and Phase2

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.