Non Meraki VPN peer with AWS

BT1
Here to help

Hello, I created one non-Meraki VPN tunnel with AWS (ports 500 and 4500 allowed, both TCP and UDP).


I only get the messages below in the event log, but I don't get the phase 2 negotiation and IPsec SA established messages.

1> msg: initiate new phase 1 negotiation

2> msg: ISAKMP-SA established


However, I find the non-Meraki VPN peer tunnel up in VPN status, and I also see the routes for the private subnets (of the non-Meraki peer) listed in the route table.


At the client side the tunnel is down. Not sure what the issue is. Why is the IPsec SA not being established here?
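The symptom in this post (phase 1 completes, phase 2 never appears) is easy to miss when a log mixes several peers. The script below is an added example, not code from the thread or from Meraki: it reads event-log lines, ranks how far each peer's IKE exchange got, and lists peers stuck after ISAKMP-SA established. The two "msg:" strings quoted in the post are matched verbatim; the peer= field, the timestamps and the wording of the phase 2 messages in the constructed sample are assumptions for this example, not a documented MX log format.

```python
"""Flag IKE peers whose phase 1 completed but no IPsec (phase 2) SA followed.

Added example for the thread above; not Meraki code. Adjust LINE_RE to the
actual export format of your event log if the fields differ.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample log. The "initiate new phase 1 negotiation" and
# "ISAKMP-SA established" strings are the ones quoted in the post; the peer=
# field, timestamps and phase 2 wording are assumptions for this example.
SAMPLE_LOG = """\
2024-01-01 10:00:01 peer=203.0.113.10 msg: initiate new phase 1 negotiation
2024-01-01 10:00:02 peer=203.0.113.10 msg: ISAKMP-SA established
2024-01-01 10:00:03 peer=198.51.100.7 msg: initiate new phase 1 negotiation
2024-01-01 10:00:04 peer=198.51.100.7 msg: ISAKMP-SA established
2024-01-01 10:00:05 peer=198.51.100.7 msg: initiate new phase 2 negotiation
2024-01-01 10:00:06 peer=198.51.100.7 msg: IPsec-SA established: ESP/Tunnel
2024-01-01 10:00:07 peer=192.0.2.5 msg: initiate new phase 1 negotiation
"""

# Assumed line shape: "... peer=<ip> msg: <text>".
LINE_RE = re.compile(r"peer=(?P<peer>\S+)\s+msg:\s*(?P<msg>.+?)\s*$")

# Message prefixes ranked by how far the IKE exchange has progressed.
# Prefix matching tolerates suffixes such as ": ESP/Tunnel ..." on real lines.
PROGRESS: List[Tuple[str, int]] = [
    ("initiate new phase 1 negotiation", 1),
    ("ISAKMP-SA established", 2),          # phase 1 done (what the poster sees)
    ("initiate new phase 2 negotiation", 3),
    ("IPsec-SA established", 4),           # phase 2 done: traffic can flow
]

LABELS = {
    1: "phase 1 not completed",
    2: "phase 1 only, no phase 2 attempted",
    3: "phase 2 attempted but not established",
    4: "IPsec SA established",
}


def parse_events(lines: Iterable[str]) -> Iterator[Tuple[str, str]]:
    """Yield (peer, message) for every line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("peer"), m.group("msg")


def rank_message(msg: str) -> int:
    """Map a log message to a progress rank, 0 if it is not an IKE milestone."""
    for prefix, rank in PROGRESS:
        if msg.startswith(prefix):
            return rank
    return 0


def classify_peers(log_text: str) -> Dict[str, str]:
    """Return the furthest IKE stage reached by each peer in the log."""
    furthest: Dict[str, int] = defaultdict(int)
    for peer, msg in parse_events(log_text.splitlines()):
        rank = rank_message(msg)
        if rank:
            furthest[peer] = max(furthest[peer], rank)
    return {peer: LABELS[rank] for peer, rank in furthest.items()}


def stuck_after_phase1(log_text: str) -> List[str]:
    """Peers that established an ISAKMP SA but never started phase 2."""
    return sorted(p for p, s in classify_peers(log_text).items() if s == LABELS[2])


if __name__ == "__main__":
    for peer, state in classify_peers(SAMPLE_LOG).items():
        print(f"{peer:16} {state}")
    print("stuck after phase 1:", stuck_after_phase1(SAMPLE_LOG))
```

Peers reported as stuck after phase 1 have agreed on IKE parameters and the PSK (otherwise the ISAKMP SA would not exist), so the next thing to compare on both ends is the phase 2 configuration rather than phase 1 or the key.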

4 REPLIES
PhilipDAth
Kind of a big deal

AWS should show one tunnel up and one down (Meraki can use only one at a time). If neither is showing up, then make sure you have put in the correct PSK.


Typically, we don't use the Amazon VPN service. We use strongSwan on an Ubuntu box instead. It's cheaper, has more diagnostics and is more configurable.

https://www.ifm.net.nz/cookbooks/meraki-vpn-to-amazon-aws.html

No, both tunnels are down. Phase 1, phase 2 and the PSK all match.

The MX even negotiates phase 1 fine, but after that nothing is initiated for phase 2.

PhilipDAth
Kind of a big deal

Does the MX have a public IP address on its WAN interface?

Yes, WAN 1 is the internet link and WAN 2 is MPLS.
