Firstly, I am a real newbie, and got assigned to swap our router from Yamaha RTX to Meraki MX68 and then connect the Meraki to another Yamaha RTX router in our separate office.
So please bear with me if the question is actually easy and sounds ridiculous.
I have referred to the Meraki documentation and set the Non-Meraki peer as below.
Current IPsec setup in our Yamaha RTX:
-----
tunnel select 1
ipsec tunnel 101
ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike hash 1 sha
ipsec ike keepalive use 1 on
ipsec ike local address 1 172.31.8.254
ipsec ike local name 1 SB*
ipsec ike pre-shared-key 1 text [A-removed]
ipsec ike remote address 1 [B-removed]
ip tunnel tcp mss limit auto
tunnel enable 1
-----
So, referring to the above details from the current Yamaha router, I input the following in the Non-Meraki VPN part:
Public IP - [B-removed]
Remote ID - [B-Removed]
Private subnet - 172.31.2.0/24 (the other end private subnet)
IPSec-Policies - Default
Preshared secret - [A-removed]
Local network subnet is set to 172.31.8.0/24 with VPN participation ON.
But I keep getting the error below repeatedly, no matter what I change the IPsec policies to.
msg: initiate new phase 1 negotiation: A.B.C.D[500]<=>A.B.C.D[500]
msg: phase1 negotiation failed due to time up.
I have checked and confirmed that the other end router's pre-shared key matches my input, and the remote address was set to any, which to my understanding means any public IP with the correct shared key and IPsec policies should be able to establish a VPN tunnel.
Is my understanding correct?
Is there something I'm missing here or did not understand?
Disclaimer: I have no experience with the Yamaha devices, so all of the below may not work at all.
I think however that you'll have most luck if you explicitly configure the hashing, encryption and lifetime values of both phases in the Yamaha router.
Something like this:
tunnel select 1
description tunnel MERAKI-TUNNEL
ipsec tunnel 101
ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 1 28800
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike keepalive log 1 off
ipsec ike keepalive use 1 on dpd 5 4
ipsec ike local address 1 172.31.8.254
ipsec ike local id 1 172.31.8.0/24
ipsec ike nat-traversal 1 on
ipsec ike pfs 1 on
ipsec ike pre-shared-key 1 text [A-removed]
ipsec ike remote address 1 [B-removed]
ipsec ike remote id 1 172.31.2.0/24
ip tunnel tcp mss limit auto
tunnel enable 1
With this on the Meraki end:
I hope this will work.
Thank you @BrechtSchamp
Will definitely give it a try. Just moved to Japan recently, and the company uses Yamaha RTX pretty much in all their offices. And now they want to move to Meraki and Cisco gradually.
I will update on the outcome once tried (though it might take a while).
I have tried with the config below but still get the time-up error.
> phase1 negotiation failed due to time up.
I have added the config below on the Yamaha router in the other office that my Meraki wants to connect to.
ip route 172.31.23.0/24 gateway tunnel 23
tunnel select 23
description tunnel MERAKI-TUNNEL
ipsec tunnel 123
ipsec sa policy 123 23 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 23 28800
ipsec ike duration isakmp-sa 23 28800
ipsec ike encryption 23 aes-cbc
ipsec ike group 23 modp1024
ipsec ike hash 23 sha
ipsec ike keepalive log 23 off
ipsec ike keepalive use 23 on dpd 5 4
ipsec ike local address 23 172.31.2.254
ipsec ike local id 23 172.31.2.0/24
ipsec ike nat-traversal 23 on
ipsec ike pfs 23 on
ipsec ike pre-shared-key 23 text [A-Removed]
ipsec ike remote address 23 any
ipsec ike remote id 23 172.31.23.0/24
ip tunnel tcp mss limit auto
tunnel enable 23
My Meraki is as below.
VLAN 10
172.31.23.0/24 (172.31.23.254)
Am I doing something wrong here? Anything I need to add?
Hmm, I think we should go back a step.
That time-up error: is that in the RTX logs or the MX logs?
Thank you BrechtSchamp
It is on Meraki event log.
I haven't checked (or don't know how to check) on the Yamaha end.
To troubleshoot VPN you always need to check both ends. Because the way it is now, the MX is trying to establish a VPN connection to the Yamaha and it receives no response. The next step is to look in the Yamaha logs to see if that attempt is indeed coming in and what it's doing in response.
Ok will check on Yamaha end and update.
Thanks a lot.
Finally!! My Non-Meraki VPN to Yamaha status changed green!!
Tested ping to the server on Yamaha end, and it was successful.
I re-read the non-Meraki VPN setup documentation and realized there's a mention that Meraki only works in main mode, not aggressive mode, so I went back to the Yamaha, went through its reference file and changed a bit of the Yamaha's configuration.
And it seems to be working fine now.
But occasionally I can see it shows "phase1 negotiation failed due to time up."
But a ping test from the Meraki to the Yamaha gateway and the server behind it seems to go through just fine. Is this normal?
Good to hear! What changes did you have to make to the config (in case anyone else comes around with the same issue).
Regarding the error that still pops up. I'm not sure. I think it may be caused by both ends trying to initiate the tunnel and only one succeeding. You'll have to evaluate the stability of the tunnel.
I guess, since Meraki only works in main mode, I need to set the Yamaha to main mode as well. For that I need to explicitly state the Meraki public IP in the Yamaha router config:
ipsec ike remote address gateway_id Meraki_public_IP
Initially I input any as the Meraki_public_IP on the Yamaha, which put the Yamaha in aggressive mode, and I am guessing that because of that they couldn't establish any connection, hence failing at phase 1 due to time up.
I am not sure if the above explanation is correct or not, but once I changed that, it seems to work fine and my tunnel has been up until now.
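A small pre-deployment lint for the phase 1 pitfalls this thread ends on, added here as an example and not code from the thread, Yamaha or Meraki: it parses the `ipsec ike` lines for one Yamaha RTX gateway number, flags a wildcard `remote address any` (which the last post identifies as putting the Yamaha in aggressive mode while the MX negotiates main mode only), and reports phase 1 values that are missing or differ from the peer's expected proposal. The expected values are taken from the suggested config earlier in the thread and the sample config is constructed; neither is a published MX default.

```python
"""Lint one Yamaha RTX IPsec gateway for the phase 1 issues discussed above."""
import re

# Phase 1 values the earlier reply suggests setting explicitly (assumption:
# this is what the peer proposes; adjust to the MX's actual IPsec policy).
EXPECTED_PHASE1 = {
    "encryption": "aes-cbc",
    "hash": "sha",
    "group": "modp1024",
    "duration isakmp-sa": "28800",
}

# Constructed sample: the "other office" config with the wildcard peer address.
SAMPLE_CONFIG = """\
tunnel select 23
 ipsec tunnel 123
  ipsec sa policy 123 23 esp aes-cbc sha-hmac
  ipsec ike duration isakmp-sa 23 28800
  ipsec ike encryption 23 aes-cbc
  ipsec ike group 23 modp1024
  ipsec ike hash 23 sha
  ipsec ike local address 23 172.31.2.254
  ipsec ike pre-shared-key 23 text EXAMPLE-PSK-PLACEHOLDER
  ipsec ike remote address 23 any
 tunnel enable 23
"""


def parse_ike(config, gw):
    """Map 'ipsec ike <setting> <gw> <value...>' lines to {setting: value}."""
    pat = re.compile(rf"^\s*ipsec ike (.+?) {gw} (.+?)\s*$", re.M)
    return {m.group(1): m.group(2) for m in pat.finditer(config)}


def lint_phase1(config, gw, expected=EXPECTED_PHASE1):
    """Return a list of findings; an empty list means phase 1 looks consistent."""
    ike = parse_ike(config, gw)
    findings = []
    remote = ike.get("remote address")
    if remote is None:
        findings.append("no remote address configured for this gateway")
    elif remote == "any":
        findings.append("remote address 'any' selects aggressive mode; the MX "
                        "negotiates main mode only, so set the MX public IP")
    for key, want in expected.items():
        got = ike.get(key)
        if got is None:
            findings.append(f"{key} not set explicitly; device default applies")
        elif got != want:
            findings.append(f"{key} is {got} but peer proposes {want}")
    if "pre-shared-key" not in ike:
        findings.append("no pre-shared key configured for this gateway")
    return findings
```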