Meraki

JanS · ‎Dec 3 2019

Firstly, I am a real newbie, and got assigned to swap our router from Yamaha RTX to Meraki MX68 and then connect the Meraki to another Yamaha RTX router in our separate office.

So please bear with me if the question is actually easy and sound ridiculous.

I have referred to Meraki document and set the Non Meraki peers as below.

Current ipsec setup in our Yamaha RTX

-----

tunnel select 1
ipsec tunnel 101
ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike hash 1 sha
ipsec ike keepalive use 1 on
ipsec ike local address 1 172.31.8.254
ipsec ike local name 1 SB*
ipsec ike pre-shared-key 1 text [A-removed]
ipsec ike remote address 1 [B-removed]
ip tunnel tcp mss limit auto
tunnel enable 1

-----

so referring above details from current Yamaha router, I input in the Non-Meraki VPN part as below

Public IP - [B-removed]

Remove ID - [B-Removed]

Private subnet - 172.31.2.0/24 (the other end private subnet)

IPSec-Policies - Default

Preshared secret - [A-removed]

Local network subnet is set to 172.31.8.0/24 VPN participation ON.

But I keep getting below error repetitively, no matter what IPsec Policies change to.

msg: initiate new phase 1 negotiation: A.B.C.D[500]<=>A.B.C.D[500]
msg: phase1 negotiation failed due to time up.

I have checked and confirmed the other end Router pre-shared key is correct with my input, and the remote address was set to any, which to my understanding any public IP with correct shared key and IPSec policies should be able to establish VPN tunnel.

Is my understanding correct?

Is there something I'm missing here or did not understand something.

BrechtSchamp · ‎Dec 4 2019

Disclaimer, I have no experience with the Yamaha devices so all of the below may not work at all.

I think however that you'll have most luck if you explicitly configure the hashing, encryption and lifetime values of both phases in the Yamaha router.

Something like this:

tunnel select 1
description tunnel MERAKI-TUNNEL 
ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike duration ipsec-sa 1 28800
  ipsec ike duration isakmp-sa 1 28800
  ipsec ike encryption 1 aes-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
  ipsec ike keepalive log 1 off
  ipsec ike keepalive use 1 on dpd 5 4
  ipsec ike local address 1 172.31.8.254
  ipsec ike local id 1 172.31.8.0/24
  ipsec ike nat-traversal 1 on
  ipsec ike pfs 1 on
  ipsec ike pre-shared-key 1 text [A-removed]
  ipsec ike remote address 1 [B-removed]
  ipsec ike remote id 1 172.31.2.0/24
ip tunnel tcp mss limit auto
tunnel enable 1

With on the Meraki end this:

I hope this will work.

View solution in original post

BrechtSchamp · ‎Dec 4 2019

Disclaimer, I have no experience with the Yamaha devices so all of the below may not work at all.

I think however that you'll have most luck if you explicitly configure the hashing, encryption and lifetime values of both phases in the Yamaha router.

Something like this:

tunnel select 1
description tunnel MERAKI-TUNNEL 
ipsec tunnel 101
  ipsec sa policy 101 1 esp aes-cbc sha-hmac
  ipsec ike duration ipsec-sa 1 28800
  ipsec ike duration isakmp-sa 1 28800
  ipsec ike encryption 1 aes-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
  ipsec ike keepalive log 1 off
  ipsec ike keepalive use 1 on dpd 5 4
  ipsec ike local address 1 172.31.8.254
  ipsec ike local id 1 172.31.8.0/24
  ipsec ike nat-traversal 1 on
  ipsec ike pfs 1 on
  ipsec ike pre-shared-key 1 text [A-removed]
  ipsec ike remote address 1 [B-removed]
  ipsec ike remote id 1 172.31.2.0/24
ip tunnel tcp mss limit auto
tunnel enable 1

With on the Meraki end this:

I hope this will work.

NolanHerring · ‎Dec 4 2019

I won't like, I legit had no clue Yamaha makes networking gear lol

https://www.yamaha.com/products/en/network/

Nolan Herring | nolanwifi.com

SoCalRacer · ‎Dec 4 2019

And motorcycles, lol

JanS · ‎Dec 5 2019

Thank you @BrechtSchamp

Will definitely give it a try. Just moved to Japan recently, and the company use Yamaha RTX pretty much in all their offices. And now they want to move to Meraki and Cisco gradually.

I will update on the outcome once tried (tho might to take a while).

JanS · ‎Dec 9 2019

Hi @BrechtSchamp

I have tried with below config but still with timed up error.

> phase1 negotiation failed due to time up.

I have added below config on the Yamaha router on the other office that my Meraki want to connect to.

ip route 172.31.23.0/24 gateway tunnel 23
tunnel select 23
description tunnel MERAKI-TUNNEL
ipsec tunnel 123
ipsec sa policy 123 23 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 23 28800
ipsec ike duration isakmp-sa 23 28800
ipsec ike encryption 23 aes-cbc
ipsec ike group 23 modp1024
ipsec ike hash 23 sha
ipsec ike keepalive log 23 off
ipsec ike keepalive use 23 on dpd 5 4
ipsec ike local address 23 172.31.2.254
ipsec ike local id 23 172.31.2.0/24
ipsec ike nat-traversal 23 on
ipsec ike pfs 23 on
ipsec ike pre-shared-key 23 text [A-Removed]
ipsec ike remote address 23 any
ipsec ike remote id 23 172.31.23.0/24
ip tunnel tcp mss limit auto
tunnel enable 23

My Meraki is as below.

VLAN 10

172.31.23.0/24 (172.31.23.254)

Public IP : [B-Removed]

Remote ID : [B-Removed]

Private subnets : 172.31.2.0/24

PSK : [A-Removed]

Phase 1

AES128

SHA1

2

28800

Phase2

AES128

SHA1

PFS group 1

28800

Am I doing something wrong here? Anything need to add?

BrechtSchamp · ‎Dec 9 2019

Hmm I think we should go back a step.

That time up error. Is that in the RTX logs or the MX logs?

JanS · ‎Dec 9 2019

Thank you BrechtSchamp

It is on Meraki event log.

I haven't check (or know how to check) on Yamaha end.

BrechtSchamp · ‎Dec 9 2019

To troubleshoot VPN you always need to check both ends. Because the way it is now, the MX is trying to establish a VPN connection to the Yamaha and it receives no response. The next step is to look in the Yamaha logs to see if that attempt is indeed coming in and what it's doing in response.

JanS · ‎Dec 9 2019

Ok will check on Yamaha end and update.

Thanks a lot.

JanS · ‎Dec 9 2019

@BrechtSchamp

Finally!! My Non-Meraki VPN to Yamaha status changed green!!

Tested ping to the server on Yamaha end, and it was successful.

I re-read again about non-Meraki VPN setup and realize, there's mention that Meraki only work in main mode, not aggressive mode, so I go back to Yamaha, go through it reference file and change a bit on Yamaha's configuration.

And seems to be working fine now.

But occasionally I can see it shows " phase1 negotiation failed due to time up."

But ping test on Meraki to Yamaha gateway and server behind it seems to go through just fine. Is this normal?

BrechtSchamp · ‎Dec 9 2019

Good to hear! What changes did you have to make to the config (in case anyone else comes around with the same issue).

Regarding the error that still pops up. I'm not sure. I think it may be caused by both ends trying to initiate the tunnel and only one succeeding. You'll have to evaluate the stability of the tunnel.

JanS · ‎Dec 10 2019

I guess, since Meraki only work in Main Mode, I need to set the Yamaha in Main Mode as well. For that I will need to explicitly stated Meraki public IP in Yamaha router config ;

ipsec ike remote address gateway_id Meraki_public_IP

Initially I input Any at the Meraki_public_IP on Yamaha, which put Yamaha on aggressive mode and I am guessing because of that they can't establish any connection hence failing at phase 1 due to time up.

I am not sure if above explanation correct or not, but once change that, it seems to make it work fine and my tunnel has been up until now.

Meraki

Community

Non-Meraki VPN with Yamaha RTX router

Non-Meraki VPN with Yamaha RTX router