Meraki

Community

Organization to Organization VPN

MattSc
Conversationalist
‎Aug 31 2020 4:15 AM
‎Aug 31 2020 4:15 AM

Organization to Organization VPN

I'm at a complete loss as to what would cause this issue i'm experiencing (i'll try explain this as best I can as its hard to explain)..

I have two Organizations

Organization 1 has Network 1
 
Organization 2 has Networks 1, 2, and 3



I can establish a VPN Tunnel from Organization 1 Network 1 to Organization 2 Network 1 and 2

network 1 2.PNG

I can establish a VPN Tunnel from Organization 1 Network 1 to Organization 2 Network 3

network 3.PNG

I cannot establish a VPN Tunnel from Organization 1 Network 1 to Organization 2 Network 1, 2 and 3


Working from Organization 1

If I have a working tunnel with to Organization 2 Network 1 and 2 then try to add Organization 2 Network 3, the logs for show

msg: phase2 negotiation failed due to time up waiting for phase1. ESP 144.130.xxx.xxx[0]->10.1.1.2[0]
msg: phase1 negotiation failed due to time up. 8d8627ebd6d071a1:e3cc535a1caf1006
msg: request for establishing IPsec-SA was queued due to no phase1 found.
msg: initiate new phase 1 negotiation: 10.1.1.2[500]<=>144.130.xxx.xxx[500]

If I have a working tunnel with to Organization 2 Network 3 then try to add Organization 2 Network 1 and / or 2 the logs show 

msg: phase1 negotiation failed due to time up. c4437031800f8ab7:0000000000000000
msg: phase1 negotiation failed due to time up. b679565d253b7ff5:0000000000000000
msg: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
msg: request for establishing IPsec-SA was queued due to no phase1 found.
msg: request for establishing IPsec-SA was queued due to no phase1 found.
msg: IPsec-SA expired: ESP/Tunnel 144.130.xxx.xxx[500]->58.171.xxx.xxx[500]
msg: phase2 negotiation failed due to time up waiting for phase1. ESP 149.135.xx.xxx[0]->144.130.xxx.xxx[0]
msg: IPsec-SA expired: ESP/Tunnel 144.130.xxx.xxx[500]->149.135.xx.xxx[500]
msg: initiate new phase 1 negotiation: 144.130.xxx.xxx[500]<=>58.171.xxx.xxx[500]
msg: IPsec-SA request for 58.171.xxx.xxx queued due to no phase1 found.
msg: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange.
msg: initiate new phase 1 negotiation: 144.130.xxx.xxx[500]<=>149.135.xx.xxx[500]
msg: IPsec-SA request for 149.135.xx.xxx queued due to no phase1 found.
msg: IPsec-SA expired: ESP/Tunnel 144.130.xxx.xxx[500]->58.171.xxx.xxx[500]
msg: phase2 negotiation failed due to time up waiting for phase1. ESP 149.135.xx.xxx[0]->144.130.xxx.xxx[0]
msg: IPsec-SA expired: ESP/Tunnel 144.130.xxx.xxx[500]->149.135.xx.xxx[500]

To the best of my knowledge the error logs suggest that either there is a mismatch with the IPSec Policies or that the sites flat out can't talk to each other, if either of those where the case I should not be able to establish a connection at all. Does anyone have any thoughts on what could cause this, i'm completely out of ideas at this point and have been battling with this for the last two days now.

0 Kudos
1 Reply 1
MattSc
Conversationalist
‎Aug 31 2020 5:41 AM
‎Aug 31 2020 5:41 AM

So after writing all that out and actually reading it out I realized the only difference between the three networks was that one network was set to "NAT Traversal - Manual: Port Forward" and the other two were "NAT Traversal - Automatic"

I had to use "NAT Traversal - Manual: Port Forward" on one of the sites (no choice) but as soon as I set all three networks to the same even though it has never been needed on the other two networks, all three networks came up together.


My question now... is there some sort of organizational setting on the NAT Traversal that requires ALL networks within an organization to be one or the other to work correctly with Non-Meraki VPN Peers?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.