Meraki

Community

Site to Site VPN from Meraki that replaced ASA

DBlum
Getting noticed
‎Jun 9 2020 8:04 AM
‎Jun 9 2020 8:04 AM

Site to Site VPN from Meraki that replaced ASA

We are having an issue where we had to replace an ASA5505 and before there was a site to site vpn and now with the current MX64 the connection is not working.  Here was the config from the ASA for the VPN:

 

name 1.2.3.4 Diag description Diag VPN

 

access-list outside_1_cryptomap extended permit ip host 10.0.20.45 Diag 255.255.255.248
access-list inside_nat_static extended permit ip host LocalServer Diag 255.255.255.248

static (inside,outside) 10.0.20.45 access-list inside_nat_static

 

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 4.5.6.7
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 1 set security-association lifetime seconds 14400
crypto map outside_map 1 set security-association lifetime kilobytes 10000
crypto map outside_map interface outside
crypto isakmp enable inside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

 

tunnel-group 4.5.6.7 type ipsec-l2l
tunnel-group 4.5.6.7 ipsec-attributes
pre-shared-key xxxxx
peer-id-validate nocheck
isakmp keepalive disable

 

 

Current Meraki Connection is set to

Public IP 4.5.6.7

Private Subnet 10.0.20.45/29

IP SEC Policy

PH1 - 3DES / SHA1 / DH2  / Timeout 14400

PH2 - 3DES / SHA1 / PFS off / Timeout 14400

 

Event log shows

 

Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1).
Non-Meraki / Client VPN negotiation msg: failed to get sainfo.
Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: Local_PublicIP[500]<=>4.5.6.7[500]
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 4.5.6.7[500]->Local_PublicIP[500] spi=178891342(0xaa9acb0)
Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1).
Non-Meraki / Client VPN negotiation msg: failed to get sainfo.
Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established Local_PublicIP[500]-4.5.6.7[500] spi:5407379688442cfd:315d9f4a0c478522
Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: Local_PublicIP[500]<=>4.5.6.7[500]
VPN registry connectivity change vpn_type: site-to-site, connectivity: true
Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1).
Non-Meraki / Client VPN negotiation msg: failed to get sainfo.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 4.5.6.7[500]->Local_PublicIP[500] spi=108337968(0x6751b30)
Non-Meraki / Client VPN negotiation msg: pfkey DELETE failed: No such process
Non-Meraki / Client VPN negotiation msg: ISAKMP-SA deleted Local_PublicIP[500]-4.5.6.7[500] spi:74f722074d7dc223:2e10212799bd830f
Non-Meraki / Client VPN negotiation msg: purged ISAKMP-SA spi=74f722074d7dc223:2e10212799bd830f.
Non-Meraki / Client VPN negotiation msg: purged IPsec-SA spi=0.
Non-Meraki / Client VPN negotiation msg: Unknown IPsec-SA spi=0, hmmmm?
Non-Meraki / Client VPN negotiation msg: purging ISAKMP-SA spi=74f722074d7dc223:2e10212799bd830f.

 

 

Any thoughts?  Thank you

0 Kudos
5 Replies 5
jdsilva
Kind of a big deal
‎Jun 9 2020 10:20 AM
‎Jun 9 2020 10:20 AM

Hey @DBlum 

 

I'd start with this KB entry:

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...

 

That seems to match your error messages. 

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 9 2020 12:25 PM
‎Jun 9 2020 12:25 PM

>access-list outside_1_cryptomap extended permit ip host 10.0.20.45 Diag 255.255.255.248

 

You can't but a VPN for a specific host address on an MX.  You have to build it for the whole subnet.

 

You'll need to get the VPN rebuilt.  While you are doing that change from 3DES to AES.  DES is already phased out, 3DES will be next.

0 Kudos
In response to PhilipDAth
DBlum
Getting noticed
‎Jun 9 2020 1:05 PM
‎Jun 9 2020 1:05 PM

Would you recommend just taking the NAT out of the equation (ie the provider said we can change the internal server ip to address on current subnet) to allow connectivity? Thank you

0 Kudos
In response to DBlum
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jun 9 2020 4:15 PM
‎Jun 9 2020 4:15 PM

It doesn't matter what they change the IP address to, you can't have a single host in the local encryption domain on an MX.  You'll need to expand it to be the whole subnet.

0 Kudos
In response to PhilipDAth
DBlum
Getting noticed
‎Jun 9 2020 4:36 PM
‎Jun 9 2020 4:36 PM

We have the whole subnet as part of the VPN...the other side ended up opening up their policy (juniper we found out) and it is communicating now.  Thank you again for your help

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.