Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Site to Site with Cisco 2911 phase 2 failing

RyanMesser
Here to help
‎Apr 27 2019 1:26 AM
‎Apr 27 2019 1:26 AM

Site to Site with Cisco 2911 phase 2 failing

Hi,


Having difficulty in trying to get Meraki to complete phase 2 with a Cisco 2911 router, below is the message i get on the router as soon as I try and ping anything on the other side 

Apr 26 09:59:09.423: IPSEC(ipsec_process_proposal): peer address XXXX not found
Apr 26 09:59:09.423: ISAKMP:(7813): IPSec policy invalidated proposal with error 64
Apr 26 09:59:09.423: ISAKMP:(7813): phase 2 SA policy not acceptable! (local XXXX remote XXXXXX)
Apr 26 09:59:09.423: ISAKMP: set new node -10487433 to QM_IDLE
Router#
Apr 26 09:59:09.423: ISAKMP:(7813):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
        spi 822512632, message ID = 4284479863
Apr 26 09:59:09.423: ISAKMP:(7813): sending packet to XXXX my_port 4500 peer_port 4500 (R) QM_IDLE
Apr 26 09:59:09.423: ISAKMP:(7813):Sending an IKE IPv4 Packet.
Apr 26 09:59:09.423: ISAKMP:(7813):purging node -10487433
Apr 26 09:59:09.423: ISAKMP:(7813):deleting node -1212514309 error TRUE reason "QM rejected"
Apr 26 09:59:09.423: ISAKMP:(7813):Node 3082452987, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Apr 26 09:59:09.423: ISAKMP:(7813):Old State = IKE_QM_READY  New State = IKE_QM_READY


As far as I can see on both Meraki and the router phase 1 and phase 2 are identical and the ACL on the router matches the route I have on Meraki. 

 

What is strange is we have another Meraki instance (i don't have access too) that connects to the same router with the same configuration I'm told. Phase 1 has completed so it appears the two are connected but I'm unable to send traffic down the tunnel. 

 

I have raised a case but thought I'd post on here and see if anyone else had same issues or can point maybe what I'm doing wrong/what i need to check etc..



0 Kudos
Subscribe
9 Replies 9
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 27 2019 2:10 PM
‎Apr 27 2019 2:10 PM

The proposals are not the same because you are getting "PROPOSAL_NOT_CHOSEN".  Can you post the config for your 2911?  Just make sure you remove any keys and passwords first.

Subscribe
In response to PhilipDAth
RyanMesser
Here to help
‎Apr 27 2019 3:30 PM
‎Apr 27 2019 3:30 PM

Not sure how they aren't but lets see... 

 

Crypto map

Crypto Map IPv4 "S2SVPN" 4 ipsec-isakmp
Peer = XXXXXXX
Extended IP access list Meraki
access-list Meraki permit ip 172.21.0.0 0.0.255.255 192.168.128.0 0.0.0.255
Current peer: XXXXXXXX
Kilobyte Volume Rekey has been disabled.
Security association lifetime:28800 seconds
Responder-Only (Y/N): N
PFS (Y/N): Y
DH group: group2
Transform sets={
ESP-3DES-SHA: { esp-3des esp-sha-hmac } ,
}
Interfaces using crypto map S2SVPN:
GigabitEthernet0/0

 

#show crypto isakmp policy

 

Protection suite of priority 10
encryption algorithm: Three key triple DES
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 28800 seconds, no volume limit

 

Then on Meraki 

Capture.PNG

Let me know if any more info needed in order to troubleshoot, i have the public address in the router with a preshared key that i have entered on Meraki and that matches.

 

Thanks

0 Kudos
Subscribe
In response to RyanMesser
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 27 2019 4:53 PM
‎Apr 27 2019 4:53 PM

First thing, on an unrelated matter, Meraki MX's have terrible 3DES throughput.  Additionally this is an old algorithym no one should be using any more.  Change to using AES.

 

That config looks correct - so that tells me there is some other config that is not correct.  Do all your MX's have a VPN to this 2911?  If not, are you using a tag so that only specific ones are building the connection?

 

Has your 2911 got any other VPN config on it, such as IPSec client VPN, or any keys configured with a wildcard address?

 

This VPN is for 172.21.0.0/16 on the 2911 side to 192.168.128.0/24 on the Meraki side.  Are you sure that only 192.168.128.0/24 is marked to be included in the VPN?

Subscribe
In response to PhilipDAth
RyanMesser
Here to help
‎Apr 27 2019 5:06 PM
‎Apr 27 2019 5:06 PM

Thanks will do, i was going off of one of the Meraki config guides but appreciate AES is better. 

 

Unfortunately there is a bit of a mixture.. I didn't configure them I'm just trying to add another VPN. There are 4 in total including this MX. 

 

S2SVPN 1 - 2911 router to this 2911 router (this is actually being replaced eventually by the S2SVPN 4)

S2SVPN 2 - I believe is an ASA to this 2911 router

S2SVPN 3 - MX Appliance to this 2911 router (working but can't see config just yet)

S2SVPN 4 - MX Appliance i'm currently setting up to this 2911 router

 

Each has a pre-shared key matching to the public IP, so crypto isakmp key <key> address <public address>. Each also has their own ACL.

 

Yes only 192.168.128.0/24 is only set to go over to this VPN. 

0 Kudos
Subscribe
In response to RyanMesser
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 27 2019 5:11 PM
‎Apr 27 2019 5:11 PM

Does the 2911 and the MX both have a public static IP directly on their interfaces,  of its one of them behind a NATing device? 

0 Kudos
Subscribe
In response to PhilipDAth
RyanMesser
Here to help
‎Apr 27 2019 5:14 PM
‎Apr 27 2019 5:14 PM

Yes I think the 2911 has a static ip directly on the interface as you can see thats gi 0/0. 

 

In terms of the MX its behind a BT router in bridge mode, I think its WAN interface currently is DHCP should this be static?


0 Kudos
Subscribe
In response to RyanMesser
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 27 2019 5:21 PM
‎Apr 27 2019 5:21 PM

DHCP is fine as long as it is a public IP and stays the same. 

0 Kudos
Subscribe
In response to PhilipDAth
RyanMesser
Here to help
‎Apr 27 2019 6:00 PM
‎Apr 27 2019 6:00 PM

It will be going static but yes its been the same. 

 

Is there anything else i can check? I'm not sure why but it doesn't really seem to matter what changes i make i get the same message when i try and ping from meraki across to the remote side. 

 

I've also noticed when I ping from the Meraki side i get this in the Meraki logs?

Apr 28 00:51:42 Non-Meraki / Client VPN negotiationmsg: IPsec-SA expired: ESP/Tunnel XXXXXXX[500]->XXXXXXX[500] spi=21810707(0x14cce13)
Apr 28 00:51:42 Non-Meraki / Client VPN negotiationmsg:XXXXXX give up to get IPsec-SA due to time up to wait.
Apr 28 00:51:42 Non-Meraki / Client VPN negotiationmsg: IPsec-SA expired: ESP/Tunnel XXXXXXXX[500]->XXXXXXX[500]
Apr 28 00:51:42 Non-Meraki / Client VPN negotiationmsg: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Apr 28 00:51:42 Non-Meraki / Client VPN negotiationmsg: initiate new phase 2 negotiation: XXXXXXXX[4500]<=>XXXXXXXXXX[4500]
0 Kudos
Subscribe
In response to RyanMesser
RyanMesser
Here to help
‎Apr 28 2019 2:17 AM
‎Apr 28 2019 2:17 AM

Think i've cracked it 🙂 the only thing i kept thinking could be wrong was the ACL's somewhere..

After a very long look through the ACL list on the 2911 router i noticed the top ACL which maps to another crypto map there was this 

permit ip 172.21.0.0 0.0.0.255 192.168.0.0 0.255.255.255 

 

And on my new ACL for my new crypto map i had 192.168.128.0/24, therefore there was an overlap. 

 

Which evidently meant that the packet was coming in hitting the wrong ACL and therefore hitting the wrong crypto map. Which would explain why I was getting peer address not found. 

 

I've done a ping across the tunnel from Meraki now and can see traffic both ways now.

 

Thanks for your help

Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.