Site to site tunnel between ISR4000 and vMX

Solved
Tarmahmood1
Getting noticed

Hello,

We are trying to set up the tunnel between the ISR and vMX, but it is not even passing phase 1. Is there anyone here who has done it?

Here is our config on the ISR side:


crypto isakmp policy 10
encr aes256
hash sha256
authentication pre-share
group 14


**************************
Preshared key

crypto isakmp key secret_key address vMX_public IP

***********************

Apply crypto map to the public interface

//////////////////////////////////////////////////////

ip access-list extended Azure-meraki-tarffic
permit ip 172.17.76.0 0.0.0.255 10.249.1.0 0.0.0.255

////////////////////////////

(ISAKMP Phase 2 Policy)

crypto ipsec transform-set vMX-Azure esp-aes 256 esp-sha256-hmac

/////////////////////////

Crypto Map
***************************

crypto map CMAP 10 ipsec-isakmp
set peer vMX_public IP
set transform-set vMX-Azure
match address Azure-meraki-tarffic

///////////////////////////////

interface GigabitEthernet0/0/0
crypto map CMAP

1 Accepted Solution
Tarmahmood1
Getting noticed

@KarstenI Issue was with the script where local-address was missing and mode tunnel and exempt subnet in NAT-acl
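
The three items named in the accepted solution (a crypto map local-address, an explicit mode tunnel on the transform-set, and a NAT exemption for the tunnel subnets) can be checked mechanically before a config is applied. This is an added example, not code from the thread: the `audit` helper, the ACL name `NAT-ACL`, the peer address 203.0.113.10 and the interface chosen for local-address are assumptions, since the poster's final config is not shown.

```python
import re

# Constructed sample: the thread's crypto config plus an assumed NAT ACL.
# 203.0.113.10 and the ACL name NAT-ACL are placeholders, not values from the thread.
BROKEN = """\
crypto ipsec transform-set vMX-Azure esp-aes 256 esp-sha256-hmac
ip access-list extended Azure-meraki-tarffic
 permit ip 172.17.76.0 0.0.0.255 10.249.1.0 0.0.0.255
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set vMX-Azure
 match address Azure-meraki-tarffic
ip access-list extended NAT-ACL
 permit ip 172.17.76.0 0.0.0.255 any
"""
# The same config with the three items the accepted solution names added.
FIXED = (BROKEN.replace("hmac\n", "hmac\n mode tunnel\n")
         .replace("NAT-ACL\n", "NAT-ACL\n deny ip 172.17.76.0 0.0.0.255 10.249.1.0 0.0.0.255\n")
         + "crypto map CMAP local-address GigabitEthernet0/0/0\n")
HEADERS = {"map": r"crypto map (\S+) \d+ ipsec-isakmp", "ts": r"crypto ipsec transform-set (\S+)",
           "acl": r"ip access-list extended (\S+)"}

def audit(config, nat_acl):
    """Return one finding per item from the accepted solution that the config lacks."""
    sec, local_addr, cur = {}, set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"crypto map (\S+) local-address \S+$", line):
            local_addr.add(m.group(1))
        hit = next(((k, m.group(1)) for k, p in HEADERS.items() if (m := re.match(p, line))), None)
        if hit:
            cur = sec.setdefault(hit, [])   # sub-commands of this section collect here
        elif re.match(r"crypto |interface |ip nat ", line):
            cur = None                      # any other top-level command ends the section
        elif cur is not None and line:
            cur.append(line)
    nat, out = sec.get(("acl", nat_acl), []), []
    cut = next((i for i, a in enumerate(nat) if a.startswith("permit")), len(nat))
    for name, body in ((n, b) for (k, n), b in sec.items() if k == "map"):
        if name not in local_addr:
            out.append(f"{name}: crypto map has no local-address")
        for w in map(str.split, body):
            if w[:2] == ["set", "transform-set"] and "mode tunnel" not in sec.get(("ts", w[2]), []):
                out.append(f"{w[2]}: transform-set has no explicit 'mode tunnel'")
            if w[:2] == ["match", "address"]:
                for ace in sec.get(("acl", w[2]), []):
                    deny = ace.replace("permit", "deny", 1)
                    if ace.startswith("permit ip ") and deny not in nat[:cut]:
                        out.append(f"{nat_acl}: no '{deny}' ahead of its permit entries")
    return out
```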


4 Replies
KarstenI
Kind of a big deal

What does "debug crypto isakmp" on the ISR give you and is anything in the vMX event log? Have you confirmed you have IP connectivity?

@KarstenI

debug crypto isakmp doesn't show anything, and there is also no event log in vMX. I have pinged the vMX public IP from the router and it is pingable.

Here is what I get on the router with #sh logging:

 

Jan  4 09:18:49.200: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:18:49.200: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:18:49.200: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:18:59.234: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:18:59.234: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:18:59.234: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: Flow ID : 0x24000063, Flow Stats Ptr 0x7F57E4892588
Jan  4 09:18:59.234: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:18:59.234: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:18:59.235: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:18:59.235: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:20:59.012: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:20:59.013: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:20:59.013: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: Flow ID : 0x24000063, Flow Stats Ptr 0x7F57E4892588
Jan  4 09:20:59.013: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:20:59.013: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:20:59.013: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:20:59.013: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:21:07.979: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:21:07.979: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:21:07.979: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: Flow ID : 0x24000063, Flow Stats Ptr 0x7F57E4892588
Jan  4 09:21:07.979: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:21:07.979: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:21:07.979: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:21:07.979: ISAKMP-ERROR: (0):No peer struct to get peer description
Jan  4 09:22:06.221: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:22:06.222: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320
Jan  4 09:22:06.222: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: Flow ID : 0x24000063, Flow Stats Ptr 0x7F57E4892588
Jan  4 09:22:06.222: IPSEC:(SESSION ID = 1) (sibling_update_flow_stats) IPSEC: MIB Stats Ptr 0x7F57E0A62320

KarstenI
Kind of a big deal

172.17.76.0/24 is the network behind the router and 10.249.1.0/24 is the Azure network? If not, your ACL Azure-meraki-tarffic needs to be reversed.
