Yes, I am aware that it was a bad time, but I didn't schedule it.
My VPN to the other device isn't coming up. Looks to be stuck at phase I:
Non-Meraki / Client VPN negotiation msg: IPsec-SA request for [public IP addr] queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 10.200.40.180[500]->[public IP addr][500]
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
Non-Meraki / Client VPN negotiation msg: request for establishing IPsec-SA was queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 10.200.40.180[500]->[public IP addr][500]
Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.
Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 10.200.40.180[500]<=>[public IP
Non-Meraki / Client VPN negotiation msg: IPsec-SA request for [public IP addr] queued due to no phase1 found.
From the capture, it looked like a phase II message was coming in before phase I had been completed (leading to the ignore above?). Anyway, that's as far as it gets.
Thoughts?
You will find the remote end needs to have your private IP address configured as its peer identity (which is different from the peer IP address).
I can see 10.200.40.180 is sitting behind another device doing NAT. Make sure that the device is NATing through udp/500 and udp/4500 through to the IP address on the MX.
Thanks PDA.
Here's the capture decode I was talking about earlier:
IP 10.200.40.180.500 > [public IP addr].500: isakmp: phase 1 I ident
IP [public IP addr].500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.500 > [public IP addr].500: isakmp: phase 1 I ident
IP [public IP addr].500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.4500 > [public IP addr].4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP [public IP addr].4500 > 10.200.40.180.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
The fact that I get responses back on both port 500 and 4500 indicates to me that NAT is working.
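As an added example (not code from the thread or from Meraki), here is a small checker that reads a tcpdump-style isakmp decode like the one above, together with the MX event-log lines quoted earlier, and reports what they show about NAT traversal and phase 1. The public IP is assumed to be 203.0.113.10 (a documentation address standing in for the redacted one); the capture and log text are constructed to mirror the thread. Two facts it relies on: in IKEv1 main mode the responder's final message is an encrypted identity message (tcpdump prints it as `phase 1 R ident[E]`), and tcpdump labels an Informational exchange as `phase 2/others ... inf`, so an `inf[E]` arriving right after the initiator's encrypted ident is the responder notifying a problem, not a phase 2 negotiation.

```python
import re

# Constructed sample modelled on the decode quoted in the thread; 203.0.113.10
# stands in for the redacted public IP of the remote peer.
SAMPLE_CAPTURE = """\
IP 10.200.40.180.500 > 203.0.113.10.500: isakmp: phase 1 I ident
IP 203.0.113.10.500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.500 > 203.0.113.10.500: isakmp: phase 1 I ident
IP 203.0.113.10.500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP 203.0.113.10.4500 > 10.200.40.180.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
"""

# Constructed sample of the MX event-log messages quoted in the thread.
SAMPLE_EVENTS = """\
Non-Meraki / Client VPN negotiation msg: IPsec-SA request for 203.0.113.10 queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.
Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 10.200.40.180[500]<=>203.0.113.10[500]
"""

# One tcpdump isakmp summary line: src.port > dst.port: [NONESP-encap:] isakmp: phase N I|R exch[E]
PKT_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?:NONESP-encap: )?isakmp: phase (?P<phase>1|2/others) "
    r"(?P<dir>[IR]) (?P<exch>\w+)(?P<enc>\[E\])?$"
)


def parse_capture(text):
    """Turn the decode into a list of dicts; lines that are not isakmp summaries are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
        d["enc"] = d["enc"] is not None  # [E] marks an encrypted ISAKMP message
        pkts.append(d)
    return pkts


def diagnose_phase1(pkts, initiator="10.200.40.180"):
    """Heuristic read of an IKEv1 main-mode exchange as seen from the initiator."""
    from_resp = [p for p in pkts if p["dst"] == initiator]
    to_resp = [p for p in pkts if p["src"] == initiator]
    result = {
        "responder_replied_500": any(p["sport"] == 500 for p in from_resp),
        "responder_replied_4500": any(p["sport"] == 4500 for p in from_resp),
        # Initiator floating to udp/4500 with the NON-ESP marker means NAT-T found a NAT in the path.
        "nat_t_float": any(p["sport"] == 4500 for p in to_resp),
        # Main-mode message 6 is the responder's encrypted ident; without it phase 1 never completed.
        "phase1_completed": any(p["dir"] == "R" and p["exch"] == "ident" and p["enc"] for p in from_resp),
    }
    sent_encrypted_id = any(p["dir"] == "I" and p["exch"] == "ident" and p["enc"] for p in to_resp)
    got_informational = any(p["exch"] == "inf" for p in from_resp)
    if result["phase1_completed"]:
        result["verdict"] = "phase 1 completed"
    elif sent_encrypted_id and got_informational:
        # Responder answered the ID payload with an Informational: check the peer identity it expects.
        result["verdict"] = "phase 1 rejected after ID payload: check peer identity configured on remote end"
    elif not from_resp:
        result["verdict"] = "no reply from peer: check udp/500 and udp/4500 forwarding"
    else:
        result["verdict"] = "phase 1 incomplete: proposal or timing problem"
    return result


EVENT_PATTERNS = {
    "no_phase1": "queued due to no phase1 found",
    "phase1_timeout": "phase1 negotiation failed due to time up",
    "ignored_pre_sa": "ignore information because ISAKMP-SA has not been established",
    "phase1_initiated": "initiate new phase 1 negotiation",
}


def summarize_events(text):
    """Count the recurring negotiation messages so a stuck phase 1 shows up at a glance."""
    counts = {key: 0 for key in EVENT_PATTERNS}
    for line in text.splitlines():
        for key, needle in EVENT_PATTERNS.items():
            if needle in line:
                counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, value in diagnose_phase1(parse_capture(SAMPLE_CAPTURE)).items():
        print(f"{key}: {value}")
    print(summarize_events(SAMPLE_EVENTS))
```

On the sample above the checker confirms replies on both udp/500 and udp/4500 (so the NAT forwarding is fine), sees the initiator send its encrypted identity, and sees the responder answer with an Informational rather than its own encrypted ident, which points at the identity configuration on the far end rather than at NAT.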
Hello,
I have the same problem. How could you solve it?