non-Meraki VPN (on a Friday)

SOLVED
Conversationalist

Yes, I am aware that it was a bad time, but I didn't schedule it.


My VPN to the other device isn't coming up.  Looks to be stuck at phase I:


Non-Meraki / Client VPN negotiation msg: IPsec-SA request for [public IP addr] queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 10.200.40.180[500]->[public IP addr][500]
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
Non-Meraki / Client VPN negotiation msg: request for establishing IPsec-SA was queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 10.200.40.180[500]->[public IP addr][500]
Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.
Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 10.200.40.180[500]<=>[public IP
Non-Meraki / Client VPN negotiation msg: IPsec-SA request for [public IP addr] queued due to no phase1 found.


From the capture, it looked like a phase II message was coming in before phase I had been completed (leading to the ignore above?).  Anyway, that's as far as it gets.


Thoughts?

1 ACCEPTED SOLUTION

Accepted Solutions
Kind of a big deal

Re: non-Meraki VPN (on a Friday)

You'll find the remote end needs to have your private IP address configured as its peer identity (which is different from the peer IP address).

3 REPLIES
Kind of a big deal

Re: non-Meraki VPN (on a Friday)

I can see 10.200.40.180 is sitting behind another device doing NAT.  Make sure that the device is NATing udp/500 and udp/4500 through to the IP address on the MX.

Conversationalist

Re: non-Meraki VPN (on a Friday)

Thanks PDA.


Here's the capture decode I was talking about earlier:


IP 10.200.40.180.500 > [public IP addr].500: isakmp: phase 1 I ident
IP [public IP addr].500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.500 > [public IP addr].500: isakmp: phase 1 I ident
IP [public IP addr].500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.4500 > [public IP addr].4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP [public IP addr].4500 > 10.200.40.180.4500: NONESP-encap: isakmp: phase 2/others R inf[E]


The fact that I get responses back on both port 500 and 4500 indicates to me that NAT is working.
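Pulling the thread's two pieces of evidence together, as an added example that is not part of any of the posts above: the script below parses the tcpdump decode and the MX "negotiation msg" lines quoted in this thread and classifies where IKEv1 main mode stalls, then shows how the remote peer expresses the accepted fix (the MX's identity configured separately from the address its packets arrive from). It assumes a strongSwan remote end (the thread never names the other device) and substitutes documentation-range addresses for the redacted ones: 203.0.113.10 for the remote peer and 198.51.100.20 for the public side of the NAT in front of the MX.

```python
"""Classify a stuck non-Meraki (IKEv1 main mode) tunnel from an MX event log and a
tcpdump decode, and express the remote-side fix.  Added example, not code from the
thread or from Meraki; addresses other than 10.200.40.180 are placeholders."""
import ipaddress
import re
from dataclasses import dataclass

# Sample input: the MX negotiation messages quoted in the thread (public IP substituted).
MX_LOG = """\
Non-Meraki / Client VPN negotiation msg: IPsec-SA request for 203.0.113.10 queued due to no phase1 found.
Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel 10.200.40.180[500]->203.0.113.10[500]
Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up.
Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.
Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 10.200.40.180[500]<=>203.0.113.10[500]
"""

# Sample input: the tcpdump decode quoted in the thread (public IP substituted).
CAPTURE = """\
IP 10.200.40.180.500 > 203.0.113.10.500: isakmp: phase 1 I ident
IP 203.0.113.10.500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.500 > 203.0.113.10.500: isakmp: phase 1 I ident
IP 203.0.113.10.500 > 10.200.40.180.500: isakmp: phase 1 R ident
IP 10.200.40.180.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP 203.0.113.10.4500 > 10.200.40.180.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
"""

PKT_RE = re.compile(
    r"^IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?:NONESP-encap: )?isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) "
    r"(?P<exch>\w+)(?P<enc>\[E\])?"
)


@dataclass
class Diagnosis:
    initiator: str
    responder: str
    initiator_behind_nat: bool     # initiator address is RFC 1918, so a NAT device is in the path
    replies_on_500: bool           # responder answered the cleartext main-mode messages
    floated_to_4500: bool          # NAT-D detected the NAT and IKE moved to udp/4500
    replies_on_4500: bool
    phase1_completed: bool         # main-mode message 6 ('phase 1 R ident[E]') was seen
    rejected_after_identity: bool  # responder answered message 5 with an informational instead
    mx_ignored_info: bool          # MX saw that informational before the ISAKMP SA existed
    mx_phase1_timed_out: bool

    @property
    def verdict(self) -> str:
        if self.initiator_behind_nat and not (self.replies_on_500 and self.replies_on_4500):
            return "nat-forwarding"        # udp/500 or udp/4500 is not reaching the MX
        if self.rejected_after_identity and not self.phase1_completed:
            return "identity-or-psk"       # message 5 (ID + HASH) was refused by the responder
        if self.phase1_completed:
            return "phase1-ok"
        return "unknown"


def parse_capture(text: str) -> list:
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"], d["enc"] = int(d["sport"]), int(d["dport"]), bool(d["enc"])
            pkts.append(d)
    return pkts


def diagnose(capture: str, mx_log: str) -> Diagnosis:
    pkts = parse_capture(capture)
    if not pkts:
        raise ValueError("no ISAKMP packets in capture")
    init, resp = pkts[0]["src"], pkts[0]["dst"]
    from_init = [p for p in pkts if p["src"] == init]
    from_resp = [p for p in pkts if p["src"] == resp]
    # Message 5 of main mode is the first encrypted packet the initiator sends; it carries
    # the initiator's identity and HASH_I.  A responder that accepts it replies with an
    # encrypted 'phase 1 R ident'; one that rejects it replies with an informational.
    first_enc = next((i for i, p in enumerate(pkts) if p["src"] == init and p["enc"]), None)
    rejected = False
    if first_enc is not None:
        after = [p for p in pkts[first_enc + 1:] if p["src"] == resp]
        rejected = bool(after) and after[0]["exch"] == "inf"
    return Diagnosis(
        initiator=init, responder=resp,
        initiator_behind_nat=ipaddress.ip_address(init).is_private,
        replies_on_500=any(p["dport"] == 500 for p in from_resp),
        floated_to_4500=any(p["sport"] == 4500 for p in from_init),
        replies_on_4500=any(p["dport"] == 4500 for p in from_resp),
        phase1_completed=any(p["phase"] == "1" and p["role"] == "R" and p["enc"] for p in from_resp),
        rejected_after_identity=rejected,
        mx_ignored_info="ignore information because ISAKMP-SA has not been established" in mx_log,
        mx_phase1_timed_out="phase1 negotiation failed due to time up" in mx_log,
    )


def remote_peer_config(nat_public_ip: str, mx_private_ip: str, local_ip: str) -> str:
    """strongSwan ipsec.conf stanza for the non-Meraki side (assumed peer type).  The point
    is the split the accepted answer describes: packets arrive from the NAT's public address
    (right=), but the MX identifies itself by its own private address (rightid=)."""
    return (
        "conn to-meraki-mx\n"
        "    keyexchange=ikev1\n"
        "    authby=secret\n"
        f"    left={local_ip}\n"
        f"    right={nat_public_ip}\n"
        f"    rightid={mx_private_ip}\n"
        "    auto=add\n"
    )


if __name__ == "__main__":
    d = diagnose(CAPTURE, MX_LOG)
    print(d.verdict, d)
    print(remote_peer_config("198.51.100.20", "10.200.40.180", "203.0.113.10"))
```

Read against the thread: replies on udp/500, the float to udp/4500 and a reply there show NAT detection and forwarding working, which is the point made in the second post. What the capture then shows is the responder answering the first encrypted packet (main-mode message 5, the one carrying the MX identity) with an informational exchange rather than message 6; that is what a responder does when it refuses the identity or the HASH, and the MX logs exactly that as "ignore information because ISAKMP-SA has not been established yet" before phase 1 times out. The notify inside is encrypted, so the capture cannot say whether it was the ID or the pre-shared key, which is why the fix lives in the remote peer's configuration.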
