Apr 28 2019
2:17 AM
2 Kudos
Think I've cracked it 🙂 The only thing I kept thinking could be wrong was the ACLs somewhere. After a very long look through the ACL list on the 2911 router I noticed the top ACL, which maps to another crypto map, had this:

permit ip 172.21.0.0 0.0.0.255 192.168.0.0 0.255.255.255

And on my new ACL for my new crypto map I had 192.168.128.0/24, therefore there was an overlap. Which evidently meant that the packet was coming in, hitting the wrong ACL and therefore hitting the wrong crypto map. Which would explain why I was getting "peer address not found". I've done a ping across the tunnel from Meraki now and can see traffic both ways. Thanks for your help
Apr 27 2019
6:00 PM
It will be going static, but yes, it's been the same. Is there anything else I can check? I'm not sure why, but it doesn't really seem to matter what changes I make, I get the same message when I try and ping from Meraki across to the remote side. I've also noticed when I ping from the Meraki side I get this in the Meraki logs:

Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel XXXXXXX[500]->XXXXXXX[500] spi=21810707(0x14cce13)
Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg: XXXXXX give up to get IPsec-SA due to time up to wait.
Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg: IPsec-SA expired: ESP/Tunnel XXXXXXXX[500]->XXXXXXX[500]
Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg: notification NO-PROPOSAL-CHOSEN received in informational exchange.
Apr 28 00:51:42 Non-Meraki / Client VPN negotiation msg: initiate new phase 2 negotiation: XXXXXXXX[4500]<=>XXXXXXXXXX[4500]
Apr 27 2019
5:14 PM
Yes, I think the 2911 has a static IP directly on the interface; as you can see, that's gi 0/0. In terms of the MX, it's behind a BT router in bridge mode. I think its WAN interface is currently DHCP. Should this be static?
Apr 27 2019
5:06 PM
Thanks, will do. I was going off one of the Meraki config guides, but appreciate AES is better. Unfortunately there is a bit of a mixture. I didn't configure them; I'm just trying to add another VPN. There are 4 in total including this MX:

S2SVPN 1 - 2911 router to this 2911 router (this is actually being replaced eventually by S2SVPN 4)
S2SVPN 2 - I believe is an ASA to this 2911 router
S2SVPN 3 - MX appliance to this 2911 router (working, but can't see the config just yet)
S2SVPN 4 - MX appliance I'm currently setting up to this 2911 router

Each has a pre-shared key matching the public IP, so crypto isakmp key <key> address <public address>. Each also has its own ACL. Yes, only 192.168.128.0/24 is set to go over this VPN.
Apr 27 2019
3:30 PM
Not sure how they aren't, but let's see...

Crypto map:

Crypto Map IPv4 "S2SVPN" 4 ipsec-isakmp
        Peer = XXXXXXX
        Extended IP access list Meraki
            access-list Meraki permit ip 172.21.0.0 0.0.255.255 192.168.128.0 0.0.0.255
        Current peer: XXXXXXXX
        Kilobyte Volume Rekey has been disabled.
        Security association lifetime: 28800 seconds
        Responder-Only (Y/N): N
        PFS (Y/N): Y
        DH group: group2
        Transform sets={
                ESP-3DES-SHA: { esp-3des esp-sha-hmac } ,
        }
        Interfaces using crypto map S2SVPN:
                GigabitEthernet0/0

#show crypto isakmp policy
Protection suite of priority 10
        encryption algorithm:   Three key triple DES
        hash algorithm:         Secure Hash Standard
        authentication method:  Pre-Shared Key
        Diffie-Hellman group:   #2 (1024 bit)
        lifetime:               28800 seconds, no volume limit

Then on Meraki:

Let me know if any more info is needed in order to troubleshoot. I have the public address in the router with a pre-shared key that I have entered on Meraki, and that matches. Thanks
Apr 27 2019
1:26 AM
Hi,

Having difficulty trying to get Meraki to complete phase 2 with a Cisco 2911 router. Below is the message I get on the router as soon as I try and ping anything on the other side:

Apr 26 09:59:09.423: IPSEC(ipsec_process_proposal): peer address XXXX not found
Apr 26 09:59:09.423: ISAKMP:(7813): IPSec policy invalidated proposal with error 64
Apr 26 09:59:09.423: ISAKMP:(7813): phase 2 SA policy not acceptable! (local XXXX remote XXXXXX)
Apr 26 09:59:09.423: ISAKMP: set new node -10487433 to QM_IDLE
Router#
Apr 26 09:59:09.423: ISAKMP:(7813):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3 spi 822512632, message ID = 4284479863
Apr 26 09:59:09.423: ISAKMP:(7813): sending packet to XXXX my_port 4500 peer_port 4500 (R) QM_IDLE
Apr 26 09:59:09.423: ISAKMP:(7813):Sending an IKE IPv4 Packet.
Apr 26 09:59:09.423: ISAKMP:(7813):purging node -10487433
Apr 26 09:59:09.423: ISAKMP:(7813):deleting node -1212514309 error TRUE reason "QM rejected"
Apr 26 09:59:09.423: ISAKMP:(7813):Node 3082452987, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
Apr 26 09:59:09.423: ISAKMP:(7813):Old State = IKE_QM_READY New State = IKE_QM_READY

As far as I can see, on both Meraki and the router phase 1 and phase 2 are identical, and the ACL on the router matches the route I have on Meraki. What is strange is we have another Meraki instance (I don't have access to it) that connects to the same router with the same configuration, I'm told. Phase 1 has completed, so it appears the two are connected, but I'm unable to send traffic down the tunnel. I have raised a case but thought I'd post on here and see if anyone else has had the same issues or can point to what I'm doing wrong / what I need to check, etc.