Meraki

Community

About MattSc

Re: Organization to Organization VPN

by in Security & SD-WAN
‎Aug 31 2020 5:41 AM
‎Aug 31 2020 5:41 AM
So after writing all that out and actually reading it out I realized the only difference between the three networks was that one network was set to "NAT Traversal - Manual: Port Forward" and the other two were "NAT Traversal - Automatic" I had to use "NAT Traversal - Manual: Port Forward" on one of the sites (no choice) but as soon as I set all three networks to the same even though it has never been needed on the other two networks, all three networks came up together. My question now... is there some sort of organizational setting on the NAT Traversal that requires ALL networks within an organization to be one or the other to work correctly with Non-Meraki VPN Peers? ... View more

Organization to Organization VPN

by in Security & SD-WAN
‎Aug 31 2020 4:15 AM
‎Aug 31 2020 4:15 AM
I'm at a complete loss as to what would cause this issue i'm experiencing (i'll try explain this as best I can as its hard to explain).. I have two Organizations Organization 1 has Network 1   Organization 2 has Networks 1, 2, and 3 I can establish a VPN Tunnel from Organization 1 Network 1 to Organization 2 Network 1 and 2 I can establish a VPN Tunnel from Organization 1 Network 1 to Organization 2 Network 3 I cannot establish a VPN Tunnel from Organization 1 Network 1 to Organization 2 Network 1, 2 and 3 Working from Organization 1 If I have a working tunnel with to Organization 2 Network 1 and 2 then try to add Organization 2 Network 3, the logs for show msg: phase2 negotiation failed due to time up waiting for phase1. ESP 144.130.xxx.xxx[0]->10.1.1.2[0] msg: phase1 negotiation failed due to time up. 8d8627ebd6d071a1:e3cc535a1caf1006 msg: request for establishing IPsec-SA was queued due to no phase1 found. msg: initiate new phase 1 negotiation: 10.1.1.2[500]<=>144.130.xxx.xxx[500] If I have a working tunnel with to Organization 2 Network 3 then try to add Organization 2 Network 1 and / or 2 the logs show  msg: phase1 negotiation failed due to time up. c4437031800f8ab7:0000000000000000 msg: phase1 negotiation failed due to time up. b679565d253b7ff5:0000000000000000 msg: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. msg: request for establishing IPsec-SA was queued due to no phase1 found. msg: request for establishing IPsec-SA was queued due to no phase1 found. msg: IPsec-SA expired: ESP/Tunnel 144.130.xxx.xxx[500]->58.171.xxx.xxx[500] msg: phase2 negotiation failed due to time up waiting for phase1. ESP 149.135.xx.xxx[0]->144.130.xxx.xxx[0] msg: IPsec-SA expired: ESP/Tunnel 144.130.xxx.xxx[500]->149.135.xx.xxx[500] msg: initiate new phase 1 negotiation: 144.130.xxx.xxx[500]<=>58.171.xxx.xxx[500] msg: IPsec-SA request for 58.171.xxx.xxx queued due to no phase1 found. msg: notification NO-PROPOSAL-CHOSEN received in unencrypted informational exchange. msg: initiate new phase 1 negotiation: 144.130.xxx.xxx[500]<=>149.135.xx.xxx[500] msg: IPsec-SA request for 149.135.xx.xxx queued due to no phase1 found. msg: IPsec-SA expired: ESP/Tunnel 144.130.xxx.xxx[500]->58.171.xxx.xxx[500] msg: phase2 negotiation failed due to time up waiting for phase1. ESP 149.135.xx.xxx[0]->144.130.xxx.xxx[0] msg: IPsec-SA expired: ESP/Tunnel 144.130.xxx.xxx[500]->149.135.xx.xxx[500] To the best of my knowledge the error logs suggest that either there is a mismatch with the IPSec Policies or that the sites flat out can't talk to each other, if either of those where the case I should not be able to establish a connection at all. Does anyone have any thoughts on what could cause this, i'm completely out of ideas at this point and have been battling with this for the last two days now. ... View more

Re: Auto VPN Whitepaper

by in Security & SD-WAN
‎Jan 30 2020 3:25 PM
‎Jan 30 2020 3:25 PM
Hi Phillip,   Thanks for the link to that version of the whitepaper, it seems as though i had obtained a rather old copy of the paper which is what sparked the question, appreciate the updated copy.           ... View more

Auto VPN Whitepaper

by in Security & SD-WAN
‎Jan 29 2020 8:44 PM
‎Jan 29 2020 8:44 PM
Hi,   I'm trying to find some clarification around a particular entry in the white paper around Auto VPN   1. MXs advertise their WAN IP addresses and any active NAT traversal UDP ports to the Cisco Meraki cloud. Device-to-cloud communication is encrypted twice: once via Meraki-proprietary encryption and again using SSL.   It mentions SSL is in use, is this correct? and if so which version would it happen to be using? we have been asked to clarify this in a project we are currently working on. ... View more
© 2025 Cisco Systems, Inc.