Problem
Bring up a site-to-site VPN between a Meraki MX appliance and a non-Meraki peer (here a GTA GB-OS firewall). The tunnel never establishes; the MX event log records the following IKE negotiation errors between the two firewalls:
May YY xx:43:53 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY xx:43:53 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY xx:43:41 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY xx:43:41 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase2 negotiation failed due to time up waiting for phase1. ESP 216.xx.xy.zz[0]->206.aa.bb.cc[0]
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 206.aa.bb.cc[500]<=>216.xx.xy.zz[500]
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase2 negotiation failed due to time up waiting for phase1. ESP 216.xx.xy.zz[0]->206.aa.bb.cc[0]
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 7557120ff4360b40:0000000000000000
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase2 negotiation failed due to time up waiting for phase1. ESP 216.xx.xy.zz[0]->206.aa.bb.cc[0]
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 206.aa.bb.cc[500]<=>216.xx.xy.zz[500]
Solution
The repeated "failed to get valid proposal" / "no suitable proposal found" lines show that the IKE phase 1 (ISAKMP SA) handshake never completed: neither peer offered a phase 1 transform set (encryption, hash, DH group, lifetime) that the other would accept, so phase 2 then timed out waiting for phase 1 and the MX kept re-initiating. The fix is to configure identical proposals on both peers. We did the following:
On the GB-OS firewall we created a new IPSec object (policy) with:
Phase 1: IKEv1
Exchange: Main Mode
Encryption / hash / DH group: 3DES, SHA1, DH group 2
Phase 2
Encryption / hash / PFS group: 3DES, SHA1, DH group 2
On the Meraki side select the Site-to-site VPN option.
In the Non-Meraki VPN peers section click the "default" hyperlink under IPsec policies.
Set the preset to Custom and modify as follows:
Phase 1
Encryption: 3DES, Authentication: SHA1, Diffie-Hellman group: 2
Lifetime: 8 hours / 28800 s
Phase 2
Encryption: 3DES, Authentication: SHA1
PFS group: 2 (if the peer firewall can run with PFS disabled, leave the Meraki default of disabled)
Lifetime: 8 hours / 28800 s
Apart from the PFS group, these are the settings an MX proposes to a non-Meraki peer by default, so the change that mattered was making the GB-OS policy match them exactly and bringing the PFS group into agreement.
Security caveat: 3DES, SHA1 and DH group 2 (1024-bit MODP) are legacy algorithms kept here only because both platforms agreed on them; if both peers support AES-256, SHA-256 and DH group 14 or higher, prefer those and keep PFS enabled.
With these settings in place the tunnel came up and both sides were reachable.
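As an added example, not code from this page nor from Meraki or GTA: a Python script that triages "Non-Meraki / Client VPN" log lines like the ones above and checks whether two peers' IKEv1 phase 1 and phase 2 proposals share any transform. The log sample is constructed (timestamps and RFC 5737 addresses substituted), and the "before" GB-OS policy is an assumed stronger-only policy, since the page does not state what the GB-OS side originally proposed; the MX default and the aligned 3DES/SHA1/DH2 policy are taken from the text.

```python
"""Triage MX non-Meraki VPN negotiation logs and check IKEv1 proposal overlap.
Added example; log sample and the 'before' policy are constructed, not from the page."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the page's log (RFC 5737 addresses).
SAMPLE_LOG = """\
May 01 10:43:53 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May 01 10:43:53 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May 01 10:43:41 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May 01 10:43:41 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May 01 10:43:54 Non-Meraki / Client VPN negotiation msg: phase2 negotiation failed due to time up waiting for phase1. ESP 198.51.100.1[0]->203.0.113.2[0]
May 01 10:43:54 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 203.0.113.2[500]<=>198.51.100.1[500]
"""

LOG_RX = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) Non-Meraki / Client VPN negotiation msg: (.*)$")

# Substring -> failure stage.  The wording is that of racoon-style IKEv1 daemons:
# "no suitable proposal found" is a responder rejecting every transform it was offered.
SIGNATURES = (
    ("no suitable proposal found", "phase1_proposal_mismatch"),
    ("failed to get valid proposal", "phase1_proposal_mismatch"),
    ("failed to pre-process ph1 packet", "phase1_failed"),   # in racoon, side: 1 = responder
    ("phase1 negotiation failed", "phase1_failed"),
    ("time up waiting for phase1", "phase2_blocked_by_phase1"),
    ("initiate new phase 1 negotiation", "phase1_retry"),
)

def parse_log(text):
    """Yield (timestamp, message) for each Non-Meraki VPN line; other lines are skipped."""
    for line in text.splitlines():
        m = LOG_RX.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def diagnose(text):
    """Count signature hits per stage and return (counts, verdict)."""
    counts = {}
    for _, msg in parse_log(text):
        for needle, stage in SIGNATURES:
            if needle in msg:
                counts[stage] = counts.get(stage, 0) + 1
                break
    if counts.get("phase1_proposal_mismatch"):
        verdict = "phase 1 proposal mismatch: align encryption, hash and DH group on both peers"
    elif counts.get("phase1_failed") or counts.get("phase2_blocked_by_phase1"):
        verdict = "phase 1 never completes: check PSK, peer address/identity and UDP/500 reachability"
    else:
        verdict = "no phase 1 failure signatures found"
    return counts, verdict

@dataclass(frozen=True)
class Proposal:
    enc: str        # "3des", "aes256", ...
    auth: str       # "sha1", "sha256", ...
    dh: int         # phase 1: IKE DH group; phase 2: PFS group, 0 = PFS disabled
    lifetime: int   # seconds

def agreed(local, remote):
    """Return (transforms both peers accept, lifetime warnings).  Lifetime is a warning
    rather than fatal because daemons differ on whether an unequal lifetime is
    negotiated down or rejected outright."""
    remote_by_key = {(p.enc, p.auth, p.dh): p for p in remote}
    matches, warnings = [], []
    for p in local:
        key = (p.enc, p.auth, p.dh)
        if key in remote_by_key:
            matches.append(key)
            if remote_by_key[key].lifetime != p.lifetime:
                warnings.append(f"{key}: lifetime {p.lifetime}s vs {remote_by_key[key].lifetime}s")
    return sorted(matches), warnings

def check_policy(local, remote):
    """local/remote: {"phase1": [Proposal...], "phase2": [Proposal...]} -> per-phase report."""
    report = {}
    for phase in ("phase1", "phase2"):
        matches, warnings = agreed(local[phase], remote[phase])
        report[phase] = {"ok": bool(matches), "matches": matches, "warnings": warnings}
    return report

# MX_DEFAULT is the MX preset described on the page (PFS off).  GBOS_BEFORE is an
# ASSUMED stronger-only policy that would produce the "no suitable proposal" log.
MX_DEFAULT = {"phase1": [Proposal("3des", "sha1", 2, 28800)],
              "phase2": [Proposal("3des", "sha1", 0, 28800)]}
GBOS_BEFORE = {"phase1": [Proposal("aes256", "sha256", 14, 28800)],
               "phase2": [Proposal("aes256", "sha256", 14, 3600)]}
# The page's fix, applied identically on both peers: 3DES/SHA1/DH2, PFS group 2, 28800 s.
ALIGNED = {"phase1": [Proposal("3des", "sha1", 2, 28800)],
           "phase2": [Proposal("3des", "sha1", 2, 28800)]}

if __name__ == "__main__":
    counts, verdict = diagnose(SAMPLE_LOG)
    print(counts, "->", verdict)
    print("before:", check_policy(MX_DEFAULT, GBOS_BEFORE))
    print("after: ", check_policy(ALIGNED, ALIGNED))
```

Run it as-is to see the mismatch report for the constructed "before" state and the agreement once both peers carry the aligned policy; substitute your own two policies in the dictionaries to check a new peer before touching the dashboard.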
Tested Platforms
Meraki MX65W
GTA GB250 (GB-OS)