Meraki MX65 site-to-site VPN with a non-Meraki peer

Problem

Bring up a site-to-site VPN between a Meraki MX appliance and a non-Meraki device.

Following are the errors logged between the two firewalls:

May YY xx:43:53 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY xx:43:53 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY xx:43:41 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY xx:43:41 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).

May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase2 negotiation failed due to time up waiting for phase1. ESP 216.xx.xy.zz[0]->206.aa.bb.cc[0]
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 206.aa.bb.cc[500]<=>216.xx.xy.zz[500]
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase2 negotiation failed due to time up waiting for phase1. ESP 216.xx.xy.zz[0]->206.aa.bb.cc[0]
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. 7557120ff4360b40:0000000000000000
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase2 negotiation failed due to time up waiting for phase1. ESP 216.xx.xy.zz[0]->206.aa.bb.cc[0]
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May YY XX:43:54 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 206.aa.bb.cc[500]<=>216.xx.xy.zz[500]

Solution

The log above shows that the Phase 1 (IKE) handshake never completed: the MX found no acceptable proposal ("no suitable proposal found"), so Phase 2 kept timing out while waiting for Phase 1. To get it to complete we did the following.

On the GTA firewall (GBOS) we created a new IPsec object (policy) with:

Phase 1 (IKEv1)
Exchange: Main Mode
Encryption / hash / DH group: 3DES, SHA1, DH2

Phase 2
Encryption / hash / DH group: 3DES, SHA1, DH2

On the Meraki side, open the Site-to-site VPN page.

In the Non-Meraki VPN peers section, click the “default” hyperlink under IPsec policies.

Set the preset to Custom and modify it as follows:

Phase 1
Encryption / hash / DH group: 3DES, SHA1, DH2
Lifetime: 8 hours (28800 s)

Phase 2
Encryption / hash / DH group: 3DES, SHA1, DH2
PFS group: 2 (if your peer firewall can run with PFS disabled, leave the default of disabled)
Lifetime: 8 hours (28800 s)

These are the settings that an MX appliance proposes to a non-MX firewall by default.

With these settings in place the tunnels came up and both sides were reachable.
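As an added illustration (not code from this post, nor Meraki or GTA software), the following Python script classifies the "Non-Meraki / Client VPN negotiation" messages seen above and compares two IKEv1 policies for the kind of mismatch that produces them. The log lines, the documentation-range addresses and the AES128 peer policy are constructed samples; the 3DES/SHA1/DH2/28800 values are the ones from this post.

```python
import re

# Constructed sample of the MX "Non-Meraki / Client VPN negotiation" event log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
May 01 10:43:53 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
May 01 10:43:53 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
May 01 10:43:53 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
May 01 10:43:54 Non-Meraki / Client VPN negotiation msg: phase2 negotiation failed due to time up waiting for phase1. ESP 203.0.113.1[0]->198.51.100.2[0]
May 01 10:43:54 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 198.51.100.2[500]<=>203.0.113.1[500]
"""
MSG_RE = re.compile(r"Non-Meraki / Client VPN negotiation msg: (.*)$")

def diagnose_log(text):
    """Count the symptoms; proposal errors plus Phase 1 failures mean the peers never agreed on a Phase 1 policy."""
    c = {"no_proposal": 0, "phase1_failed": 0, "phase2_blocked_on_phase1": 0}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        msg = m.group(1)
        if "proposal" in msg:                    # "failed to get valid proposal" / "no suitable proposal found"
            c["no_proposal"] += 1
        elif msg.startswith("phase1 negotiation failed"):
            c["phase1_failed"] += 1
        elif "waiting for phase1" in msg:        # Phase 2 cannot start until Phase 1 completes
            c["phase2_blocked_on_phase1"] += 1
    c["verdict"] = "phase1 proposal mismatch" if c["no_proposal"] and c["phase1_failed"] else "other"
    return c

# IKEv1 policy as entered on each side; keys mirror the Phase 1 / Phase 2 fields in the post, p2_pfs=None means PFS off.
def ike_policy(p1_enc, p1_hash, p1_dh, p1_life, p2_enc, p2_hash, p2_pfs, p2_life):
    return dict(p1_enc=p1_enc, p1_hash=p1_hash, p1_dh=p1_dh, p1_life=p1_life,
                p2_enc=p2_enc, p2_hash=p2_hash, p2_pfs=p2_pfs, p2_life=p2_life)

def policy_mismatches(mx, peer):
    """Return the attributes on which the two policies differ (algorithm names compared case-insensitively); [] means the peers can agree."""
    norm = lambda v: v.lower() if isinstance(v, str) else v
    return [f"{k}: mx={mx[k]} peer={peer[k]}" for k in mx if norm(mx[k]) != norm(peer[k])]

# The settings the post ends up with on both sides, and a constructed peer that still differs on two attributes.
WORKING = ike_policy("3DES", "SHA1", 2, 28800, "3DES", "SHA1", 2, 28800)
MISMATCHED_PEER = ike_policy("AES128", "SHA1", 2, 28800, "3DES", "SHA1", None, 28800)

if __name__ == "__main__":
    print(diagnose_log(SAMPLE_LOG))
    print(policy_mismatches(WORKING, MISMATCHED_PEER) or "policies agree")
```

Run it against a pasted copy of your own MX event log to confirm the failure pattern before touching either policy; once both sides are entered in `ike_policy`, an empty mismatch list is the condition the post's fix establishes.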

Tested platforms

Meraki MX65W
GTA GB250