
0 votes
2,217 views 4 comments
by anonymous

I'm trying to establish an IPSEC VPN between a Cisco Meraki MX 64 (FW: MX 14.53) and a RUT950 (FW: RUT9XX_R_00.06.07.5) and it cannot even establish phase 1.

This is the Cisco Meraki VPN Settings and Requirements: (https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Peers)

Cisco Meraki devices have the following requirements for their VPN connections to non-Meraki peers:

Preshared keys (no certificates).

LAN static routes (no routing protocol for the VPN interface).

IKEv1 in Main Mode or IKEv2

Access through UDP ports 500 and 4500.

The following IKE and IPsec parameters are the default settings used by the MX:

Phase 1 (IKE Policy): 3DES, SHA1, DH group 2, lifetime 8 hours (28800 seconds).

Phase 2 (IPsec Rule): Any of 3DES or AES; either MD5 or SHA1; PFS disabled; lifetime 8 hours (28800 seconds).

I fail to see why the RUT950 wouldn't be compatible with this.

This is the configuration of the RUT950 (IP addresses edited):

[Screenshot: RUT950 IPsec GUI]

The log in the Meraki says this:

Time (CET) Event type Details

Feb 4 11:03:43 Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.

Feb 4 11:03:33 Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.

Feb 4 11:03:22 Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.

Feb 4 11:03:21 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]

Feb 4 11:03:10 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. e520bfac10bdd6f5:7e6dc7636d2daea4

I don't see any logs in the RUT950 though.

Any ideas on why this fails? I'm out of options on both platforms.
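To check the "why wouldn't it be compatible" question in a repeatable way, here is an added example (not code from this thread, from Teltonika or from Meraki) that models how an IKEv1 responder picks a proposal and runs a candidate RUT950 algorithm list against the Meraki MX defaults quoted above. The RUT950 candidate configurations are constructed for illustration, and "AES" on the Meraki side is assumed here to mean AES-128 or AES-256, which the page does not state.

```python
# Added example: a model of IKEv1 proposal selection, used to check a RUT950
# candidate configuration against the Meraki MX defaults quoted in the question.

# Meraki MX default policy as listed in the question. "AES" is assumed here to
# mean AES-128 or AES-256 (an assumption, not stated on the page).
MERAKI_MX_POLICY = {
    "phase1": {"enc": {"3des"}, "integ": {"sha1"}, "dh": {2}, "lifetime": 28800},
    "phase2": {"enc": {"3des", "aes128", "aes256"}, "integ": {"md5", "sha1"},
               "pfs": {None}, "lifetime": 28800},
}


def select_proposal(offered, accepted):
    """Return the first offered proposal the responder can accept, else None.

    `offered` is the initiator's ordered list of proposals (dicts); `accepted`
    maps the same keys to the sets of values the responder allows. Lifetime is
    deliberately not compared: in IKEv1 a responder can simply use the shorter
    lifetime, so a lifetime mismatch on its own does not stop the SA coming up.
    """
    for proposal in offered:
        ok = all(proposal.get(key) in accepted[key]
                 for key in accepted if key != "lifetime")
        if ok:
            return proposal
    return None


def check_tunnel(local_proposals, peer_policy):
    """Run phase 1 and phase 2 selection and summarise what the peer would do.

    A phase-1 miss is what produces a NO_PROPOSAL_CHOSEN notify from the peer.
    If phase 1 would be chosen but the tunnel still never comes up, the cause
    lies elsewhere (pre-shared key, IDs, reachability), not in the algorithm lists.
    """
    p1 = select_proposal(local_proposals["phase1"], peer_policy["phase1"])
    p2 = select_proposal(local_proposals["phase2"], peer_policy["phase2"])
    return {
        "phase1": p1,
        "phase2": p2,
        "verdict": ("proposals_compatible" if p1 and p2 else
                    "phase1_no_proposal_chosen" if not p1 else
                    "phase2_no_proposal_chosen"),
    }


# Constructed RUT950 candidates (not the asker's real configuration). The first
# uses modern-only algorithms and is rejected; the second also offers the
# Meraki defaults as a fallback proposal and disables PFS for phase 2.
RUT950_MODERN = {
    "phase1": [{"enc": "aes256", "integ": "sha256", "dh": 14, "lifetime": 28800}],
    "phase2": [{"enc": "aes256", "integ": "sha256", "pfs": 14, "lifetime": 3600}],
}
RUT950_MERAKI_COMPATIBLE = {
    "phase1": [{"enc": "aes256", "integ": "sha256", "dh": 14, "lifetime": 28800},
               {"enc": "3des", "integ": "sha1", "dh": 2, "lifetime": 28800}],
    "phase2": [{"enc": "aes256", "integ": "sha1", "pfs": None, "lifetime": 3600}],
}

if __name__ == "__main__":
    for name, cfg in (("modern", RUT950_MODERN),
                      ("meraki-compatible", RUT950_MERAKI_COMPATIBLE)):
        print(name, check_tunnel(cfg, MERAKI_MX_POLICY)["verdict"])
```

The point of the model is the split it gives you when a tunnel fails: if your offered list cannot match the peer's policy you expect a NO_PROPOSAL_CHOSEN in the logs; if it can match (as the Meraki defaults and a 3DES/SHA1/group 2 proposal do) and phase 1 still times out, look at keys, IDs and UDP 500/4500 reachability instead. Note that 3DES, SHA1 and DH group 2 are legacy choices; where both peers allow it, prefer AES, SHA-2 and a larger DH group on both sides rather than lowering the RUT950 to these defaults.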

1 Answer

0 votes
by anonymous

Hello,

Could you share a proper topology with IP addresses? Also check if you have a public IP address. You can check here.

Have you tried reading the following? It may help.

https://wiki.teltonika-networks.com/view/IPsec_configuration_examples

Please provide a troubleshoot file for the device.

The troubleshoot file can be downloaded from System > Administration > Troubleshoot.

Please make sure the device has been on for 15 minutes before you download the troubleshoot file.

Thank you.

Have a great day.

by anonymous

Thank you for your quick reply to my question.

Yes, I've read multiple articles of yours on IPSEC, and I've set up many IPSEC tunnels on different firewall models through the years. But for this, I'm out of options as I cannot adjust much more on either platform.

The topology is equal to this except the IP addresses, and that RUT 1 is a Meraki MX firewall:

Please see the log file you requested on this link.

by anonymous

From the log you have posted above, it appears that the RUT950 cannot decrypt incoming packets; the preshared keys don't match.

Thu Feb  4 14:44:58 2021 daemon.info syslog: 12[ENC] invalid ID_V1 payload length, decryption failed?
Thu Feb  4 14:44:58 2021 daemon.info syslog: 12[ENC] could not decrypt payloads
Thu Feb  4 14:44:58 2021 daemon.info syslog: 12[IKE] message parsing failed
Regards,
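To make the diagnosis in the reply above repeatable, here is an added example (not code from this thread, from Teltonika or from Meraki) that scans RUT950 syslog lines in strongSwan (charon) format and Meraki VPN event lines for the symptoms that separate a pre-shared-key mismatch from an algorithm mismatch or a peer that simply never answers. The three charon lines and the Meraki lines are the ones quoted in this thread; the NO_PROPOSAL_CHOSEN line is constructed for contrast.

```python
import re
from collections import Counter

# Added example: symptom-based triage of IKEv1 phase-1 failures from
# RUT950 (strongSwan/charon) and Meraki log lines.

# Symptom patterns -> tag. The first three are the charon messages quoted in the
# reply above; the others are well-known charon / Meraki negotiation messages.
SYMPTOMS = [
    (r"could not decrypt payloads", "decrypt_failed"),
    (r"invalid ID_V1 payload length", "bad_id_payload"),
    (r"message parsing failed", "parse_failed"),
    (r"NO_PROPOSAL_CHOSEN", "no_proposal"),
    (r"AUTHENTICATION_FAILED", "auth_failed"),
    (r"retransmit \d+ of request", "retransmit"),
    (r"phase1 negotiation failed due to time up", "phase1_timeout"),
    (r"ignore information because ISAKMP-SA has not been established", "no_isakmp_sa"),
]


def extract_symptoms(lines):
    """Count symptom tags over log lines from either peer."""
    found = Counter()
    for line in lines:
        for pattern, tag in SYMPTOMS:
            if re.search(pattern, line):
                found[tag] += 1
    return found


def diagnose(symptoms):
    """Map the symptom set to the most likely cause of a phase-1 failure.

    In IKEv1 main mode with pre-shared keys, SKEYID is derived from the PSK and
    messages 5/6 (the ID and HASH payloads) are the first encrypted ones. With
    different PSKs on the two peers the responder decrypts message 5 with the
    wrong key, gets garbage, and charon reports the ID_V1 length check failing;
    the initiator only ever sees retransmits and a timeout.
    """
    if "decrypt_failed" in symptoms or "bad_id_payload" in symptoms:
        return "psk_mismatch"
    if "no_proposal" in symptoms:
        return "proposal_mismatch"
    if "auth_failed" in symptoms:
        return "auth_failed"
    if "phase1_timeout" in symptoms or "retransmit" in symptoms:
        return "no_response"  # peer unreachable, UDP 500/4500 filtered, or NAT issue
    return "unknown"


# Lines quoted in this thread (RUT950 syslog and Meraki event log).
RUT950_LINES = [
    "Thu Feb  4 14:44:58 2021 daemon.info syslog: 12[ENC] invalid ID_V1 payload length, decryption failed?",
    "Thu Feb  4 14:44:58 2021 daemon.info syslog: 12[ENC] could not decrypt payloads",
    "Thu Feb  4 14:44:58 2021 daemon.info syslog: 12[IKE] message parsing failed",
]
MERAKI_LINES = [
    "Feb 4 11:03:21 Non-Meraki / Client VPN negotiation msg: initiate new phase 1 negotiation: 1.1.1.1[500]<=>2.2.2.2[500]",
    "Feb 4 11:03:22 Non-Meraki / Client VPN negotiation msg: ignore information because ISAKMP-SA has not been established yet.",
    "Feb 4 11:03:10 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed due to time up. e520bfac10bdd6f5:7e6dc7636d2daea4",
]
# Constructed line for contrast (not from the thread): an algorithm mismatch.
NO_PROPOSAL_LINE = [
    "Thu Feb  4 15:00:00 2021 daemon.info syslog: 05[IKE] received NO_PROPOSAL_CHOSEN notify error",
]

if __name__ == "__main__":
    print(diagnose(extract_symptoms(RUT950_LINES + MERAKI_LINES)))  # psk_mismatch
```

The ordering in diagnose() matters: the Meraki log on its own only shows timeouts, which is consistent with many causes, while the responder's "could not decrypt payloads" is specific enough to point at the key. That is why the reply asked for the RUT950 troubleshoot file rather than working from the Meraki side alone.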
by anonymous
Hello,

I will be consulting with HQ.

Have a good day.

Regards,

Ahmed
by anonymous
Thank you. It was actually the preshared key that was wrong; the one entered was from a session when I tried L2TP VPN.

After adjusting the key and also entering the Secret's ID selector the tunnel is now up!

So hopefully this forum thread will help someone else with a Meraki Teltonika setup.