Has anyone gotten Shrew Soft to work with the Meraki MX line of devices? Been making the transition from Cisco ASA devices to Meraki MX devices and the only thing I have an issue with is that Meraki wants to use the built-in L2TP/PPTP client.
According to https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Networking_Fundamentals%3A_IPSec_and_IKE it says 'Cisco Meraki uses IPSec for Site-to-site and Client VPN.' That sounds to me like I should be able to use an IPSEC client to connect to the Meraki. I found some settings from the Meraki to SonicWALL site-to-site VPN page https://documentation.meraki.com/MX-Z/Site-to-site_VPN/3rd_Party_Site-to-Site_VPN_setup_for_Sonicwall and was able to match up everything in Shrew.

Phase 1
  Exchange: Main Mode
  DH Group: Group 2
  Encryption: 3DES
  Authentication: SHA1
  Life Time (seconds): 28800

Phase 2
  Protocol: ESP
  Encryption: 3DES
  Authentication: SHA1
  Enable Perfect Forward Secrecy: False, the box should be unchecked
  Life Time (seconds): 28800

I can't connect though. Says there is a Phase 1 mismatch on the Meraki. Here is the dump from VPN trace:

15/08/18 20:15:24 ## : IKE Daemon, ver 2.2.2
15/08/18 20:15:24 ## : Copyright 2013 Shrew Soft Inc.
15/08/18 20:15:24 ## : This product linked OpenSSL 1.0.1c 10 May 2012
15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
15/08/18 20:15:24 ii : rebuilding vnet device list ...
15/08/18 20:15:24 ii : device ROOT\VNET\0000 disabled
15/08/18 20:15:24 ii : device ROOT\VNET\0001 disabled
15/08/18 20:15:24 ii : network process thread begin ...
15/08/18 20:15:24 ii : pfkey process thread begin ...
15/08/18 20:15:24 ii : ipc server process thread begin ...
15/08/18 20:15:29 ii : ipc client process thread begin ...
15/08/18 20:15:29 <A : peer config add message
15/08/18 20:15:29 <A : proposal config message
15/08/18 20:15:29 <A : proposal config message
15/08/18 20:15:29 <A : client config message
15/08/18 20:15:29 <A : xauth username message
15/08/18 20:15:29 <A : xauth password message
15/08/18 20:15:29 <A : preshared key message
15/08/18 20:15:29 <A : peer tunnel enable message
15/08/18 20:15:29 DB : peer ref increment ( ref count = 1, obj count = 0 )
15/08/18 20:15:29 DB : peer added ( obj count = 1 )
15/08/18 20:15:29 ii : local address 192.168.77.104 selected for peer
15/08/18 20:15:29 DB : peer ref increment ( ref count = 2, obj count = 1 )
15/08/18 20:15:29 DB : tunnel ref increment ( ref count = 1, obj count = 0 )
15/08/18 20:15:29 DB : tunnel added ( obj count = 1 )
15/08/18 20:15:29 DB : tunnel ref increment ( ref count = 2, obj count = 1 )
15/08/18 20:15:29 DB : new phase1 ( ISAKMP initiator )
15/08/18 20:15:29 DB : exchange type is identity protect
15/08/18 20:15:29 DB : 192.168.77.104:500 <-> X.X.X.X:500
15/08/18 20:15:29 DB : 7afab2db07f7861a:0000000000000000
15/08/18 20:15:29 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
15/08/18 20:15:29 DB : phase1 added ( obj count = 1 )
15/08/18 20:15:29 >> : security association payload
15/08/18 20:15:29 >> : - proposal #1 payload
15/08/18 20:15:29 >> : -- transform #1 payload
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports XAUTH
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( draft v00 )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( draft v01 )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( draft v02 )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( draft v03 )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( rfc )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports DPDv1
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local is SHREW SOFT compatible
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local is NETSCREEN compatible
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local is SIDEWINDER compatible
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local is CISCO UNITY compatible
15/08/18 20:15:29 >= : cookies 7afab2db07f7861a:0000000000000000
15/08/18 20:15:29 >= : message 00000000
15/08/18 20:15:29 -> : send IKE packet 192.168.77.104:500 -> X.X.X.X:500 ( 348 bytes )
15/08/18 20:15:29 DB : phase1 resend event scheduled ( ref count = 2 )
15/08/18 20:15:29 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
15/08/18 20:15:34 -> : resend 1 phase1 packet(s) [0/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:39 -> : resend 1 phase1 packet(s) [1/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:44 -> : resend 1 phase1 packet(s) [2/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:49 ii : resend limit exceeded for phase1 exchange
15/08/18 20:15:49 ii : phase1 removal before expire time
15/08/18 20:15:49 DB : phase1 deleted ( obj count = 0 )
15/08/18 20:15:49 DB : tunnel ref decrement ( ref count = 1, obj count = 1 )
15/08/18 20:15:49 DB : policy not found
15/08/18 20:15:49 DB : policy not found
15/08/18 20:15:49 DB : policy not found
15/08/18 20:15:49 DB : policy not found
15/08/18 20:15:49 DB : removing tunnel config references
15/08/18 20:15:49 DB : removing tunnel phase2 references
15/08/18 20:15:49 DB : removing tunnel phase1 references
15/08/18 20:15:49 DB : tunnel deleted ( obj count = 0 )
15/08/18 20:15:49 DB : peer ref decrement ( ref count = 1, obj count = 1 )
15/08/18 20:15:49 DB : removing all peer tunnel references
15/08/18 20:15:49 DB : peer deleted ( obj count = 0 )
15/08/18 20:15:49 ii : ipc client process thread exit ...

This is what the Meraki says:

Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
Aug 18 20:17:18 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
Aug 18 20:17:18 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Aug 18 20:17:18 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Aug 18 20:17:18 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.

Why not just use the Windows VPN client? I have more and more customers using the Meraki devices, I have 4 different machines I use, and I sync my ShrewSoft connection profiles between all those machines. Plus Shrew also scripts very well with RemoteDesktopManager. All those sync and I just click once to open VPN and then RDP to the server I need. It's very handy. I'd rather not have to remember to set up a new connection on each computer every time a new Meraki comes online.

-mv
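The two traces above are two halves of one failed Main Mode exchange: the initiator sends its single SA proposal four times and never sees a reply, while the responder logs that it refused the proposal. The following Python, added here and not part of the post or of either vendor's tooling, correlates the two sides from constructed excerpts of those logs; the "recv IKE packet" pattern for an inbound packet in Shrew's iked.log is an assumption, since no reply appears in the posted trace.

```python
import re
# Constructed excerpts of the two logs quoted in the post (peer address kept masked as X.X.X.X).
SHREW_LOG = """\
15/08/18 20:15:29 DB : exchange type is identity protect
15/08/18 20:15:29 >> : - proposal #1 payload
15/08/18 20:15:29 >> : -- transform #1 payload
15/08/18 20:15:29 -> : send IKE packet 192.168.77.104:500 -> X.X.X.X:500 ( 348 bytes )
15/08/18 20:15:34 -> : resend 1 phase1 packet(s) [0/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:39 -> : resend 1 phase1 packet(s) [1/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:44 -> : resend 1 phase1 packet(s) [2/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:49 ii : resend limit exceeded for phase1 exchange
"""
MERAKI_LOG = """\
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
"""
def summarize_shrew(log):
    # Tally the phase 1 exchange as the initiator (Shrew Soft iked.log) saw it.
    s = {"exchange": None, "proposals": 0, "transforms": 0, "sent": 0,
         "resends": 0, "received": 0, "gave_up": False}
    for line in log.splitlines():
        msg = line.split(" : ", 1)[-1]          # drop timestamp and message-class tag
        if msg.startswith("exchange type is "):
            s["exchange"] = msg[len("exchange type is "):]
        elif re.match(r"- proposal #\d+ payload", msg):
            s["proposals"] += 1
        elif re.match(r"-- transform #\d+ payload", msg):
            s["transforms"] += 1
        elif msg.startswith("send IKE packet"):
            s["sent"] += 1
        elif re.match(r"resend \d+ phase1 packet", msg):
            s["resends"] += 1
        elif msg.startswith("recv IKE packet"):   # assumed form of Shrew's inbound packet line
            s["received"] += 1
        elif msg.startswith("resend limit exceeded"):
            s["gave_up"] = True
    return s
def meraki_rejected_proposal(log):
    # The responder (MX event log) states explicitly whether it refused the offered transforms.
    return any("no suitable proposal found" in l for l in log.splitlines())
def diagnose(shrew, rejected):
    # Silence on the initiator plus a rejection on the responder: the packet arrived and the
    # transform set was refused, so the fix is the proposal, not reachability of UDP/500.
    if shrew["gave_up"] and shrew["received"] == 0 and rejected:
        return ("phase1 proposal mismatch: %s mode, %d proposal(s)/%d transform(s) offered in "
                "%d transmissions, all refused by peer" % (shrew["exchange"], shrew["proposals"],
                shrew["transforms"], shrew["sent"] + shrew["resends"]))
    return "no proposal rejection correlated: check UDP/500 reachability and the responder log"
print(diagnose(summarize_shrew(SHREW_LOG), meraki_rejected_proposal(MERAKI_LOG)))
```

Because Main Mode carries the transform attributes in the first message and the MX answers nothing it cannot match, the initiator only ever sees timeouts; the responder's event log is the side that names the real cause.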
_______________________________________________ vpn-help mailing list [email protected] https://lists.shrew.net/mailman/listinfo/vpn-help
