Hi Mark,

From the Meraki logs, there is an error in the Phase 1 settings... We need to check whether the parameters (DH Group, Encryption, Authentication, Life Time) are similar on Shrew and Meraki.
Regards,

On Wed, Aug 19, 2015 at 5:26 AM, Mark Valpreda <[email protected]> wrote:
> Has anyone gotten Shrew Soft to work with the Meraki MX line of devices? Been making the transition from Cisco ASA devices to Meraki MX devices and the only thing I have an issue with is that Meraki wants to use the built-in L2TP/PPTP client.
>
> According to https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Networking_Fundamentals%3A_IPSec_and_IKE it says ‘*Cisco Meraki uses IPSec for Site-to-site and Client VPN.*’ That sounds to me like I should be able to use an IPSEC client to connect to the Meraki. I found some settings from the Meraki to SonicWALL site-to-site VPN page https://documentation.meraki.com/MX-Z/Site-to-site_VPN/3rd_Party_Site-to-Site_VPN_setup_for_Sonicwall and was able to match up everything in Shrew.
>
> Phase 1
> Exchange: Main Mode
> DH Group: Group 2
> Encryption: 3DES
> Authentication: SHA1
> Life Time (seconds): 28800
>
> Phase 2
> Protocol: ESP
> Encryption: 3DES
> Authentication: SHA1
> Enable Perfect Forward Secrecy: False, the box should be unchecked
> Life Time (seconds): 28800
>
> I can’t connect though. Says there is a Phase 1 mismatch on the Meraki. Here is the dump from VPN trace:
>
> 15/08/18 20:15:24 ## : IKE Daemon, ver 2.2.2
> 15/08/18 20:15:24 ## : Copyright 2013 Shrew Soft Inc.
> 15/08/18 20:15:24 ## : This product linked OpenSSL 1.0.1c 10 May 2012
> 15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
> 15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
> 15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
> 15/08/18 20:15:24 ii : rebuilding vnet device list ...
> 15/08/18 20:15:24 ii : device ROOT\VNET\0000 disabled
> 15/08/18 20:15:24 ii : device ROOT\VNET\0001 disabled
> 15/08/18 20:15:24 ii : network process thread begin ...
> 15/08/18 20:15:24 ii : pfkey process thread begin ...
> 15/08/18 20:15:24 ii : ipc server process thread begin ...
> 15/08/18 20:15:29 ii : ipc client process thread begin ...
> 15/08/18 20:15:29 <A : peer config add message
> 15/08/18 20:15:29 <A : proposal config message
> 15/08/18 20:15:29 <A : proposal config message
> 15/08/18 20:15:29 <A : client config message
> 15/08/18 20:15:29 <A : xauth username message
> 15/08/18 20:15:29 <A : xauth password message
> 15/08/18 20:15:29 <A : preshared key message
> 15/08/18 20:15:29 <A : peer tunnel enable message
> 15/08/18 20:15:29 DB : peer ref increment ( ref count = 1, obj count = 0 )
> 15/08/18 20:15:29 DB : peer added ( obj count = 1 )
> 15/08/18 20:15:29 ii : local address 192.168.77.104 selected for peer
> 15/08/18 20:15:29 DB : peer ref increment ( ref count = 2, obj count = 1 )
> 15/08/18 20:15:29 DB : tunnel ref increment ( ref count = 1, obj count = 0 )
> 15/08/18 20:15:29 DB : tunnel added ( obj count = 1 )
> 15/08/18 20:15:29 DB : tunnel ref increment ( ref count = 2, obj count = 1 )
> 15/08/18 20:15:29 DB : new phase1 ( ISAKMP initiator )
> 15/08/18 20:15:29 DB : exchange type is identity protect
> 15/08/18 20:15:29 DB : 192.168.77.104:500 <-> X.X.X.X:500
> 15/08/18 20:15:29 DB : 7afab2db07f7861a:0000000000000000
> 15/08/18 20:15:29 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
> 15/08/18 20:15:29 DB : phase1 added ( obj count = 1 )
> 15/08/18 20:15:29 >> : security association payload
> 15/08/18 20:15:29 >> : - proposal #1 payload
> 15/08/18 20:15:29 >> : -- transform #1 payload
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports XAUTH
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( draft v00 )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( draft v01 )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( draft v02 )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( draft v03 )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( rfc )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports DPDv1
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local is SHREW SOFT compatible
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local is NETSCREEN compatible
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local is SIDEWINDER compatible
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local is CISCO UNITY compatible
> 15/08/18 20:15:29 >= : cookies 7afab2db07f7861a:0000000000000000
> 15/08/18 20:15:29 >= : message 00000000
> 15/08/18 20:15:29 -> : send IKE packet 192.168.77.104:500 -> X.X.X.X:500 ( 348 bytes )
> 15/08/18 20:15:29 DB : phase1 resend event scheduled ( ref count = 2 )
> 15/08/18 20:15:29 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
> 15/08/18 20:15:34 -> : resend 1 phase1 packet(s) [0/2] 192.168.77.104:500 -> X.X.X.X:500
> 15/08/18 20:15:39 -> : resend 1 phase1 packet(s) [1/2] 192.168.77.104:500 -> X.X.X.X:500
> 15/08/18 20:15:44 -> : resend 1 phase1 packet(s) [2/2] 192.168.77.104:500 -> X.X.X.X:500
> 15/08/18 20:15:49 ii : resend limit exceeded for phase1 exchange
> 15/08/18 20:15:49 ii : phase1 removal before expire time
> 15/08/18 20:15:49 DB : phase1 deleted ( obj count = 0 )
> 15/08/18 20:15:49 DB : tunnel ref decrement ( ref count = 1, obj count = 1 )
> 15/08/18 20:15:49 DB : policy not found
> 15/08/18 20:15:49 DB : policy not found
> 15/08/18 20:15:49 DB : policy not found
> 15/08/18 20:15:49 DB : policy not found
> 15/08/18 20:15:49 DB : removing tunnel config references
> 15/08/18 20:15:49 DB : removing tunnel phase2 references
> 15/08/18 20:15:49 DB : removing tunnel phase1 references
> 15/08/18 20:15:49 DB : tunnel deleted ( obj count = 0 )
> 15/08/18 20:15:49 DB : peer ref decrement ( ref count = 1, obj count = 1 )
> 15/08/18 20:15:49 DB : removing all peer tunnel references
> 15/08/18 20:15:49 DB : peer deleted ( obj count = 0 )
> 15/08/18 20:15:49 ii : ipc client process thread exit ...
>
> This is what the Meraki says:
>
> Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
> Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
> Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
> Aug 18 20:17:18 Non-Meraki / Client VPN negotiation msg: phase1 negotiation failed.
> Aug 18 20:17:18 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
> Aug 18 20:17:18 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
> Aug 18 20:17:18 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
>
> Why not just use the Windows VPN client? I have more and more customers using the Meraki devices, I have 4 different machines I use, and I sync my ShrewSoft connection profiles between all those machines. Plus Shrew also scripts very well with RemoteDesktopManager. All those sync and I just click once to open VPN and then RDP to the server I need. It’s very handy. Rather not have to remember to set up a new connection on each computer every time a new Meraki comes online.
>
> -mv
>
> _______________________________________________
> vpn-help mailing list
> [email protected]
> https://lists.shrew.net/mailman/listinfo/vpn-help
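The reply suggests comparing the Phase 1 parameters on both ends; the two logs in the thread also show the characteristic pattern of a responder rejecting the proposal (Meraki: "no suitable proposal found") while the initiator sees no reply at all (Shrew: resend limit exceeded). The script below is an added example, not code from the thread or from Shrew Soft: it compares two Phase 1 parameter sets and classifies the failure from constructed log excerpts in the formats quoted above. The Meraki-side values and the `<- : recv IKE packet` receive-line format are assumptions.

```python
import re

# Phase 1 parameters exactly as posted for the Shrew Soft profile.
SHREW_PHASE1 = {"exchange": "main", "dh_group": 2, "encryption": "3des",
                "authentication": "sha1", "lifetime": 28800}

# Constructed Meraki side for illustration (not taken from the thread): the
# responder expects a different DH group, a common cause of a Phase 1 mismatch.
MERAKI_PHASE1 = {"exchange": "main", "dh_group": 5, "encryption": "3des",
                 "authentication": "sha1", "lifetime": 28800}

def phase1_mismatches(local, remote):
    """Return {param: (local, remote)} for each Phase 1 parameter that differs.
    IKEv1 main mode only succeeds if the responder finds a transform whose DH
    group, cipher and hash all match; lifetime is compared too because the
    responder's policy may reject an unequal lifetime instead of shortening it."""
    return {k: (local.get(k), remote.get(k))
            for k in sorted(local.keys() | remote.keys())
            if local.get(k) != remote.get(k)}

# Constructed excerpts in the formats of the two logs quoted in the thread.
SHREW_LOG = """\
15/08/18 20:15:29 -> : send IKE packet 192.168.77.104:500 -> X.X.X.X:500 ( 348 bytes )
15/08/18 20:15:34 -> : resend 1 phase1 packet(s) [0/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:39 -> : resend 1 phase1 packet(s) [1/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:44 -> : resend 1 phase1 packet(s) [2/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:49 ii : resend limit exceeded for phase1 exchange
"""
MERAKI_LOG = """\
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
"""

def diagnose(shrew_log, meraki_log):
    """Classify a failed Phase 1 from both ends' logs -> (verdict, packets_sent).
    proposal_rejected: responder logged a proposal rejection while the initiator
      saw no reply, so compare the Phase 1 parameters first.
    no_reply: initiator hit its resend limit and the responder logged nothing,
      which points at reachability (UDP 500/4500 filtering, NAT), not the proposal."""
    sent = len(re.findall(r"send IKE packet|resend \d+ phase1 packet", shrew_log))
    gave_up = "resend limit exceeded for phase1 exchange" in shrew_log
    rejected = "no suitable proposal found" in meraki_log
    # Assumed format of Shrew's receive line ("<- : recv IKE packet"); none here.
    received = "<- : recv IKE packet" in shrew_log
    if rejected and not received:
        return "proposal_rejected", sent
    if gave_up and not received:
        return "no_reply", sent
    return "other", sent
```

Run against the constructed excerpts, `diagnose` returns `("proposal_rejected", 4)` and `phase1_mismatches` points at the DH group, which is where to look first in the Meraki dashboard.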
