[vpn-help] Shrew Soft and Meraki Client VPN
Mark Valpreda
mark at insync-socal.com
Tue Aug 18 22:26:43 CDT 2015
Has anyone gotten Shrew Soft to work with the Meraki MX line of devices?
Been making the transition from Cisco ASA devices to Meraki MX devices and
the only thing I have an issue with is that Meraki wants to use the built-in
L2TP/PPTP client.
According to
https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Networking_Fundamentals%3A_IPSec_and_IKE
it says 'Cisco Meraki uses IPSec for Site-to-site and Client VPN.' That sounds to me like I should
be able to use an IPsec client to connect to the Meraki. I found some
settings on the Meraki to SonicWALL site-to-site VPN page
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/3rd_Party_Site-to-Site_VPN_setup_for_Sonicwall
and was able to match up everything in Shrew.
Phase 1
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time (seconds): 28800
Phase 2
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
Enable Perfect Forward Secrecy: False, the box should be unchecked
Life Time (seconds): 28800
I can't connect though. It says there is a Phase 1 mismatch on the Meraki. Here
is the dump from VPN Trace:
15/08/18 20:15:24 ## : IKE Daemon, ver 2.2.2
15/08/18 20:15:24 ## : Copyright 2013 Shrew Soft Inc.
15/08/18 20:15:24 ## : This product linked OpenSSL 1.0.1c 10 May 2012
15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
15/08/18 20:15:24 ii : rebuilding vnet device list ...
15/08/18 20:15:24 ii : device ROOT\VNET\0000 disabled
15/08/18 20:15:24 ii : device ROOT\VNET\0001 disabled
15/08/18 20:15:24 ii : network process thread begin ...
15/08/18 20:15:24 ii : pfkey process thread begin ...
15/08/18 20:15:24 ii : ipc server process thread begin ...
15/08/18 20:15:29 ii : ipc client process thread begin ...
15/08/18 20:15:29 <A : peer config add message
15/08/18 20:15:29 <A : proposal config message
15/08/18 20:15:29 <A : proposal config message
15/08/18 20:15:29 <A : client config message
15/08/18 20:15:29 <A : xauth username message
15/08/18 20:15:29 <A : xauth password message
15/08/18 20:15:29 <A : preshared key message
15/08/18 20:15:29 <A : peer tunnel enable message
15/08/18 20:15:29 DB : peer ref increment ( ref count = 1, obj count = 0 )
15/08/18 20:15:29 DB : peer added ( obj count = 1 )
15/08/18 20:15:29 ii : local address 192.168.77.104 selected for peer
15/08/18 20:15:29 DB : peer ref increment ( ref count = 2, obj count = 1 )
15/08/18 20:15:29 DB : tunnel ref increment ( ref count = 1, obj count = 0 )
15/08/18 20:15:29 DB : tunnel added ( obj count = 1 )
15/08/18 20:15:29 DB : tunnel ref increment ( ref count = 2, obj count = 1 )
15/08/18 20:15:29 DB : new phase1 ( ISAKMP initiator )
15/08/18 20:15:29 DB : exchange type is identity protect
15/08/18 20:15:29 DB : 192.168.77.104:500 <-> X.X.X.X:500
15/08/18 20:15:29 DB : 7afab2db07f7861a:0000000000000000
15/08/18 20:15:29 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
15/08/18 20:15:29 DB : phase1 added ( obj count = 1 )
15/08/18 20:15:29 >> : security association payload
15/08/18 20:15:29 >> : - proposal #1 payload
15/08/18 20:15:29 >> : -- transform #1 payload
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports XAUTH
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( draft v00 )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( draft v01 )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( draft v02 )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( draft v03 )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports nat-t ( rfc )
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local supports DPDv1
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local is SHREW SOFT compatible
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local is NETSCREEN compatible
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local is SIDEWINDER compatible
15/08/18 20:15:29 >> : vendor id payload
15/08/18 20:15:29 ii : local is CISCO UNITY compatible
15/08/18 20:15:29 >= : cookies 7afab2db07f7861a:0000000000000000
15/08/18 20:15:29 >= : message 00000000
15/08/18 20:15:29 -> : send IKE packet 192.168.77.104:500 -> X.X.X.X:500 ( 348 bytes )
15/08/18 20:15:29 DB : phase1 resend event scheduled ( ref count = 2 )
15/08/18 20:15:29 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
15/08/18 20:15:34 -> : resend 1 phase1 packet(s) [0/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:39 -> : resend 1 phase1 packet(s) [1/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:44 -> : resend 1 phase1 packet(s) [2/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:49 ii : resend limit exceeded for phase1 exchange
15/08/18 20:15:49 ii : phase1 removal before expire time
15/08/18 20:15:49 DB : phase1 deleted ( obj count = 0 )
15/08/18 20:15:49 DB : tunnel ref decrement ( ref count = 1, obj count = 1 )
15/08/18 20:15:49 DB : policy not found
15/08/18 20:15:49 DB : policy not found
15/08/18 20:15:49 DB : policy not found
15/08/18 20:15:49 DB : policy not found
15/08/18 20:15:49 DB : removing tunnel config references
15/08/18 20:15:49 DB : removing tunnel phase2 references
15/08/18 20:15:49 DB : removing tunnel phase1 references
15/08/18 20:15:49 DB : tunnel deleted ( obj count = 0 )
15/08/18 20:15:49 DB : peer ref decrement ( ref count = 1, obj count = 1 )
15/08/18 20:15:49 DB : removing all peer tunnel references
15/08/18 20:15:49 DB : peer deleted ( obj count = 0 )
15/08/18 20:15:49 ii : ipc client process thread exit ...
This is what the Meraki says:
Aug 18 20:17:23
Non-Meraki / Client VPN negotiation
msg: failed to pre-process ph1 packet (side: 1, status 1).
Aug 18 20:17:23
Non-Meraki / Client VPN negotiation
msg: failed to get valid proposal.
Aug 18 20:17:23
Non-Meraki / Client VPN negotiation
msg: no suitable proposal found.
Aug 18 20:17:18
Non-Meraki / Client VPN negotiation
msg: phase1 negotiation failed.
Aug 18 20:17:18
Non-Meraki / Client VPN negotiation
msg: failed to pre-process ph1 packet (side: 1, status 1).
Aug 18 20:17:18
Non-Meraki / Client VPN negotiation
msg: failed to get valid proposal.
Aug 18 20:17:18
Non-Meraki / Client VPN negotiation
msg: no suitable proposal found.
Why not just use the Windows VPN client? I have more and more customers
using the Meraki devices, I have 4 different machines I use, and I sync my
ShrewSoft connection profiles between all those machines. Plus Shrew also
scripts very well with RemoteDesktopManager. All those sync and I just click
once to open VPN and then RDP to the server I need. It's very handy. Rather
not have to remember to set up a new connection on each computer every time
a new Meraki comes online.
-mv
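A note on reading the two traces above, with an added example that is not code from the post, from Shrew Soft or from Meraki. The Meraki messages ("failed to get valid proposal", "no suitable proposal found", "failed to pre-process ph1 packet") are the wording of a racoon/ipsec-tools style responder, and they mean the first Main Mode packet did arrive but none of the offered ISAKMP transforms passed every attribute check. The client side sees only three resends and "resend limit exceeded", because it never gets a reply it can act on. Cipher, hash and DH group are not the only attributes compared: the authentication method is one too, and when a Shrew profile carries XAuth credentials (the "xauth username message" lines in the trace suggest it does) Shrew proposes XAUTHInitPreShared (65001) rather than plain pre-shared key (1). A responder whose policy is plain PSK rejects that with exactly the messages shown even though 3DES/SHA1/group 2 match on both ends. The script below models that responder-side selection and classifies the two log excerpts; the "Meraki" policy it uses is an assumption for illustration, not Meraki's published configuration, and the lifetime handling is a simplified copy of racoon's proposal_check modes. One further caveat if the Meraki end is an L2TP/IPsec server, as the reference to the built-in L2TP client suggests: a matching Phase 1 is only the start, since L2TP/IPsec then needs a transport-mode Phase 2 to UDP/1701 and an L2TP/PPP session on top, which a bare IPsec client does not supply.

```python
# Added example, not code from the post, Shrew Soft or Meraki: a minimal
# model of how an IKEv1 responder selects a Phase 1 transform, followed by a
# classifier for the two log excerpts in the thread. Attribute values are the
# IANA "IPSEC ISAKMP" registry numbers; 65001 (XAUTHInitPreShared) comes from
# draft-ietf-ipsec-isakmp-xauth. The responder policy below is an assumption
# used to illustrate the check, not Meraki's published configuration.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Encryption Algorithm (ISAKMP attribute 1)
ENC_3DES = 5
# Hash Algorithm (attribute 2)
HASH_SHA1 = 2
# Authentication Method (attribute 3)
AUTH_PSK = 1                 # plain pre-shared key
AUTH_XAUTH_INIT_PSK = 65001  # "Mutual PSK + XAuth" in Shrew Soft terms
# Group Description (attribute 4)
DH_GROUP2 = 2

NAMES = {
    "enc": {ENC_3DES: "3DES"},
    "hash": {HASH_SHA1: "SHA1"},
    "auth": {AUTH_PSK: "PSK", AUTH_XAUTH_INIT_PSK: "XAuth+PSK"},
    "group": {DH_GROUP2: "group2"},
}


@dataclass(frozen=True)
class Transform:
    enc: int
    hash: int
    auth: int
    group: int
    lifetime: int  # seconds; Life Type = seconds is assumed throughout


def label(attr: str, value: int) -> str:
    return NAMES.get(attr, {}).get(value, str(value))


def compare(offered: Transform, allowed: Transform, lifetime_check: str) -> List[str]:
    """List every attribute on which `offered` is unacceptable under `allowed`.
    An empty list means the responder can accept this transform.
    lifetime_check mirrors racoon's proposal_check (simplified): "obey" ignores
    lifetime, "strict" rejects an offer whose lifetime exceeds the policy's."""
    diffs = []
    for attr in ("enc", "hash", "auth", "group"):
        o, a = getattr(offered, attr), getattr(allowed, attr)
        if o != a:
            diffs.append(f"{attr}: offered {label(attr, o)}, policy {label(attr, a)}")
    if lifetime_check == "strict" and offered.lifetime > allowed.lifetime:
        diffs.append(f"lifetime: offered {offered.lifetime}s > policy {allowed.lifetime}s")
    return diffs


def match_phase1(offered: List[Transform], policy: List[Transform],
                 lifetime_check: str = "strict") -> Tuple[Optional[Transform], List[str]]:
    """Responder-side selection: the first offered transform that any policy
    entry accepts wins. Returns (transform, []) or (None, reasons)."""
    reasons = []
    for i, t in enumerate(offered, start=1):
        for j, p in enumerate(policy, start=1):
            diffs = compare(t, p, lifetime_check)
            if not diffs:
                return t, []
            reasons.append(f"transform #{i} vs policy #{j}: " + "; ".join(diffs))
    return None, reasons


def classify(client_log: str, responder_log: str) -> str:
    """Combine the initiator's and responder's logs into one verdict."""
    no_reply = "resend limit exceeded for phase1" in client_log
    rejected = "no suitable proposal found" in responder_log
    if no_reply and rejected:
        return "phase1-proposal-mismatch"  # packet arrived; no acceptable transform
    if no_reply:
        return "phase1-no-response"        # peer logged nothing: UDP/500 blocked or wrong address
    return "unknown"


# The profile from the post, with the auth method Shrew uses when XAuth credentials are set.
POST_PROFILE = Transform(ENC_3DES, HASH_SHA1, AUTH_XAUTH_INIT_PSK, DH_GROUP2, 28800)
# Assumed responder policies: same crypto, differing only in authentication method.
PLAIN_PSK_POLICY = Transform(ENC_3DES, HASH_SHA1, AUTH_PSK, DH_GROUP2, 28800)
XAUTH_POLICY = Transform(ENC_3DES, HASH_SHA1, AUTH_XAUTH_INIT_PSK, DH_GROUP2, 28800)

# Constructed log excerpts, reduced to the lines the classifier keys on.
CLIENT_LOG = "ii : resend limit exceeded for phase1 exchange\nii : phase1 removal before expire time\n"
RESPONDER_LOG = "msg: no suitable proposal found.\nmsg: failed to get valid proposal.\n"


if __name__ == "__main__":
    chosen, why = match_phase1([POST_PROFILE], [PLAIN_PSK_POLICY])
    print("verdict:", classify(CLIENT_LOG, RESPONDER_LOG))
    print("accepted:", chosen)
    for line in why:
        print(" ", line)
```

Run as-is it reports a Phase 1 proposal mismatch and names the authentication method as the only differing attribute; swapping PLAIN_PSK_POLICY for XAUTH_POLICY makes the same profile acceptable, which is the check worth doing before touching cipher or lifetime settings.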