[vpn-help] Shrew Soft and Meraki Client VPN

Alexis La Goutte alexis.lagoutte at gmail.com
Wed Aug 19 02:42:41 CDT 2015


Hi Mark,

From Meraki logs, there is an error on Phase 1 settings...
We need to check if the parameters (DH Group, Encryption, Authentication,
Life Time) are similar on Shrew and Meraki.

Regards,

On Wed, Aug 19, 2015 at 5:26 AM, Mark Valpreda <mark at insync-socal.com>
wrote:

> Has anyone gotten Shrew Soft to work with the Meraki MX line of devices?
> Been making the transition from Cisco ASA devices to Meraki MX devices and
> the only thing I have an issue with is that Meraki wants to use the
> built-in L2TP/PPTP client.
>
> According to
> https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Networking_Fundamentals%3A_IPSec_and_IKE
> it says ‘Cisco Meraki uses IPSec for Site-to-site and Client VPN.’ That
> sounds to me like I should be able to use an IPSEC client to connect
> to the Meraki. I found some settings from the Meraki to SonicWALL
> site-to-site VPN page
> https://documentation.meraki.com/MX-Z/Site-to-site_VPN/3rd_Party_Site-to-Site_VPN_setup_for_Sonicwall
> and was able to match up everything in Shrew.
>
> Phase 1
> Exchange: Main Mode
> DH Group: Group 2
> Encryption: 3DES
> Authentication: SHA1
> Life Time (seconds): 28800
>
> Phase 2
> Protocol: ESP
> Encryption: 3DES
> Authentication: SHA1
> Enable Perfect Forward Secrecy: False, the box should be unchecked
> Life Time (seconds): 28800
>
> I can’t connect though. Says there is a Phase 1 mismatch on the Meraki.
> Here is the dump from VPN trace
>
> 15/08/18 20:15:24 ## : IKE Daemon, ver 2.2.2
> 15/08/18 20:15:24 ## : Copyright 2013 Shrew Soft Inc.
> 15/08/18 20:15:24 ## : This product linked OpenSSL 1.0.1c 10 May 2012
> 15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client\debug\iked.log'
> 15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-decrypt.cap'
> 15/08/18 20:15:24 ii : opened 'C:\Program Files\ShrewSoft\VPN Client/debug/dump-ike-encrypt.cap'
> 15/08/18 20:15:24 ii : rebuilding vnet device list ...
> 15/08/18 20:15:24 ii : device ROOT\VNET\0000 disabled
> 15/08/18 20:15:24 ii : device ROOT\VNET\0001 disabled
> 15/08/18 20:15:24 ii : network process thread begin ...
> 15/08/18 20:15:24 ii : pfkey process thread begin ...
> 15/08/18 20:15:24 ii : ipc server process thread begin ...
> 15/08/18 20:15:29 ii : ipc client process thread begin ...
> 15/08/18 20:15:29 <A : peer config add message
> 15/08/18 20:15:29 <A : proposal config message
> 15/08/18 20:15:29 <A : proposal config message
> 15/08/18 20:15:29 <A : client config message
> 15/08/18 20:15:29 <A : xauth username message
> 15/08/18 20:15:29 <A : xauth password message
> 15/08/18 20:15:29 <A : preshared key message
> 15/08/18 20:15:29 <A : peer tunnel enable message
> 15/08/18 20:15:29 DB : peer ref increment ( ref count = 1, obj count = 0 )
> 15/08/18 20:15:29 DB : peer added ( obj count = 1 )
> 15/08/18 20:15:29 ii : local address 192.168.77.104 selected for peer
> 15/08/18 20:15:29 DB : peer ref increment ( ref count = 2, obj count = 1 )
> 15/08/18 20:15:29 DB : tunnel ref increment ( ref count = 1, obj count = 0 )
> 15/08/18 20:15:29 DB : tunnel added ( obj count = 1 )
> 15/08/18 20:15:29 DB : tunnel ref increment ( ref count = 2, obj count = 1 )
> 15/08/18 20:15:29 DB : new phase1 ( ISAKMP initiator )
> 15/08/18 20:15:29 DB : exchange type is identity protect
> 15/08/18 20:15:29 DB : 192.168.77.104:500 <-> X.X.X.X:500
> 15/08/18 20:15:29 DB : 7afab2db07f7861a:0000000000000000
> 15/08/18 20:15:29 DB : phase1 ref increment ( ref count = 1, obj count = 0 )
> 15/08/18 20:15:29 DB : phase1 added ( obj count = 1 )
> 15/08/18 20:15:29 >> : security association payload
> 15/08/18 20:15:29 >> : - proposal #1 payload
> 15/08/18 20:15:29 >> : -- transform #1 payload
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports XAUTH
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( draft v00 )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( draft v01 )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( draft v02 )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( draft v03 )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports nat-t ( rfc )
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local supports DPDv1
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local is SHREW SOFT compatible
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local is NETSCREEN compatible
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local is SIDEWINDER compatible
> 15/08/18 20:15:29 >> : vendor id payload
> 15/08/18 20:15:29 ii : local is CISCO UNITY compatible
> 15/08/18 20:15:29 >= : cookies 7afab2db07f7861a:0000000000000000
> 15/08/18 20:15:29 >= : message 00000000
> 15/08/18 20:15:29 -> : send IKE packet 192.168.77.104:500 -> X.X.X.X:500 ( 348 bytes )
> 15/08/18 20:15:29 DB : phase1 resend event scheduled ( ref count = 2 )
> 15/08/18 20:15:29 DB : phase1 ref decrement ( ref count = 1, obj count = 1 )
> 15/08/18 20:15:34 -> : resend 1 phase1 packet(s) [0/2] 192.168.77.104:500 -> X.X.X.X:500
> 15/08/18 20:15:39 -> : resend 1 phase1 packet(s) [1/2] 192.168.77.104:500 -> X.X.X.X:500
> 15/08/18 20:15:44 -> : resend 1 phase1 packet(s) [2/2] 192.168.77.104:500 -> X.X.X.X:500
> 15/08/18 20:15:49 ii : resend limit exceeded for phase1 exchange
> 15/08/18 20:15:49 ii : phase1 removal before expire time
> 15/08/18 20:15:49 DB : phase1 deleted ( obj count = 0 )
> 15/08/18 20:15:49 DB : tunnel ref decrement ( ref count = 1, obj count = 1 )
> 15/08/18 20:15:49 DB : policy not found
> 15/08/18 20:15:49 DB : policy not found
> 15/08/18 20:15:49 DB : policy not found
> 15/08/18 20:15:49 DB : policy not found
> 15/08/18 20:15:49 DB : removing tunnel config references
> 15/08/18 20:15:49 DB : removing tunnel phase2 references
> 15/08/18 20:15:49 DB : removing tunnel phase1 references
> 15/08/18 20:15:49 DB : tunnel deleted ( obj count = 0 )
> 15/08/18 20:15:49 DB : peer ref decrement ( ref count = 1, obj count = 1 )
> 15/08/18 20:15:49 DB : removing all peer tunnel references
> 15/08/18 20:15:49 DB : peer deleted ( obj count = 0 )
> 15/08/18 20:15:49 ii : ipc client process thread exit ...
>
> This is what the Meraki says:
>
> Aug 18 20:17:23
> Non-Meraki / Client VPN negotiation
> msg: failed to pre-process ph1 packet (side: 1, status 1).
>
> Aug 18 20:17:23
> Non-Meraki / Client VPN negotiation
> msg: failed to get valid proposal.
>
> Aug 18 20:17:23
> Non-Meraki / Client VPN negotiation
> msg: no suitable proposal found.
>
> Aug 18 20:17:18
> Non-Meraki / Client VPN negotiation
> msg: phase1 negotiation failed.
>
> Aug 18 20:17:18
> Non-Meraki / Client VPN negotiation
> msg: failed to pre-process ph1 packet (side: 1, status 1).
>
> Aug 18 20:17:18
> Non-Meraki / Client VPN negotiation
> msg: failed to get valid proposal.
>
> Aug 18 20:17:18
> Non-Meraki / Client VPN negotiation
> msg: no suitable proposal found.
>
> Why not just use the Windows VPN client? I have more and more customers
> using the Meraki devices, I have 4 different machines I use, and I sync my
> ShrewSoft connection profiles between all those machines. Plus Shrew also
> scripts very well with RemoteDesktopManager. All those sync and I just
> click once to open VPN and then RDP to the server I need. It’s very handy.
> Rather not have to remember to set up a new connection on each computer
> every time a new Meraki comes online.
>
>
>
> -mv
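The two logs quoted above tell the same story from opposite ends: Shrew sends its first main-mode message, retransmits it three times without ever logging a reply, and gives up, while the Meraki records that it rejected every transform in that message ("no suitable proposal found"). The script below is an added example, not code from the thread, from Shrew Soft or from Meraki. It parses trimmed, constructed copies of both logs, combines them into a single verdict, and then applies the check Alexis suggests by diffing the four Phase 1 parameters. The gateway-side values in `GATEWAY_PHASE1` are hypothetical (the thread never shows the Meraki's configured policy), and the `recv IKE packet` wording for inbound packets is assumed, since no inbound packet appears in the quoted trace.

```python
"""Correlate a Shrew Soft iked trace with Meraki event-log lines to classify a
failed IKEv1 Phase 1 (main mode) attempt, then diff the Phase 1 parameters the
two ends are configured with."""
import re

# Constructed sample: the Phase 1 portion of the Shrew Soft trace quoted in the thread.
SHREW_TRACE = """\
15/08/18 20:15:29 DB : new phase1 ( ISAKMP initiator )
15/08/18 20:15:29 DB : exchange type is identity protect
15/08/18 20:15:29 DB : 192.168.77.104:500 <-> X.X.X.X:500
15/08/18 20:15:29 >> : security association payload
15/08/18 20:15:29 >> : - proposal #1 payload
15/08/18 20:15:29 >> : -- transform #1 payload
15/08/18 20:15:29 -> : send IKE packet 192.168.77.104:500 -> X.X.X.X:500 ( 348 bytes )
15/08/18 20:15:34 -> : resend 1 phase1 packet(s) [0/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:39 -> : resend 1 phase1 packet(s) [1/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:44 -> : resend 1 phase1 packet(s) [2/2] 192.168.77.104:500 -> X.X.X.X:500
15/08/18 20:15:49 ii : resend limit exceeded for phase1 exchange
"""

# Constructed sample: the Meraki entries quoted in the thread, flattened to one entry per line.
MERAKI_LOG = """\
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to pre-process ph1 packet (side: 1, status 1).
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: failed to get valid proposal.
Aug 18 20:17:23 Non-Meraki / Client VPN negotiation msg: no suitable proposal found.
"""

# Phase 1 values configured in Shrew, as listed in the post.
SHREW_PHASE1 = {"dh_group": 2, "encryption": "3des", "hash": "sha1", "lifetime": 28800}
# HYPOTHETICAL gateway policy, used only to exercise the diff; the thread does
# not show what the Meraki side is actually configured with.
GATEWAY_PHASE1 = {"dh_group": 2, "encryption": "aes128", "hash": "sha1", "lifetime": 28800}

RESEND_RE = re.compile(r"resend \d+ phase1 packet\(s\) \[\d+/\d+\]")

VERDICT_HINTS = {
    "phase1-proposal-mismatch": "gateway saw the SA but accepted no transform; align DH group, encryption, hash and auth method",
    "no-response": "gateway logged nothing; check peer address, UDP/500 reachability and NAT",
    "phase1-failed-after-reply": "gateway answered; proposal is fine, look at pre-shared key / identity / XAuth",
    "undetermined": "not enough evidence in either log",
}


def parse_shrew(trace: str) -> dict:
    """Summarise the client side of the Phase 1 exchange from an iked trace."""
    summary = {"exchange": None, "sent": 0, "received": 0, "resends": 0, "gave_up": False}
    for line in trace.splitlines():
        if "exchange type is" in line:
            summary["exchange"] = line.split("exchange type is", 1)[1].strip()
        elif "send IKE packet" in line:
            summary["sent"] += 1
        elif "recv IKE packet" in line:  # assumed iked wording for inbound packets
            summary["received"] += 1
        elif RESEND_RE.search(line):
            summary["resends"] += 1
        elif "resend limit exceeded for phase1" in line:
            summary["gave_up"] = True
    return summary


def parse_meraki(log: str) -> list:
    """Extract the 'msg:' text from each Meraki VPN negotiation entry."""
    return [m.group(1).strip() for m in re.finditer(r"msg:\s*(.+)$", log, re.M)]


def classify(client: dict, gateway_msgs: list) -> str:
    """Combine the client and gateway views into one verdict key (see VERDICT_HINTS)."""
    gateway_text = " ".join(gateway_msgs)
    if client["received"] == 0 and "no suitable proposal found" in gateway_text:
        # The responder rejected the whole SA payload and sent nothing the
        # client could log, so the initiator only sees retransmits and a timeout.
        return "phase1-proposal-mismatch"
    if client["received"] == 0 and not gateway_msgs:
        return "no-response"
    if client["received"] > 0 and client["gave_up"]:
        return "phase1-failed-after-reply"
    return "undetermined"


def phase1_mismatches(client: dict, gateway: dict) -> dict:
    """Return {parameter: (client value, gateway value)} for every Phase 1 parameter that differs."""
    return {k: (client[k], gateway.get(k)) for k in client if client[k] != gateway.get(k)}


if __name__ == "__main__":
    client_side = parse_shrew(SHREW_TRACE)
    gateway_side = parse_meraki(MERAKI_LOG)
    verdict = classify(client_side, gateway_side)
    print("client:", client_side)
    print("gateway:", gateway_side)
    print("verdict:", verdict, "->", VERDICT_HINTS[verdict])
    print("config differences:", phase1_mismatches(SHREW_PHASE1, GATEWAY_PHASE1))
```

Run as-is it reports `phase1-proposal-mismatch` and, against the hypothetical gateway policy, flags only `encryption` as differing. Feeding it a real export of both logs and the gateway's actual Phase 1 policy turns Alexis's four-parameter comparison into a repeatable check rather than a by-eye one.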