447 Views, 0 Helpful, 11 Replies
Tazio4436
Beginner

Cisco 800 series VPN with Meraki on the other end

I have been trying to make the Cisco 800 VPN work for a couple of days but could not.
I have configured it several different ways but it still did not work.
On the Meraki side I am trying to make a Site-to-Site VPN for Non-Meraki VPN peers.
On the Cisco 800 side, FE4 is connected to the user's modem and the interface FE4 comes up with an IP address in the same subnet as the modem.
I have tried several ways but could not make it work.
I don't know what to do now.
Is there a template that I can follow to configure the Cisco 800 for a user to work from home?
Please see a brief topology attached.
Any help will be much appreciated. Thanks in advance.
Thanks
Tazio


11 REPLIES
marce1000
VIP Advisor

> I have tried several ways but could not make it work

Please elaborate on that, and/or check logs on both devices when trying (what's in the logs? what errors are seen? etc.)

You may also find this article helpful:

https://community.meraki.com/t5/Security-SD-WAN/Does-Meraki-MX84-support-Site-to-site-VPN-Tunnel-with-non-meraki/td-p/62855

For the 800, check this documentation:

https://www.cisco.com/c/en/us/td/docs/routers/access/800/software/configuration/guide/SCG800Guide/SCG800_Guide_BookMap_chapter_01111.html

M.

Hi,

Thank you very much for your quick reply.

I have already gone through both documents before sending the first email. I was a little confused by the Cisco 800 documentation, as on the remote end I have to configure Easy VPN. But in my situation I have a Meraki, so how do I configure Easy VPN?

Also I can get logs or debug on the Cisco 800 but not on Meraki.

I will capture the logs and debug and send them later.

Thanks

Tazio

Tazio

We do not have much information to work with to understand what the issue is. Logs from the devices might be helpful. On the 800, debug output for ISAKMP negotiation might be helpful, and if that negotiation is successful then debug output for IPsec negotiation might be helpful. Also a copy of the running config of the 800 would be a good place to start.

HTH

Rick

Hi,

Please see attached show run, sh log and debug output.

I am not sure, but it seems that my configuration itself is wrong.

Thanks

Tazio

Tazio

Yes, the debug does indicate that there are problems with your configuration. There is an error message that there is no key configured for the peer. I do see a key configured for one peer but not for Meraki. There are some inconsistencies in the configuration. The tunnel is configured for doing DMVPN and references a DMVPN profile, but I do not see any profile like that in the config.

There are multiple approaches to VPN that are supported on the Cisco router. It might use simple IPsec VPN, or GRE tunnel with IPsec, or VTI tunnel with IPsec, or DMVPN. I am not clear what Meraki supports that matches one of the implementations of the Cisco router. I did find this documentation from Meraki about VPN to a Cisco router which uses simple IPsec VPN. I suggest that you use it as a guide.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Cisco_2811_router_for_Site-to-site_VPN_with_MX_Series_Appliance_using_the_Command_Line_Interface

If you would like to do something different I suggest that we start by getting information about what Meraki is expecting for the vpn.

HTH

Rick

Hi Rick,

Thank you very much.

I followed the link but it did not work.

What I am trying to achieve is this: we have several Cisco 800 series routers and we want to give them to our remote users so that they can plug in the Cisco phone and their laptop and be connected to the corporate network, with the phone up and working.

We are already using Meraki Z3 devices and it is working fine because the VPN is Meraki to Meraki. Now we want to use Cisco 800 to Meraki.

Meraki has a certain specific type of VPN and specific settings which I have tried to capture in the document attached.

The only difference in configuration that I did on the Cisco 800 is that I did not put any IP address on int f4, which faces the modem from the ISP. I have just added ip address dhcp.

Thanks again for your support

Tazio

Tazio

I am sorry that the link did not work for you. When I click the link I get a web page. You do not get a web page when you click the link? But we can go ahead with the discussion without that link. Thank you for the clarification about what you want to achieve. I do not have much experience with Meraki so will not have much to offer about that part. But I do have good experience with VPN on Cisco routers. In my experience, if you want a PC and a phone to connect to a remote network it sounds a bit more like remote access VPN than site to site VPN. But if you have determined that what you want is a site to site VPN then I will help you to set that up.

You have some of the parameters that we need for the VPN configuration and will need to find some more to be able to set up the configuration. In particular we will need the subnets/networks that will be connected to the Cisco, the subnets/networks that they will need to communicate with on Meraki, the IP address of the Cisco outside interface, the IP address of the outside interface on Meraki, and a shared key.

I found this link which has a pretty good description of setting up a simple site to site VPN. I think we can use it as an example as you configure your VPN. Take a look at it and see if you have questions.

https://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html?dtid=osscdc000283

HTH

Rick

Hello Rick,

Thank you very much for your effort to help me.

I was able to read the document you sent me both times and I did follow the steps, but the VPN did not come up.

Maybe I am using the incorrect term about VPN, but correct me. Maybe I need a different VPN type; you have mentioned a couple of them.

Basically I will need to ship the Cisco 800 to remote users with a Cisco IP phone. Once the user receives it, he will need to plug the Cisco 800 port FE4 into his modem.

Two other ports, F0 and F1, are PoE so he can plug his phone into either of them.

He can plug his laptop or computer into port F2 or F3 and he will be connected to the corporate network. No manual VPN will be needed.

I have tried to do a basic topology and I have also attached the sh run as per the latest Cisco document you've sent to me.

Thanks again.

Regards

Tazio

Help from anyone please.

Thanks

Tazio

Tazio

One of the first things to settle is whether this VPN will be site to site or Remote Access. Based on your description, and especially the comment about no manual VPN, I am assuming that you would be using site to site VPN. I know this would work for the computer. We do not know how the IP phone will be set up and whether having an IP address in a different subnet from corporate will be an issue or not.

Looking at the config that you posted I have these comments:

- you specify service config. Is there a reason for that? If there is not a specific reason for that I suggest that you remove it.

- the output that you posted from Meraki shows it using 3des and SHA1 but the router is using des and md5.

- your router interfaces are in vlan 1. But vlan 1 has no IP address. If you want your devices to have IP addresses in 192.168.5.0 then you need the vlan 1 interface to have an IP address in that network.

- it is not clear whether you plan for the devices on the router interfaces to be manually configured with an IP address or to learn their IP address dynamically. I am guessing that you would want the addresses learned dynamically. In that case you need to configure a DHCP scope on the router with appropriate parameters.

- there is not any configuration for routing logic. I am assuming that you will be using static routes rather than some dynamic routing protocol. Is that correct?

- you need a default route which probably should specify the remote peer address as the next hop.

- you need a route for the remote peer address which should specify the ISP modem as the next hop.

HTH

Rick
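As an added example (not part of the thread, and not either poster's configuration), the skeleton below puts Rick's parameter list (local and remote subnets, the two outside addresses, a shared key) and his review points (3DES/SHA1 to match the Meraki output, an address on Vlan1 in 192.168.5.0, a DHCP scope, the two static routes) into one Cisco IOS crypto-map configuration for the 800. The Meraki public address 203.0.113.10, the corporate subnet 10.0.0.0/24 behind the MX, the modem address 192.168.0.1 and the pre-shared key are constructed placeholders; the ISAKMP values other than 3DES/SHA1 (DH group 2, lifetimes) are assumptions that must be checked against what the Meraki dashboard shows for the non-Meraki peer.

```cisco
! --- Phase 1 (ISAKMP). 3DES/SHA1 per the Meraki output quoted above;
! --- group and lifetime are assumptions: match them to the MX settings.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 28800
! Pre-shared key for the Meraki peer (placeholder key and peer address).
crypto isakmp key REPLACE_WITH_SHARED_KEY address 203.0.113.10
!
! --- Phase 2 (IPsec). esp-3des/esp-sha-hmac, not esp-des/esp-md5-hmac.
crypto ipsec transform-set MERAKI-TS esp-3des esp-sha-hmac
 mode tunnel
!
! --- "Interesting traffic": local LAN 192.168.5.0/24 to the corporate
! --- subnet behind the MX (10.0.0.0/24 is a constructed placeholder).
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.5.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map MERAKI-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set MERAKI-TS
 match address VPN-TRAFFIC
!
! --- Outside interface: address from the ISP modem by DHCP, as in the
! --- thread, with the crypto map applied here.
interface FastEthernet4
 ip address dhcp
 crypto map MERAKI-MAP
!
! --- Inside: FE0-FE3 are switch ports in VLAN 1 by default on the 800,
! --- so Vlan1 carries the LAN address for the phone and the laptop.
interface Vlan1
 ip address 192.168.5.1 255.255.255.0
!
! --- DHCP scope for the LAN; mask matches the Vlan1 interface, and the
! --- default-router is the Vlan1 address.
ip dhcp excluded-address 192.168.5.1 192.168.5.10
ip dhcp pool INTERNAL
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 8.8.8.8
!
! --- Routing as Rick describes it: host route for the peer via the
! --- ISP modem, default route via the peer address.
ip route 203.0.113.10 255.255.255.255 192.168.0.1
ip route 0.0.0.0 0.0.0.0 203.0.113.10
```

After sending traffic from a host on Vlan1 toward the corporate subnet, show crypto isakmp sa should list the peer in QM_IDLE and show crypto ipsec sa should show encapsulated and decapsulated packet counters increasing. Two things the thread does not cover and this skeleton deliberately leaves out: internet breakout for the remote user (no NAT is configured, so anything not matching VPN-TRAFFIC is forwarded to the modem unencrypted with a private source address), and how the Meraki side identifies a peer whose outside address is assigned by the modem rather than fixed.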

Hello Rick,

I tried what I could decipher from your message but was stuck in several places; that is why it took me so long to reply.

(1) whether this VPN will be site to site or Remote Access

In fact this VPN is remote access, but since I have already been fighting to make it work for some time, I don't mind if it works as site to site, and later I will try to figure out remote access.

(2) service config

I removed it.

(3) the output that you posted from Meraki shows it using 3DES and SHA1 but the router is using DES and MD5.

I changed it as follows... Is this what you meant to change?

!
crypto ipsec transform-set myset esp-des esp-sha-hmac
!

(4) your router interfaces are in vlan 1. But vlan 1 has no IP address. If you want your devices to have IP addresses in 192.168.5.0 then you need the vlan 1 interface to have an IP address in that network

I put ip dhcp on int f4 and it got the IP address 192.168.0.23.

Now interface vlan 1 cannot be in the same range, as I am getting the following error message:

Router(config)#int vlan 1
Router(config-if)#ip add
Router(config-if)#ip address 192.168.0.100 255.255.255.0
% 192.168.0.0 overlaps with FastEthernet4

I created a DHCP scope as follows:

ip dhcp excluded-address 172.16.240.1 172.16.240.10
!
ip dhcp pool INTERAL
 network 172.16.240.0 255.255.255.0
 default-router 172.16.240.1
 dns-server 8.8.8.8 4.2.2.1

and then configured int vlan 1 as follows:

interface Vlan1
 ip address 172.16.240.2 255.255.248.0

(5) it is not clear whether you plan for the devices on the router interfaces to be manually configured with an IP address or to learn their IP address dynamically. I am guessing that you would want the addresses learned dynamically. In that case you need to configure a DHCP scope on the router with appropriate parameters.

Created the DHCP scope as above.

(6) there is not any configuration for routing logic. I am assuming that you will be using static routes rather than some dynamic routing protocol. Is that correct?

Yes, I would prefer dynamic route.

(7) you need a default route which probably should specify the remote peer address as the next hop.

ip route 0.0.0.0 0.0.0.0 (Meraki public ip address)

(8) you need a route for the remote peer address which should specify the ISP modem as the next hop.

I am not sure how to configure this one.

Thanks for your support and help.

Regards

Tazio