Cisco Meraki – Creating a VPN between a Cisco Meraki and Juniper Netscreen

Posted by on 18 Feb, 2015 in Cisco Meraki, Firewalls, Juniper, Security | 10 comments

Setup:

  • Cisco Meraki MX100 (connected with a static external IP)
  • Juniper Netscreen SSG5/NS5GT (connected with a static external IP)

I am in the process of replacing our Juniper kit with Cisco Meraki MX100s. As there are various sites that need replacing, each time I replace one site's Juniper firewall with a Meraki, the MX100 needs to connect to the Juniper kit at our other sites until those are replaced too.

The requirements for the Cisco Meraki to connect to a third party VPN Firewall are below and are taken from the Cisco Meraki Docs website (https://docs.meraki.com/display/MX/Connecting+to+a+third-party+VPN+device):

MX series support for third-party VPN interoperability requires the following:

    • Preshared keys (no certificates)
    • LAN static routes (no routing protocol for the VPN interface)
    • Phase 1 (IKE Policy): 3DES, SHA1, DH group 2, lifetime 8 hours
    • Phase 2 (IPsec Rule): Any of 3DES, DES, or AES; either MD5 or SHA1; PFS disabled; lifetime 8 hours

Cisco Meraki MX100 Setup

  • Log in to the Meraki dashboard and select the network you have created for the MX100 from the drop down at the top of the webpage.
  • Select Configure > site-to-site VPN.
  • Select the following options
    • Mode: Change to split tunnel or Full depending on your requirements.
    • Topology: Select connect directly to all VPN Peers.
    • NAT Traversal: I left this as automatic but you can change to your requirements.
    • Local Networks: Select the networks you want to have access to the VPN.
    • Organisation-Wide Settings: Select add a peer.
      • Name: A friendly name for the connection to the Juniper
      • Public IP: External IP for the Juniper Firewall.
      • Private Subnets: Enter the internal subnet behind the Juniper in the format 192.168.1.0/24.
      • IPsec Policies: Select the policies required for the Juniper. I left the default but there are pre-set settings for connecting to Microsoft Azure and Amazon’s AWS as well.
      • Preshared secret: Create a secret for connecting to the Juniper.
      • Availability: Select the networks that should have access to the VPNs.
      • Site-to-Site Firewall: You can create firewall rules here to only allow certain traffic through.

Juniper SSG5 Setup:

  • Create a Tunnel

  • Select Network > Interfaces > List
  • Select Tunnel IF from the top right hand corner drop down
  • Select New (top right corner)
    • Zone (VR): Select Untrust (trust-vr)
    • Unnumbered: Select interface as Untrust (trust-vr)

  • Create a Gateway

  • Select VPNs > AutoKey Advanced > Gateway
  • Select New (top right corner)
    • Gateway Name: Give the Gateway a friendly name
    • Version: Cisco Meraki only supports IKEv1
    • Remote Gateway: Select Static IP Address and enter the External IP address of the Meraki Firewall
    • Click Advanced
      • Preshared Key: Enter the preshared key you entered in the Meraki above.
      • Security Level: Select Custom and from the first drop down for Phase 1 Proposal select pre-g2-3des-sha. You can select additional proposals as long as they meet the Meraki requirements at the top of the page (Phase 1 (IKE Policy): 3DES, SHA1, DH group 2, lifetime 8 hours).
      • Mode (Initiator): Only Main (ID Protection) will work with Meraki
      • I left the rest as the default
    • Click Return
    • Click OK

  • Create an AutoKey IKE

  • Select VPNs > AutoKey IKE
  • Select New (top right corner)
    • VPN Name: Enter a name for the VPN
    • Remote Gateway: Select Predefined and select the Gateway created above.
    • Click Advanced
      • Security Level: Select Custom and select nopfs-esp-des-sha. You can select alternative options here, but they must meet the Meraki criteria above (Phase 2 (IPsec Rule): Any of 3DES, DES, or AES; either MD5 or SHA1; PFS disabled; lifetime 8 hours).
      • Bind to: Select Tunnel Interface and select the Tunnel created in Step 1 above.
      • Proxy-ID Check: Tick this box
      • VPN Monitor: Tick this box
      • Optimized: Tick this box
      • Rekey: Tick this box
      • Leave the rest as default.
      • Click Return
      • Click OK
    • Select Proxy ID. Enter the local and remote internal subnets (in the format XXX.XXX.XXX.XXX/24), select the service you wish to allow (select ANY to allow everything) and click New.

  • Create a Route

  • From the left menu select Network > Routing > Destination
  • Select trust-vr from the top right hand corner then click New
    • IP Address / Netmask: Enter the Network and Subnet for the internal network for the Meraki
    • Gateway: Select the interface as the tunnel number you created in Step 1 and select Permanent
    • Click OK

  • Create Policies

  • From the left menu select Policy > Policy Elements > Addresses > Lists
  • Select Trust from the top left hand menu.
  • You should already have entries here if the firewall is in use. If this is a new firewall setup select New from the top right hand corner.
    • Address Name: Give a name for the trusted policy
    • IP: Enter the local network and subnet for the trusted network which is the network behind the Juniper.
    • Zone: Make sure trust is selected
    • Click OK
  • Select Untrust from the top left hand menu. Click New
    • Address Name: Give a name for the untrusted policy
    • IP: Enter the Meraki local network and subnet, which is the network behind the Meraki.
    • Zone: Make sure untrust is selected
    • Click OK
  • From the Left menu select Policy > Policies
    • At the top, in the From drop down select Trust and in the To drop down select Untrust
    • Click New
      • Name (Optional): You can enter a name here or leave it blank
      • Source Address: In the Address Book Entry select the local address created above
      • Destination Address: In the Address Book Entry select the Meraki address created above
      • Service: select the service you wish to allow or select ANY to allow it all through
      • You can select any additional options as well here. I normally enable logging as well.
      • Click OK
      • Click OK

You should now be able to ping both ways and access both networks from either side. As you can see, setting up a Meraki is a lot easier than setting up a Juniper!
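As an added example (not part of the original post, and not a Meraki or Juniper tool), the Python helper below encodes the Meraki interoperability requirements listed at the top of the page and the Proxy-ID rule from the AutoKey IKE step, so a planned Juniper proposal and Proxy-ID pair can be checked before the tunnel is brought up. It also flags the mistake of entering tunnel interface addresses instead of LAN subnets as Proxy IDs, which is what produces the Phase 2 "proxy ID did not match" / "failed to get sainfo" errors discussed in the comments. Function names, parameter names and the subnets used are my own assumptions.

```python
import ipaddress

# Requirements as listed on this page: Phase 1 3DES/SHA1/DH2, Phase 2 DES|3DES|AES with MD5|SHA1, no PFS, 8h.
P1_REQ = {"enc": {"3des"}, "auth": {"sha"}, "dh": {2}}
P2_REQ = {"enc": {"des", "3des", "aes"}, "auth": {"md5", "sha"}}

def _alg(name):
    """Normalise ScreenOS/Meraki spellings: 'AES-CBC' -> 'aes', '3des-cbc' -> '3des', 'SHA-1'/'sha1' -> 'sha'."""
    name = name.lower()
    return name.replace("-", "").rstrip("1") if name.startswith("sha") else name.split("-")[0]

def check_phase1(enc, auth, dh_group, lifetime):
    """Problems with a Juniper Phase 1 proposal (pre-g2-3des-sha passes); [] means it meets the Meraki list."""
    problems = []
    if _alg(enc) not in P1_REQ["enc"]:
        problems.append(f"phase1 encryption {enc} is not 3DES")
    if _alg(auth) not in P1_REQ["auth"]:
        problems.append(f"phase1 hash {auth} is not SHA1")
    if dh_group not in P1_REQ["dh"]:
        problems.append(f"phase1 DH group {dh_group} is not group 2")
    if lifetime != 28800:  # 8 hours in seconds
        problems.append(f"phase1 lifetime {lifetime}s is not 8 hours")
    return problems

def check_phase2(enc, auth, pfs, lifetime):
    """Problems with a Juniper Phase 2 proposal (nopfs-esp-des-sha passes); [] means OK."""
    problems = []
    if _alg(enc) not in P2_REQ["enc"]:
        problems.append(f"phase2 encryption {enc} is not DES, 3DES or AES")
    if _alg(auth) not in P2_REQ["auth"]:
        problems.append(f"phase2 hash {auth} is not MD5 or SHA1")
    if pfs:
        problems.append("phase2 PFS must be disabled (choose a no-pfs proposal)")
    if lifetime != 28800:  # 8 hours in seconds
        problems.append(f"phase2 lifetime {lifetime}s is not 8 hours")
    return problems

def check_proxy_ids(juniper_local, juniper_remote, meraki_private_subnets, meraki_local_networks):
    """Juniper Proxy-ID local must equal the Meraki peer's 'Private Subnets' (LAN behind the Juniper) and remote must be one of the Meraki 'Local Networks'."""
    problems, nets = [], {}
    for label, cidr in (("local", juniper_local), ("remote", juniper_remote)):
        iface = ipaddress.ip_interface(cidr)
        if iface.ip != iface.network.network_address:  # host bits set: a tunnel address, not a LAN subnet
            problems.append(f"proxy-id {label} {cidr} has host bits set; enter the LAN subnet")
        nets[label] = iface.network
    if nets["local"] not in {ipaddress.ip_network(n) for n in meraki_private_subnets}:
        problems.append(f"proxy-id local {nets['local']} is not in Meraki Private Subnets {meraki_private_subnets}")
    if nets["remote"] not in {ipaddress.ip_network(n) for n in meraki_local_networks}:
        problems.append(f"proxy-id remote {nets['remote']} is not in Meraki Local Networks {meraki_local_networks}")
    return problems
```

An empty list from all three checks means the Juniper side mirrors what the Meraki peer entry offers; any returned string names the setting to correct on the Juniper.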

The way Cisco Merakis work is that you purchase the hardware appliance and then pay for a licence to use the firewall. Licences normally come in 1, 2, 3, 5 and 10 year terms. There are two types of licence available (below); both include 24x7 telephone support, and the hardware has a lifetime warranty.

Enterprise Licence Features:

  • Stateful firewall
  • Site to site VPN
  • Client VPN
  • Branch routing
  • Link bonding and failover
  • Application control
  • Web caching
  • WAN optimization

Advanced Security Licence Features (includes all the Enterprise Licence Features above):

  • Content filtering
  • Google SafeSearch
  • YouTube for Schools
  • Intrusion prevention (IPS)
  • Anti-Virus and Anti-Phishing
  • Geo-based IP rules

The advanced licence includes web filtering, so it costs about twice as much as the enterprise licence. If you have multiple sites and want to use the web filtering feature, you need to buy a licence for each site's firewall, unless you redirect the sites' internet traffic over the VPN to a central site with a fast internet connection, in which case you can get away with a single advanced licence. If you have teleworker sites using devices such as the Meraki Z1 and want to filter their web traffic, you will have to redirect the internet traffic over the VPN, as there is only a single licence type available for the teleworker devices and it does not include web filtering.

I have added a couple of links that may be useful in setting up the Meraki.

Meraki's documentation website, which I found very helpful:

https://docs.meraki.com

Meraki sizing guide, so you can see the differences between the types of firewalls:

https://meraki.cisco.com/lib/pdf/meraki_whitepaper_mx_sizing_guide.pdf

Comments

  1. Steps worked perfectly for me with one exception. I also had to configure the VPN > AutoKey > Proxy ID for the VPN. Without that step I received an error of:

    Rejected an IKE packet on ethernet0/0 from *.*.*.*:500 to *.*.*.*:500 with cookies 41737bf2bfed930e and 83dabc9264f63f47 because The peer sent a proxy ID that did not match the one in the SA config.

  2. Thank you for posting this. I have duplicated this configuration between a SSG-520 & MX400. I can see that the tunnel is active & up on both ends however I’m not able to pass traffic from either side. Any other suggestions or things to validate to troubleshoot?

    • Hi,

      Can you ping IPs on either side? If you can ping the IPs but not the host names then it will be a DNS issue. You can also try changing the security levels to what is in this guide, which is a basic setup, to make sure they work, and leave the IPsec policies on the Meraki as default. The last thing I can think of is to make sure you have enabled the following relevant settings on the Juniper:

      IKE – Cisco Meraki only supports IKEv1
      Mode (Initiator): Only Main (ID Protection) will work with Meraki
      Proxy- ID Check: Tick this box
      Rekey- Tick this box

      Are you getting any errors in the logs?

      Parm

  3. I had some issues getting it working at first. On the Juniper side, we are running firmware 6.3. I had to make a custom P2 proposal (VPN->P2 Proposal).

    click New.
    Name (Meraki)
    Perfect Forward Secrecy (NO-PFS)
    Encapsulation (ESP)
    Encryption Algorithm (AES-CBC (128 Bits))
    Authentication Algorithm (SHA-1)
    Lifetime (28800)
    Sec (ticked)
    In Kbytes (0)

    Then I selected it in the AutoKey IKE and it started working correctly. You can leave the Meraki defaults and it should work. I think the key here is the Lifetime seconds.

  4. So I am having issues getting this going…

    Juniper SSG550
    Meraki Z1

    Meraki side errors
    Non-Meraki / Client VPN negotiation msg: failed to get sainfo.
    Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1

    Juniper Error
    Phase 2: Initiated negotiations. <–never get past this.

    Meraki errors talk about:
    This can result from mismatched subnets in the IPsec tunnel definitions

    The Tunnel on juniper is 172.17.5.1/24
    The Tunnel on Meraki is 172.17.5.2/24

    Not sure where the error is coming from.

    • Hi Mark,

      Can you check to see if the proposals on phase 2 match on the Juniper and Meraki. It could be that there are multiple IPsec policies on the Meraki for phase 2 and only one on the Juniper. If that is OK try the proxy IDs.

      • With that I did make it more simple.
        Meraki
        Phase1 3des SHA1 Group2 28800
        Phase2 AES128 SHA1 PFS Off 28800

        Juniper
        Phase1 Method Preshare Group2 3des-cbc sha1 28800
        Phase2 no-pfs aes-cbc(128) Sha1 28800

        Juniper GW
        preshared key set
        Mode= Main
        Enable NAT “Checked”

        Juniper Autoike
        Proxy-ID Checked

        Meraki says, This can result from mismatched subnets.

        Is it the subnets on the “Private Subnets” on the VPN Peers or the “Main Subnet” for the local Networks

        • I too was completing P1, but getting stuck at P2 with the same “failed to get sainfo” error.

          Ticking Proxy-ID and setting the local/remote IP subnets on the Juniper side fixed it for me.

          note – I also set custom P2 proposals per Shawn Marchewka’s suggestion above. However, P2 was not completing until I enabled and defined the Proxy IDs.
