topic Re: site 2 site with Meraki NAT'd behind ISP router?? in General Topics

site 2 site with Meraki NAT'd behind ISP router??

raji_toor — Tue, 01 Aug 2017 03:44:08 GMT

We have a remote site connected behind ISP router and Meraki receives 192.168.X.X IP from it, and all networks locally are connected further to Meraki. The main site has public IP directly on the firewall. Not sure how to make configuration work.

Re: site 2 site with Meraki NAT'd behind ISP router??

TranceforLife — Tue, 01 Aug 2017 06:51:19 GMT

For S2S VPN use NAT-T function. Put the main site into the passive mode, so Meraki site always initiates a connection. This way you don't have to worry about port forwarding for 4500, 500 and ESP on the ISP router.

Re: site 2 site with Meraki NAT'd behind ISP router??

Remo — Tue, 01 Aug 2017 07:25:05 GMT

@raji_toor

And you probably need to configure the internal IP of the meraki-device as remote identification on your firewall (or use a completely different ike identifier or the public IP on your meraki as local identifier)

Re: site 2 site with Meraki NAT'd behind ISP router??

raji_toor — Thu, 03 Aug 2017 21:38:54 GMT

I had enabled NAT-T but its not working. I get this error which point to the private WAN IP that Meraki has got.

"IKE phase-1 negotiation is failed. Peer\'s ID payload 192.168.20.101 (type ipaddr) does not match a configured IKE gateway"

Also enabling passive mode doesn't seem to work as i don't see any traffic from Meraki IP untill i disable it.

Re: site 2 site with Meraki NAT'd behind ISP router??

Remo — Thu, 03 Aug 2017 21:45:01 GMT

@raji_toor

Did you read my post? This is the solution for your problem...

Re: site 2 site with Meraki NAT'd behind ISP router??

Remo — Tue, 08 Aug 2017 21:27:28 GMT

@raji_toor

Did it work when you configure the private IP address as remote peed ID in the IKE gateway object on your paloalto?

Re: site 2 site with Meraki NAT'd behind ISP router??

raji_toor — Wed, 16 Aug 2017 17:50:34 GMT

Its configured as below with passive mode and NAT-T enabled.

192.168.20.101 is the IP on meraki external interface. which comnnects a 4G WIFI on its LAN. 4G WIFI itself gets a private IP from ISP and the at some point ISP NAT's the 4G private IP to a public IP

Logs

====> Initiated SA: X.X.X.131[500]-Y.Y.Y.245[4511] cookie:c4e0d99306433667:bd243bf0d0ae78cc <====
2017-08-16 10:18:11 [INFO]: received Vendor ID: RFC 3947
2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2017-08-16 10:18:11 [INFO]: received Vendor ID: DPD
2017-08-16 10:18:11 [INFO]: Selected NAT-T version: RFC 3947
2017-08-16 10:18:11 [INFO]: Hashing X.X.X.131[500] with algo #2
2017-08-16 10:18:11 [INFO]: NAT-D payload #0 doesn't match
2017-08-16 10:18:11 [INFO]: Hashing Y.Y.Y.245[4511] with algo #2
2017-08-16 10:18:11 [INFO]: NAT-D payload #1 doesn't match
2017-08-16 10:18:11 [INFO]: NAT detected: ME PEER
2017-08-16 10:18:11 [INFO]: Hashing Y.Y.Y.245[4511] with algo #2
2017-08-16 10:18:11 [INFO]: Hashing X.X.X.131[500] with algo #2
2017-08-16 10:18:11 [INFO]: Adding remote and local NAT-D payloads.
2017-08-16 10:18:11 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====
====> Established SA: X.X.X.131[4500]-Y.Y.Y.245[16212] cookie:c4e0d99306433667:bd243bf0d0ae78cc lifetime 28800 Sec <====
2017-08-16 10:19:05 [INFO]: IKE IPSEC KEY_DELETE recvd: SPI:0x2A30BF32.

Re: site 2 site with Meraki NAT'd behind ISP router??

TranceforLife — Wed, 16 Aug 2017 22:23:51 GMT

Clearly, you are not getting P2 established. What do you have in the proxy id section on both peers?

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Peers