site 2 site with Meraki NAT'd behind ISP router??

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

site 2 site with Meraki NAT'd behind ISP router??

L4 Transporter

We have a remote site connected behind ISP router and Meraki receives 192.168.X.X IP from it, and all networks locally are connected further to Meraki. The main site has public IP directly on the firewall. Not sure how to make configuration work. 

7 REPLIES 7

L6 Presenter

For S2S VPN use NAT-T function. Put the main site into the passive mode, so Meraki site always initiates a connection. This way you don't have to worry about port forwarding for 4500, 500 and ESP on the ISP router.

@raji_toor

And you probably need to configure the internal IP of the meraki-device as remote identification on your firewall (or use a completely different ike identifier or the public IP on your meraki as local identifier)

I had enabled NAT-T but its not working. I get this error which point to the private WAN IP that Meraki has got.

"IKE phase-1 negotiation is failed. Peer\'s ID payload 192.168.20.101 (type ipaddr) does not match a configured IKE gateway"

Also enabling passive mode doesn't seem to work as i don't see any traffic from Meraki IP untill i disable it.

@raji_toor

Did you read my post? This is the solution for your problem...

@raji_toor

Did it work when you configure the private IP address as remote peed ID in the IKE gateway object on your paloalto?

Its configured as below with passive mode and NAT-T enabled.

192.168.20.101 is the IP on meraki external interface. which comnnects a 4G WIFI on its LAN. 4G WIFI itself gets a private IP from ISP and the at some point ISP NAT's the 4G private IP to a public IP

Capture2.JPG

 

Logs

====> Initiated SA: X.X.X.131[500]-Y.Y.Y.245[4511] cookie:c4e0d99306433667:bd243bf0d0ae78cc <====
2017-08-16 10:18:11 [INFO]: received Vendor ID: RFC 3947
2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2017-08-16 10:18:11 [INFO]: received Vendor ID: DPD
2017-08-16 10:18:11 [INFO]: Selected NAT-T version: RFC 3947
2017-08-16 10:18:11 [INFO]: Hashing X.X.X.131[500] with algo #2
2017-08-16 10:18:11 [INFO]: NAT-D payload #0 doesn't match
2017-08-16 10:18:11 [INFO]: Hashing Y.Y.Y.245[4511] with algo #2
2017-08-16 10:18:11 [INFO]: NAT-D payload #1 doesn't match
2017-08-16 10:18:11 [INFO]: NAT detected: ME PEER
2017-08-16 10:18:11 [INFO]: Hashing Y.Y.Y.245[4511] with algo #2
2017-08-16 10:18:11 [INFO]: Hashing X.X.X.131[500] with algo #2
2017-08-16 10:18:11 [INFO]: Adding remote and local NAT-D payloads.
2017-08-16 10:18:11 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====
====> Established SA: X.X.X.131[4500]-Y.Y.Y.245[16212] cookie:c4e0d99306433667:bd243bf0d0ae78cc lifetime 28800 Sec <====
2017-08-16 10:19:05 [INFO]: IKE IPSEC KEY_DELETE recvd: SPI:0x2A30BF32.

 

 

Clearly, you are not getting P2 established. What do you have in the proxy id section on both peers?

 

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_P...

  • 5847 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!