07-31-2017 08:44 PM
We have a remote site connected behind ISP router and Meraki receives 192.168.X.X IP from it, and all networks locally are connected further to Meraki. The main site has public IP directly on the firewall. Not sure how to make configuration work.
07-31-2017 11:46 PM - edited 07-31-2017 11:51 PM
For S2S VPN use NAT-T function. Put the main site into the passive mode, so Meraki site always initiates a connection. This way you don't have to worry about port forwarding for 4500, 500 and ESP on the ISP router.
08-01-2017 12:25 AM
And you probably need to configure the internal IP of the meraki-device as remote identification on your firewall (or use a completely different ike identifier or the public IP on your meraki as local identifier)
08-03-2017 02:38 PM
I had enabled NAT-T but it's not working. I get this error, which points to the private WAN IP that Meraki has got.
"IKE phase-1 negotiation is failed. Peer's ID payload 192.168.20.101 (type ipaddr) does not match a configured IKE gateway"
Also enabling passive mode doesn't seem to work, as I don't see any traffic from the Meraki IP until I disable it.
08-03-2017 02:45 PM
Did you read my post? This is the solution for your problem...
08-08-2017 02:27 PM
Did it work when you configured the private IP address as the remote peer ID in the IKE gateway object on your Palo Alto?
08-16-2017 10:50 AM
It's configured as below with passive mode and NAT-T enabled.
192.168.20.101 is the IP on the Meraki external interface, which connects to a 4G WiFi on its LAN. The 4G WiFi itself gets a private IP from the ISP, and then at some point the ISP NATs the 4G private IP to a public IP.
Logs
====> Initiated SA: X.X.X.131[500]-Y.Y.Y.245[4511] cookie:c4e0d99306433667:bd243bf0d0ae78cc <====
2017-08-16 10:18:11 [INFO]: received Vendor ID: RFC 3947
2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2017-08-16 10:18:11 [INFO]: received Vendor ID: DPD
2017-08-16 10:18:11 [INFO]: Selected NAT-T version: RFC 3947
2017-08-16 10:18:11 [INFO]: Hashing X.X.X.131[500] with algo #2
2017-08-16 10:18:11 [INFO]: NAT-D payload #0 doesn't match
2017-08-16 10:18:11 [INFO]: Hashing Y.Y.Y.245[4511] with algo #2
2017-08-16 10:18:11 [INFO]: NAT-D payload #1 doesn't match
2017-08-16 10:18:11 [INFO]: NAT detected: ME PEER
2017-08-16 10:18:11 [INFO]: Hashing Y.Y.Y.245[4511] with algo #2
2017-08-16 10:18:11 [INFO]: Hashing X.X.X.131[500] with algo #2
2017-08-16 10:18:11 [INFO]: Adding remote and local NAT-D payloads.
2017-08-16 10:18:11 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====
====> Established SA: X.X.X.131[4500]-Y.Y.Y.245[16212] cookie:c4e0d99306433667:bd243bf0d0ae78cc lifetime 28800 Sec <====
2017-08-16 10:19:05 [INFO]: IKE IPSEC KEY_DELETE recvd: SPI:0x2A30BF32.
08-16-2017 03:23 PM
Clearly, you are not getting P2 established. What do you have in the proxy id section on both peers?
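The two symptoms in this thread (the phase-1 peer-ID mismatch, and later a phase 1 that succeeds behind NAT-T but never reaches phase 2) can be read off the IKE log mechanically. The script below is an added example, not code from the thread or from Palo Alto Networks or Meraki: it parses lines in the format quoted above and returns finding codes with a short explanation. The sample lines are constructed from the thread's excerpt with placeholder addresses, the wording of a PHASE-2 success line is assumed by analogy with the PHASE-1 line (the thread's log never reaches it), and the finding codes and explanations are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Patterns follow the IKE log wording quoted in the thread. RE_P2_OK is an
# assumption modelled on the PHASE-1 line; the thread's log never reaches it.
RE_SA = re.compile(r"(Initiated|Established) SA: ([^\s\[]+)\[(\d+)\]-([^\s\[]+)\[(\d+)\]")
RE_NATT_VER = re.compile(r"Selected NAT-T version: (.+?)\s*$")
RE_NAT_DET = re.compile(r"NAT detected: (.+?)\s*$")
RE_P1_OK = re.compile(r"PHASE-1 NEGOTIATION SUCCEEDED")
RE_P2_OK = re.compile(r"PHASE-2 NEGOTIATION SUCCEEDED")
RE_KEY_DEL = re.compile(r"KEY_DELETE recvd")
RE_ID_MISMATCH = re.compile(
    r"Peer's ID payload (\S+) \(type (\w+)\) does not match a configured IKE gateway")

# Constructed sample excerpts (placeholder addresses, shaped like the thread's log).
SAMPLE_LOG = """\
====> Initiated SA: X.X.X.131[500]-Y.Y.Y.245[4511] cookie:c4e0d99306433667:bd243bf0d0ae78cc <====
2017-08-16 10:18:11 [INFO]: received Vendor ID: RFC 3947
2017-08-16 10:18:11 [INFO]: Selected NAT-T version: RFC 3947
2017-08-16 10:18:11 [INFO]: NAT-D payload #0 doesn't match
2017-08-16 10:18:11 [INFO]: NAT-D payload #1 doesn't match
2017-08-16 10:18:11 [INFO]: NAT detected: ME PEER
2017-08-16 10:18:11 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====
====> Established SA: X.X.X.131[4500]-Y.Y.Y.245[16212] cookie:c4e0d99306433667:bd243bf0d0ae78cc lifetime 28800 Sec <====
2017-08-16 10:19:05 [INFO]: IKE IPSEC KEY_DELETE recvd: SPI:0x2A30BF32.
"""
SAMPLE_ID_MISMATCH = (
    "IKE phase-1 negotiation is failed. Peer's ID payload 192.168.20.101 "
    "(type ipaddr) does not match a configured IKE gateway\n")


@dataclass
class IkeSummary:
    initiated: Optional[Tuple[str, int, str, int]] = None    # local ip, port, peer ip, port
    established: Optional[Tuple[str, int, str, int]] = None  # same, after the NAT-T float
    natt_version: Optional[str] = None
    nat_sides: Set[str] = field(default_factory=set)         # e.g. {"ME", "PEER"}
    phase1_ok: bool = False
    phase2_ok: bool = False
    key_delete: bool = False
    peer_id_mismatch: Optional[Tuple[str, str]] = None       # (id value, id type)


def parse_ike_log(text: str) -> IkeSummary:
    """Fold the log lines into one summary of the negotiation."""
    s = IkeSummary()
    for line in text.splitlines():
        if m := RE_SA.search(line):
            tup = (m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
            if m.group(1) == "Initiated":
                s.initiated = tup
            else:
                s.established = tup
        elif m := RE_NATT_VER.search(line):
            s.natt_version = m.group(1)
        elif m := RE_NAT_DET.search(line):
            s.nat_sides = set(m.group(1).split())
        elif RE_P1_OK.search(line):
            s.phase1_ok = True
        elif RE_P2_OK.search(line):
            s.phase2_ok = True
        elif RE_KEY_DEL.search(line):
            s.key_delete = True
        elif m := RE_ID_MISMATCH.search(line):
            s.peer_id_mismatch = (m.group(1), m.group(2))
    return s


# Finding codes and explanations are my own, not vendor terminology.
FINDINGS = {
    "peer_id_mismatch": "Phase 1 rejected: the peer's IKE identity is not the one "
                        "configured on the gateway. A peer behind NAT usually sends "
                        "its private WAN address; set that as the Peer ID, or have "
                        "the peer send a different identifier.",
    "nat_t_in_use": "NAT detected and the SA floated from UDP 500 to UDP 4500 "
                    "(RFC 3947), so NAT-T is working.",
    "phase2_not_established": "Phase 1 succeeded but no Phase 2 SA was negotiated; "
                              "compare the proxy IDs on both peers.",
    "ipsec_key_delete_received": "The peer sent an IPsec KEY_DELETE for an SPI.",
}


def diagnose(s: IkeSummary) -> List[str]:
    """Return finding codes (keys of FINDINGS) for the parsed summary."""
    codes = []
    if s.peer_id_mismatch:
        codes.append("peer_id_mismatch")
    if s.phase1_ok and s.nat_sides and s.established and s.established[1] == 4500:
        codes.append("nat_t_in_use")
    if s.phase1_ok and not s.phase2_ok:
        codes.append("phase2_not_established")
    if s.key_delete:
        codes.append("ipsec_key_delete_received")
    return codes


if __name__ == "__main__":
    for sample in (SAMPLE_ID_MISMATCH, SAMPLE_LOG):
        for code in diagnose(parse_ike_log(sample)):
            print(f"{code}: {FINDINGS[code]}")
```

Run against the second sample it reports NAT-T in use, phase 2 never established and a KEY_DELETE received, which is the state the last reply points at; against the first it reports the peer-ID mismatch from the earlier post. Feed it a real log with `parse_ike_log(open(path).read())`.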