site 2 site with Meraki NAT'd behind ISP router??

L4 Transporter

We have a remote site connected behind an ISP router, and the Meraki receives a 192.168.X.X IP from it; all local networks are connected behind the Meraki. The main site has a public IP directly on the firewall. Not sure how to make the configuration work.

L6 Presenter

For S2S VPN, use the NAT-T function. Put the main site into passive mode so the Meraki site always initiates the connection. This way you don't have to worry about port forwarding for 4500, 500 and ESP on the ISP router.

Cyber Elite

@raji_toor

And you probably need to configure the internal IP of the Meraki device as the remote identification on your firewall (or use a completely different IKE identifier, or the public IP on your Meraki as the local identifier).

L4 Transporter

I had enabled NAT-T but it's not working. I get this error, which points to the private WAN IP that the Meraki has got.

"IKE phase-1 negotiation is failed. Peer's ID payload 192.168.20.101 (type ipaddr) does not match a configured IKE gateway"

Also, enabling passive mode doesn't seem to work, as I don't see any traffic from the Meraki IP until I disable it.

Cyber Elite

@raji_toor

Did you read my post? This is the solution for your problem...

Cyber Elite

@raji_toor

Did it work when you configured the private IP address as the remote peer ID in the IKE gateway object on your Palo Alto?

L4 Transporter

It's configured as below, with passive mode and NAT-T enabled.

192.168.20.101 is the IP on the Meraki external interface, which connects to a 4G WiFi on its LAN. The 4G WiFi itself gets a private IP from the ISP, and at some point the ISP NATs the 4G private IP to a public IP.

Logs

====> Initiated SA: X.X.X.131[500]-Y.Y.Y.245[4511] cookie:c4e0d99306433667:bd243bf0d0ae78cc <====
2017-08-16 10:18:11 [INFO]: received Vendor ID: RFC 3947
2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2017-08-16 10:18:11 [INFO]: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2017-08-16 10:18:11 [INFO]: received Vendor ID: DPD
2017-08-16 10:18:11 [INFO]: Selected NAT-T version: RFC 3947
2017-08-16 10:18:11 [INFO]: Hashing X.X.X.131[500] with algo #2
2017-08-16 10:18:11 [INFO]: NAT-D payload #0 doesn't match
2017-08-16 10:18:11 [INFO]: Hashing Y.Y.Y.245[4511] with algo #2
2017-08-16 10:18:11 [INFO]: NAT-D payload #1 doesn't match
2017-08-16 10:18:11 [INFO]: NAT detected: ME PEER
2017-08-16 10:18:11 [INFO]: Hashing Y.Y.Y.245[4511] with algo #2
2017-08-16 10:18:11 [INFO]: Hashing X.X.X.131[500] with algo #2
2017-08-16 10:18:11 [INFO]: Adding remote and local NAT-D payloads.
2017-08-16 10:18:11 [PROTO_NOTIFY]: ====> PHASE-1 NEGOTIATION SUCCEEDED AS RESPONDER, MAIN MODE <====
====> Established SA: X.X.X.131[4500]-Y.Y.Y.245[16212] cookie:c4e0d99306433667:bd243bf0d0ae78cc lifetime 28800 Sec <====
2017-08-16 10:19:05 [INFO]: IKE IPSEC KEY_DELETE recvd: SPI:0x2A30BF32.


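As an added illustration (not from this thread or from either vendor's code) of what the "Hashing ... with algo #2" and "NAT-D payload #1 doesn't match" lines mean: RFC 3947 NAT-D payloads are HASH(CKY-I | CKY-R | IP | Port), so the payload the Meraki builds over its private WAN address 192.168.20.101:500 can never equal the one the firewall builds over the post-NAT source Y.Y.Y.245:4511 it actually receives from. The cookies are taken from the log above; 203.0.113.245 is a constructed placeholder standing in for Y.Y.Y.245, and hash attribute 2 is read as SHA-1 per the IKEv1 attribute table (RFC 2409).

```python
"""RFC 3947 NAT-D computation, worked against the cookies and addresses in the log.

NAT-D payload = HASH(CKY-I | CKY-R | IP | Port); IKEv1 hash attribute #2 is SHA-1.
"""
import hashlib
import ipaddress
import struct

# Cookies from the log line "cookie:c4e0d99306433667:bd243bf0d0ae78cc" (initiator:responder)
CKY_I = bytes.fromhex("c4e0d99306433667")
CKY_R = bytes.fromhex("bd243bf0d0ae78cc")

HASH_ALGOS = {1: "md5", 2: "sha1"}  # IKEv1 hash-algorithm attribute ids (RFC 2409)


def natd_hash(cky_i, cky_r, ip, port, algo=2):
    """Build a NAT-D payload over one address/port pair as RFC 3947 specifies."""
    h = hashlib.new(HASH_ALGOS[algo])
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)  # 4 octets for IPv4, 16 for IPv6
    h.update(struct.pack("!H", port))          # port in network byte order
    return h.digest()


def nat_detected(cky_i, cky_r, received_payload, observed_ip, observed_port, algo=2):
    """Responder-side check: hash the source address/port actually seen on the wire and
    compare it with the NAT-D payload the peer built from the address it believes it has.
    A mismatch means a NAT rewrote that address or port somewhere between the peers."""
    return natd_hash(cky_i, cky_r, observed_ip, observed_port, algo) != received_payload


# Constructed values: the Meraki's private WAN address (its ID payload in the thread) and a
# TEST-NET-3 placeholder for the ISP's public address Y.Y.Y.245 with the port the NAT mapped.
PEER_PRIVATE = ("192.168.20.101", 500)
PEER_OBSERVED = ("203.0.113.245", 4511)


def check_peer_natd():
    # NAT-D payload #1 as the Meraki sends it: a hash of its own (private) address and port.
    payload_1 = natd_hash(CKY_I, CKY_R, *PEER_PRIVATE)
    # The firewall hashes the post-NAT source it received the packet from; these differ.
    return nat_detected(CKY_I, CKY_R, payload_1, *PEER_OBSERVED)


if __name__ == "__main__":
    print("NAT-D payload #1 from peer:", natd_hash(CKY_I, CKY_R, *PEER_PRIVATE).hex())
    print("Peer behind NAT:", check_peer_natd())
```

The same comparison run over the firewall's own X.X.X.131:500 against NAT-D payload #0 is what produced the "ME" half of "NAT detected: ME PEER" in the log.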
L6 Presenter

Clearly, you are not getting P2 established. What do you have in the proxy ID section on both peers?

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_P...