cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MG21 and MX64W - Site to Site Non Meraki and User VPN

SOLVED
Go to solution
PatrikStar
Here to help
‎07-16-2021 02:32 AM
‎07-16-2021 02:32 AM

MG21 and MX64W - Site to Site Non Meraki and User VPN

Hi!
 
I have an MX64W connected to MG21 via Internet Port on MX64W.
 
In the Org we have multiple MX64 and other MX-models.
But just this one MG21.
All sites (MX) are connected through VPN to an 3rd party FW in firewall for the edge gateway VmWare.
 
This works fine.
 
But our MG21 with MX64W dont want to connect.
I understand that its because the double NAT and I am pretty sure that our edge gateway dont support this.
So I thought that we could connect the MX64W with its MG21 to our Hub and then route it to our Edge Gateway.
But that doesn't work because the route already exist in the global Non Meraki VPN.
So now I am stuck.
 
I was also trying to activate so I could connect with User VPN to our new MX64W and it's MG21, but that doesn't work either.
I was trying to do port forward on the MG21 UDP 500 and UDP 1500 to our MX64W, put no luck there either.
 
Could anyone pls give me some pointers in both this cases?
1. MX64W with MG21 - Site to site VPN to Non Meraki edge gateway VmWare.
2. User VPN to MX64W with MG21.
0 Kudos
Subscribe
1 ACCEPTED SOLUTION
In response to Tariqmahmood
PatrikStar
Here to help
‎08-17-2023 02:05 PM
‎08-17-2023 02:05 PM

Yes, I got help from Meraki Support.
On the non meraki you had to add.
Peer ID must be the IP-address that the MX is getting from the MG.
For example: 172.31.128.4
Peer Endpoint must be the public IP-address that the MG gets.
 
And then you must add a portforwad on your MG to your MX.
Port 500 UDP
Port 4500 UDP

View solution in original post

Subscribe
6 REPLIES 6
ww
Kind of a big deal
Kind of a big deal
‎07-16-2021 05:48 AM
‎07-16-2021 05:48 AM

Note sure what you route is.

But if you have for example 10.10.10.0/24

You could add on the hub 10.10.10.0/25 and 10.10.10.128/25. Then the spoke prefers the more specific routes

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
‎07-16-2021 03:01 PM
‎07-16-2021 03:01 PM

Many service providers have an APN with no NAT for firewalling.  See if your cellular provider offers this, and if so, change the MG21 to use that (will get rid of one layer of NAT).

 

The second option, this "edge gateway VMWare"; could you put an MX there as a VPN concentrator hub, and use Meraki's native AutoVPN functionality to provide the connectivity?  This would provide the most robust solution.  In this mode you put the hub behind an existing firewall.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide 

 

0 Kudos
Subscribe
In response to PhilipDAth
PatrikStar
Here to help
‎07-20-2021 01:25 AM
‎07-20-2021 01:25 AM

Hi!
 
I have a bunch of sites and one Hub-site.
 
Hub-site is 10.10.10.0/24
 
Then I have following Spoke-sites
Site 2: 10.10.111.0/24
Site 3: 10.10.112.0/24
Site 4: 10.10.113.0/24
And so on.... 
 
All sites are connected to our cloud-servers through a Non Meraki Site-to-Site VPN.
 
Cloud-servers are at 10.10.9.0/24
All Spoke-sites are connected to the Hub-site and can access the network there.
 
Our MG21-solution is on 10.10.124.0/24
This site can access the Hub-site but cannot establish a Non Meraki VPN to our Cloud.
 
I set Default route to Hub-site and then tried to add a route from Hub-site to 10.10.9.0/24 but it generated an error saying that 10.10.9.0/24 route is already in use by the Non Meraki VPN.
 
I guess I should have done my homework before ordering this product.
 
Maybe with a new SIM-card to remove the double NAT would solve it.
Or your solution with an VPN concentrator hub, even though that seems like overkill just to get one small site up and running.
Im not sure our Cloud would approve that.
 
Pretty stuck now.
0 Kudos
Subscribe
In response to PatrikStar
Tariqmahmood
Getting noticed
‎08-17-2023 09:40 AM
‎08-17-2023 09:40 AM

@PatrikStar were you able to solve above, connecting MG to non meraki peer in cloud? Can you share your experience

0 Kudos
Subscribe
In response to Tariqmahmood
PatrikStar
Here to help
‎08-17-2023 02:05 PM
‎08-17-2023 02:05 PM

Yes, I got help from Meraki Support.
On the non meraki you had to add.
Peer ID must be the IP-address that the MX is getting from the MG.
For example: 172.31.128.4
Peer Endpoint must be the public IP-address that the MG gets.
 
And then you must add a portforwad on your MG to your MX.
Port 500 UDP
Port 4500 UDP
Subscribe
In response to PatrikStar
Tariqmahmood
Getting noticed
‎08-18-2023 01:58 AM
‎08-18-2023 01:58 AM

can you please confirm, I am bit confuse about peer ID and peer endpoint at non meraki side.

here is the script i have used, The tunnel is up but it doesn't pass any traffic, after your reply i have added port forwarding rule at MG side, still not tested due to downtime not approved yet.

 

over here do i need to give 172.31.128.4?

 

crypto map CMAP1 40 ipsec-isakmp
set peer (public-IP of celleuar gateway)
set security-association lifetime seconds 28800
set transform-set VPN
set pfs group14
set isakmp-profile 4G-link-backup
match address Interesting_Traffic
reverse-route static

 

crypto isakmp profile 4G-link-backup
keyring tunnel-keyring-4G

match identity address (public-IP of celleuar gateway) 255.255.255.255
local-address 10.243.0.4

 

mode tunnel
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac

 

crypto keyring tunnel-keyring-4G
pre-shared-key address (public-IP of celleuar gateway) key xyz......

 

MG side: Is this ok?

Tariqmahmood_0-1692349026874.png

 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2023 Meraki