Not sure what your route is.
But if you have, for example, 10.10.10.0/24,
you could add on the hub 10.10.10.0/25 and 10.10.10.128/25. Then the spoke prefers the more specific routes.
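To show why the two /25 routes win, here is a small longest-prefix-match model (an added example, not from anyone in this thread). The routing table and addresses are constructed; the helper that splits a prefix into its two more-specific halves is the general form of the /24 → two /25 trick described above.

```python
"""Longest-prefix match: the most specific route containing the destination wins."""
import ipaddress


def best_route(table, dst):
    """Return (prefix, next_hop) of the longest prefix in table that contains dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else (str(best[0]), best[1])


def split_prefix(prefix):
    """Split a prefix into its two immediate more-specific halves (e.g. /24 -> two /25)."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]


# Constructed spoke routing table: a /24 learned one way, and the two /25 halves
# advertised by the hub. The /25s are more specific, so they are preferred.
SPOKE_TABLE = [
    ("10.10.10.0/24", "local-path"),
    ("0.0.0.0/0", "wan-default"),
] + [(half, "hub-vpn") for half in split_prefix("10.10.10.0/24")]


def next_hop_for(dst, table=SPOKE_TABLE):
    """Next hop the spoke would use for dst, or None if nothing matches."""
    route = best_route(table, dst)
    return None if route is None else route[1]


if __name__ == "__main__":
    for ip in ("10.10.10.50", "10.10.10.200", "192.0.2.9"):
        print(ip, "->", best_route(SPOKE_TABLE, ip))
```

Without the two /25 entries the same lookup falls back to the /24, which is exactly the behaviour the hub-side split is meant to override.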
Many service providers have an APN with no NAT for firewalling. See if your cellular provider offers this, and if so, change the MG21 to use that (this will get rid of one layer of NAT).
The second option, this "edge gateway VMWare": could you put an MX there as a VPN concentrator hub, and use Meraki's native AutoVPN functionality to provide the connectivity? This would provide the most robust solution. In this mode you put the hub behind an existing firewall.
Can you please confirm? I am a bit confused about the peer ID and peer endpoint on the non-Meraki side.
Here is the script I have used. The tunnel is up but it doesn't pass any traffic. After your reply I have added a port forwarding rule on the MG side, still not tested because downtime is not approved yet.
Over here, do I need to give 172.31.128.4?
! pre-shared key for the remote peer
crypto keyring tunnel-keyring-4G
 pre-shared-key address (public-IP of cellular gateway) key xyz......
!
! IKE phase 1 profile: accept only this peer's identity and bind the keyring above
crypto isakmp profile 4G-link-backup
 keyring tunnel-keyring-4G
 match identity address (public-IP of cellular gateway) 255.255.255.255
!
! IKE phase 2 proposal
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
!
! crypto map entry tying peer, proposal, profile and interesting traffic together
! (the Interesting_Traffic access-list and the interface "crypto map CMAP1" binding are not shown)
crypto map CMAP1 40 ipsec-isakmp
 set peer (public-IP of cellular gateway)
 set security-association lifetime seconds 28800
 set transform-set VPN
 set pfs group14
 set isakmp-profile 4G-link-backup
 match address Interesting_Traffic
MG side: Is this ok?
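A crypto map like the one above only works when every name and peer address lines up across the keyring, the ISAKMP profile, the transform-set and the ACL. The following checker is an added example (not the original poster's script and not a Cisco tool): it parses an IOS-style crypto config and reports dangling references. The config it checks is a constructed copy of the posted one with the peer placeholder replaced by the documentation address 203.0.113.10.

```python
"""Cross-reference checker for IOS-style crypto map / ISAKMP profile / keyring configs."""

# Constructed config modelled on the posted snippet; 203.0.113.10 stands in for the peer IP.
SAMPLE_CONFIG = """\
crypto keyring tunnel-keyring-4G
 pre-shared-key address 203.0.113.10 key xyz
crypto isakmp profile 4G-link-backup
 match identity address 203.0.113.10 255.255.255.255
crypto ipsec transform-set VPN esp-aes 256 esp-sha256-hmac
crypto map CMAP1 40 ipsec-isakmp
 set peer 203.0.113.10
 set security-association lifetime seconds 28800
 set transform-set VPN
 set pfs group14
 set isakmp-profile 4G-link-backup
 match address Interesting_Traffic
"""

# Same config with the keyring bound to the profile and the ACL actually defined.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "crypto isakmp profile 4G-link-backup\n",
    "crypto isakmp profile 4G-link-backup\n keyring tunnel-keyring-4G\n",
) + "ip access-list extended Interesting_Traffic\n permit ip 10.10.10.0 0.0.0.255 172.31.128.0 0.0.0.255\n"


def parse_blocks(text):
    """Group an IOS config into (top-level line, [indented child lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] not in " \t":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def check_crypto_map(text):
    """Return a list of findings; an empty list means every reference resolves."""
    keyrings, profiles, tsets, acls, maps = {}, {}, set(), set(), []
    for header, body in parse_blocks(text):
        w = header.split()
        if w[:2] == ["crypto", "keyring"]:
            keyrings[w[2]] = body
        elif w[:3] == ["crypto", "isakmp", "profile"]:
            profiles[w[3]] = body
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets.add(w[3])
        elif w[:2] == ["ip", "access-list"]:
            acls.add(w[-1])
        elif w[:2] == ["crypto", "map"] and "ipsec-isakmp" in w:
            maps.append((f"{w[2]} {w[3]}", body))

    findings = []
    for name, body in maps:
        peer = tset = prof = acl = None
        for line in body:
            p = line.split()
            if p[:2] == ["set", "peer"]:
                peer = p[2]
            elif p[:2] == ["set", "transform-set"]:
                tset = p[2]
            elif p[:2] == ["set", "isakmp-profile"]:
                prof = p[2]
            elif p[:2] == ["match", "address"]:
                acl = p[2]
        if tset not in tsets:
            findings.append(f"{name}: transform-set {tset} is not defined")
        if acl not in acls:
            findings.append(f"{name}: access-list {acl} is not defined")
        if prof not in profiles:
            findings.append(f"{name}: isakmp profile {prof} is not defined")
            continue
        pbody = profiles[prof]
        # The profile must match the peer's identity, otherwise phase 1 never selects it.
        idents = [l.split()[3] for l in pbody if l.startswith("match identity address")]
        if peer not in idents:
            findings.append(f"{name}: profile {prof} does not match identity address {peer}")
        # Without a keyring binding the profile never sees the pre-shared key defined for the peer.
        rings = [l.split()[1] for l in pbody if l.startswith("keyring ")]
        if not rings:
            findings.append(f"{name}: profile {prof} has no keyring bound")
        elif rings[0] not in keyrings:
            findings.append(f"{name}: keyring {rings[0]} is not defined")
        else:
            keyed = [l.split()[2] for l in keyrings[rings[0]] if l.startswith("pre-shared-key address")]
            if peer not in keyed:
                findings.append(f"{name}: keyring {rings[0]} has no pre-shared key for {peer}")
    return findings


if __name__ == "__main__":
    for f in check_crypto_map(SAMPLE_CONFIG) or ["no findings"]:
        print(f)
```

Run against the constructed copy of the posted snippet it flags the unbound keyring and the undefined access-list; with both corrected it returns nothing. A peer address that differs between `set peer`, `match identity address` and the keyring is reported as well, which is the kind of mismatch that leaves a tunnel "up" on one side while the other side negotiates nothing.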