Another Sonicwall VPN question.

Solved
wrespawn
Here to help


I am trying out an MX64 and I have a VPN I need to establish between the MX and a SonicWall TZ600. I found this link to create the tunnel, but I noticed on the SonicWall side I had to specify a specific Primary Gateway Address in order to use a Main Mode exchange proposal. Since a lot of my clients receive an IP from the ISP's DHCP pool, it is very possible that the IP will change if the MX gets restarted. The same goes for using the WAN IP Address as the IKE ID. Does anyone know if there are instructions on setting up a tunnel where I can have 0.0.0.0 on the SonicWall side as the IPsec Primary Gateway to accommodate DHCP WAN IPs?


Thank you. 


7 Replies
PhilipDAth
Kind of a big deal

Does the SonicWall allow you to use a DNS entry for the remote peer address? If so, then use the DDNS entry that is generated for the Meraki device.

wrespawn
Here to help

Thank you, that's a great idea and it does fix the "IPsec Primary Gateway Name or Address" issue but unfortunately I still need an IP address for "Peer IKE ID" if the requirements demand it. I'm going to try and leave these fields blank even though the instructions say to fill them in. If that doesn't work maybe I'll try using "domain name" instead of "ipv4 address" as the option but again not sure what domain name it is asking for so it'll be trial and error.  

PhilipDAth
Kind of a big deal

I think the Meraki's will only present a peer ID - so any other option (like domain) will fail.


I don't think you are going to get this working if you have to specify a peer ID.


The only solution will be to change everything across to using a static IP address - or put in a Meraki head end beside the SonicWall.

wrespawn
Here to help

Thanks for your reply. I opened a ticket with Meraki to see if there's another way. I completely understand what you're saying so we'll have to see if there's an option we may have not considered. Thank you for taking the time to respond. 

wrespawn
Here to help

Final Update from the ticket I submitted:


Thank you for reaching out to Cisco Meraki Technical support.

From what I understand from your question, that is correct: if the IP addresses from the ISPs change, you do need to update them on the Meraki manually.
Had this been Meraki auto VPN, the changes in the IPs on the tunnel would've happened automatically.
If you want to allow this tunnel connection for Meraki devices to connect to the VPN without the "head end", you can put the MXs in the passthrough mode.
This will allow the MXs to still retain their content filtering and firewall rule capabilities without actually performing any NAT on their own.
With this setting, you can even put a SonicWall firewall ahead of the MX for the VPN purposes.

Thank you

R_Westmoreland
Conversationalist

I know this is an old post, but to get this to work, you would need to put the Private IP given by your provider in the Peer IKE ID field in the SonicWall.


wrespawn
Here to help

Thanks for this. I'm going to try this out and see if it works.
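A small monitoring helper, added here and not code from the thread, Meraki or SonicWall, that follows up the DDNS suggestion and the support note that address changes must be pushed to the peer by hand: it resolves the MX's DDNS name and flags when the address no longer matches the peer IP entered in the SonicWall policy. The DDNS name, the addresses and the offline resolver are constructed for the demo.

```python
# Added example: detect when the MX's WAN address has moved away from the
# peer IP / Peer IKE ID that was typed into the SonicWall's VPN policy.
# Nothing here is Meraki or SonicWall code; names and addresses are constructed.
import socket
from dataclasses import dataclass
from typing import Callable, Optional

Resolver = Callable[[str], str]


@dataclass(frozen=True)
class PeerCheck:
    ddns_name: str            # DDNS name assumed to be published for the MX
    configured_peer_ip: str   # value entered as IPsec Primary Gateway / Peer IKE ID
    resolved_ip: Optional[str]

    @property
    def drifted(self) -> bool:
        """True when DDNS now points somewhere other than the configured peer."""
        return self.resolved_ip is not None and self.resolved_ip != self.configured_peer_ip

    def summary(self) -> str:
        if self.resolved_ip is None:
            return f"{self.ddns_name}: DDNS lookup failed; cannot verify peer"
        if self.drifted:
            return (f"{self.ddns_name}: WAN IP changed {self.configured_peer_ip} -> "
                    f"{self.resolved_ip}; update the SonicWall policy")
        return f"{self.ddns_name}: peer still {self.configured_peer_ip}"


def resolve_ddns(name: str, resolver: Resolver = socket.gethostbyname) -> Optional[str]:
    """Resolve the DDNS name; return None instead of raising on lookup failure."""
    try:
        return resolver(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def check_peer(ddns_name: str, configured_peer_ip: str,
               resolver: Resolver = socket.gethostbyname) -> PeerCheck:
    return PeerCheck(ddns_name, configured_peer_ip, resolve_ddns(ddns_name, resolver))


# Constructed offline resolver standing in for real DNS.
FAKE_DNS = {"branch-mx.example-ddns.net": "203.0.113.25"}


def fake_resolver(name: str) -> str:
    if name not in FAKE_DNS:
        raise socket.gaierror(f"no such host: {name}")
    return FAKE_DNS[name]


if __name__ == "__main__":
    # SonicWall still has yesterday's DHCP lease address configured as the peer.
    print(check_peer("branch-mx.example-ddns.net", "203.0.113.10", fake_resolver).summary())
```

Run it from cron against the real DDNS name with the default resolver to get an alert before the tunnel silently stays down after an MX reboot.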