Digitalisierungsbox: bintec elmeg / German Telekom in combination with a Meraki MX67 - NO VPN

SOLVED
Cybertron
Here to help

Hello everyone,

I could really use some help from the community.

We just set up our new Meraki network, including an MX67W. Everything works fine. The only issue we have is that we cannot VPN into our network, which we urgently need to.

We have a Digitalisierungsbox (bintec elmeg / German Telekom) which we can't use as a bridge because it's connected to a phone system that won't work if the modem/router were in bridge mode.

We tried really everything. I also wrote a post in the support community of the German Telekom.

It would be really cool if someone had an idea what we are doing wrong. We gave up after 16 h of trying.

https://telekomhilft.telekom.de/t5/Telefonie-Internet/Digitalisierungsbox-Passthrough-Portweiterleit...

 

1 ACCEPTED SOLUTION
mdo
Conversationalist

Try forwarding all ports (exposed host)

http://faq.bintec-elmeg.com/index.php?title=Einrichten_eines_"Exposed_Host"

Does your provider use DS-Lite? Do you have a static IPv4?

ww
Kind of a big deal

We did. But the "Telekom Digitalisierungsbox" does not want to forward all the traffic to the MX. We really tried everything.

According to all tutorials we could find, we had to create NAT groups for UDP 500, UDP 4500, AH and ESP, create an IP address range for the device and set a rule in the device's firewall for the IP groups, but nothing.

We can ping our Meraki address but we cannot connect.

We also just can't add the modem as a bridge...

ww
Kind of a big deal

So you connect to the public WAN IP. And you don't see any logging in the Meraki event log?

Or try to make a packet capture on the Meraki internet interface to see if you have packets on "port 500" or "port 4500" when you connect the VPN.

[Screenshot: Bildschirmfoto 2022-03-27 um 11.43.34.png]

Cybertron
Here to help

@ww sorry if I post something wrong. I'm new to all of the Meraki stuff.

KarstenI
Kind of a big deal

A couple of things:

  1. You don't need to forward AH and ESP; that is wrong in the mentioned video.
  2. IPsec needs to be disabled on the box if you only have one IP address. It can only be processed on the box *or* forwarded to the next device.
  3. This is the documentation for the packet capture: https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Packet_Capture_Overvi...
     Capture on the internet port of the MX and use the filter "port 500" to filter out everything that is not needed as a first step.
  4. You could also try to forward TCP/443 on the box and use AnyConnect on the MX. It's the better VPN implementation anyway.

 

IIRC, I couldn't get Client VPN to work until I forwarded/allowed GRE traffic to my MX. Perhaps that's it?

Could it be that you confuse that with a PPTP setup? There is no GRE in L2TP/IPsec forwarding.

Honestly, I'm a bit unsure. I just know that my CPE wouldn't forward any traffic to my MX at home unless I explicitly allowed GRE traffic. I was confused as well.

I think it's not DS-Lite. Before, we used the Telekom DB for VPN with a Dyn account because we have a dynamic IP. I'm going to try to implement the manual you sent me.

I tried this method but it did not work. I even disabled IPsec. Still no luck!

MarcP
Kind of a big deal

As it seems to be very hard with the DB, did you try to use a Lancom, for example?
Does your VPN work in general? I mean, did you try to establish an IPsec connection when you use the MX behind an LTE router, for example? Just as a test.

Did the mentioned captures help you?

I can't switch to Lancom or something else because the DBs are connected to our phone system! I can't simply replace them or I will end up without a phone at work!

MarcP
Kind of a big deal

OK, it was just a thought... I think you would be able to configure a Lancom with the same settings and replace it when no one is working or during an emergency downtime. That's how I would do it.

What about testing the MX behind another router? LTE, as mentioned, for example?

What about the packet captures?

Maybe the DB is faulty? I remember I used a DB a couple of years ago as well and all worked fine, even without port forwarding.
Or maybe some outgoing ports are blocked?

[Screenshot: Bildschirmfoto 2022-03-28 um 11.06.26.png]

Maybe I'm just pointing in the wrong direction? Just from the logic, I have to choose the interface WAN_DETAG Internet-Zugang

MarcP
Kind of a big deal

As you mentioned all works fine so far, meaning your MX is online and connected to the Meraki cloud, correct?

So it seems like you are connected correctly.

Can you explain which settings these are on this screenshot? I know something about the DB, but what exactly?

I would have thought you just have the DB, connected the MX to one of the LAN ports of the DB and forwarded 500/4500 to the MX (LAN port or IP).

The whole Meraki network is working fine! We only cannot use VPN at this point because of the German Telekom DB.

MarcP
Kind of a big deal

Sorry if I don't get it, but as in my last post:

Can you explain which settings these are on this screenshot? I know something about the DB, but what exactly?

I would have thought you just have the DB, connected the MX to one of the LAN ports of the DB and forwarded 500/4500 to the MX (LAN port or IP).

And again, what about the packet captures on the MX regarding ports 500/4500, as @ww mentioned.

Network Wide - packet capture

Instead of Wireshark you can view the output below as well.

[Screenshot: MarcP_0-1648461290036.png]

[Screenshot: Bildschirmfoto 2022-03-28 um 12.09.18.png]

MarcP
Kind of a big deal

As you can see above, these are "sample filter expressions".

Assuming you do not have Wireshark (all on the left side), change output to "view output below", set the filter as mentioned in my screenshot ("port 4500" and/or "port 500", without quotation marks) and hit start capture.

[Screenshot: MarcP_0-1648463174313.png]

As I don't have a running IPsec tunnel, I can't show an example of the output.

But this one is without any filter expression (temporarily unused network at my site).

[Screenshot: MarcP_2-1648463308655.png]

Cybertron
Here to help

@MarcP

The first was port 500, the second port 4500.

[Screenshot: Bildschirmfoto 2022-03-28 um 12.45.17.png]

MarcP
Kind of a big deal

So really nothing is coming in... I'm wondering if there shouldn't be at least some packets trying to initiate the IPsec tunnel (?)

Can you show the port forwarding configuration of the ISP? Are you sure you managed to set up the IPsec parameters correctly on both sides?

KarstenI
Kind of a big deal

As mentioned, if the capture was done while testing the connection, it has to be the port forwarding on the DB.

Cybertron
Here to help

@mdo was pretty close to solving my issue.

- First you have to turn off IPsec at the Digitalisierungsbox.
- On the same page you have to delete all previous IPsec configurations.
- Then you can follow the tutorial @mdo posted.
- You can leave out the point "Ausgehend".

And then any MX will work with any Digitalisierungsbox of your choice.


MarcP
Kind of a big deal

Oh, you had configured IPsec on the DB as well...

MX IPsec traffic was put into the DB IPsec tunnel.