Hello everyone,
I could really use some help from the community.
We just set up our new Meraki network, including an MX67W. Everything works fine. The only issue we have is that we cannot VPN into our network, which we urgently need to.
We have a Digitalisierungsbox (bintec elmeg / German Telekom) which we can't use as a bridge because it's connected to a phone system that won't work if the modem/router were in bridge mode.
We really tried everything. I also wrote a post in the support community of the German Telekom.
It would be really cool if someone had an idea of what we were doing wrong. We gave up after 16 h of trying.
Try forwarding all ports (exposed host)
http://faq.bintec-elmeg.com/index.php?title=Einrichten_eines_"Exposed_Host"
Does your provider use DS-Lite? Do you have a static IPv4?
Did you forward the ports on the ISP device to the MX WAN IP?
We did. But the Telekom Digitalisierungsbox does not want to forward all the traffic to the MX. We really tried everything.
According to all the tutorials we could find, we had to create NAT groups for UDP 500, UDP 4500, AH and ESP, create an IP address range for the device and set a rule in the device's firewall for IP groups, but nothing.
Like, we can ping our Meraki address but we cannot connect.
We also just can't add the modem as a bridge...
So you connect to the public WAN IP. And you don't see any logging in the Meraki event log?
Or try to make a packet capture on the Meraki Internet interface to see if you have packets on "port 500" or "port 4500" when you connect the VPN.
A couple of things:
IIRC, I couldn't get Client VPN to work until I forwarded/allowed GRE traffic to my MX. Perhaps that's it?
Could it be that you are confusing that with a PPTP setup? There is no GRE in L2TP/IPsec forwarding.
Honestly, I'm a bit unsure. I just know that my CPE wouldn't forward any traffic to my MX at home unless I explicitly allowed GRE traffic. I was confused as well.
I think it's not DS-Lite. Before, we used the Telekom DB for VPN with a Dyn account because we have a dynamic IP. I'm going to try to implement the manual you sent me.
I tried this method but it did not work. I even disabled IPsec. Still no luck!
As it seems to be very hard with the DB, did you try to use a Lancom, for example?
Does your VPN work in general? I mean, did you try to establish an IPsec connection when you use the MX behind an LTE router, for example? Just as a test.
Did the mentioned captures help you?
I can't switch to Lancom or something else because the DBs are connected to our phone system! I can't simply replace them or I will end up without a phone at work!
Ok, it was just a thought... I think you would be able to configure a Lancom with the same settings and replace it when no one is working or during an emergency downtime. That's how I would do it.
What about testing the MX behind another router? LTE, as mentioned, for example?
What about the packet captures?
Maybe the DB is faulty? I remember I used a DB a couple of years ago as well and all worked fine, even without port forwarding.
Or maybe some outgoing ports are blocked?
Maybe I'm just pointing in the wrong direction? Just from the logic, I have to choose the interface WAN_DETAG Internet-Zugang
As you mentioned, all works fine so far, meaning your MX is online and connected to the Meraki cloud, correct?
So it seems like you are connected correctly.
Can you explain which settings these are on this screenshot? I know it's something on the DB, but what exactly?
I would have thought you just have the DB, connected the MX to one of the LAN ports of the DB and forwarded 500/4500 to the MX (LAN port or IP).
The whole Meraki network is working fine! We only cannot use VPN at this point because of the German Telekom DB.
Sorry if I don't get it, but as in my last post:
Can you explain which settings these are on this screenshot? I know it's something in the DB, but what exactly?
I would have thought you just have the DB, connected the MX to one of the LAN ports of the DB and forwarded 500/4500 to the MX (LAN port or IP).
And again, what about the packet captures on the MX regarding ports 500/4500, as @ww mentioned?
Network Wide - packet capture
Instead of Wireshark, you can view the output below as well.
As you can see above, these are "sample filter expressions".
Assuming you do not have Wireshark (all on the left side), change output to "view output below", set the filter as mentioned in my screenshot ("port 4500" and/or "port 500", without quotation marks) and hit start capture.
As I don't have a running IPsec tunnel I can't show an example of the output.
But this one is without any filter expression (temporarily unused network at my site).
So really nothing is coming in... I'm wondering if there shouldn't be at least some packets trying to initiate the IPsec tunnel (?)
Can you show the port forwarding configuration of the ISP? Are you sure you managed to set up the IPsec parameters correctly on both sides?
As mentioned, if the capture was done while testing the connection, it has to be the port forwarding on the DB.
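As an added example (not from anyone in this thread), a small Python check over tcpdump-style capture text like the dashboard's "view output below" shows: it reports whether IKE (UDP 500) and NAT-T (UDP 4500) actually reached the MX WAN address, or whether, as in the symptom above, only ping got through the ISP box. The sample lines and the addresses 192.168.2.10 (MX WAN IP behind the DB) and 203.0.113.7 (remote client) are constructed.

```python
import re

# Constructed tcpdump-style lines in the style of the dashboard's text
# output; not a real capture from the thread.
CAPTURE_OK = """\
10:01:02.100000 IP 203.0.113.7 > 192.168.2.10: ICMP echo request, id 1, seq 1, length 64
10:01:05.200000 IP 203.0.113.7.500 > 192.168.2.10.500: isakmp: phase 1 I ident
10:01:05.300000 IP 203.0.113.7.4500 > 192.168.2.10.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
"""
# The thread's symptom: ping answers, but no IKE/NAT-T packets ever arrive.
CAPTURE_PING_ONLY = """\
10:02:02.100000 IP 203.0.113.7 > 192.168.2.10: ICMP echo request, id 2, seq 1, length 64
10:02:02.100400 IP 192.168.2.10 > 203.0.113.7: ICMP echo reply, id 2, seq 1, length 64
"""

# Flows an L2TP/IPsec client must get through the ISP box to the MX:
# IKE on UDP 500 and NAT-T on UDP 4500. ESP/AH only matter without NAT.
REQUIRED = {"port 500": "IKE/ISAKMP", "port 4500": "IPsec NAT-T"}

# "IP src.port > dst.port: ..." for UDP/TCP, "IP src > dst: PROTO" otherwise.
PROTO_RE = re.compile(r" IP \S+ > (\S+): (ESP|AH|ICMP)\b")
PORT_RE = re.compile(r" IP \S+?\.(\d+) > (\S+?)\.(\d+): ")


def classify(line, mx_ip):
    """Label one line by what reached mx_ip, or None if it is not inbound."""
    m = PROTO_RE.search(line)
    if m:
        return m.group(2).lower() if m.group(1) == mx_ip else None
    m = PORT_RE.search(line)
    if m and m.group(2) == mx_ip:
        return f"port {m.group(3)}"
    return None


def check_capture(text, mx_ip):
    """Return (flows seen inbound to mx_ip, required flows that are missing)."""
    seen = {f for f in (classify(l, mx_ip) for l in text.splitlines()) if f}
    missing = [f"{k} ({v})" for k, v in REQUIRED.items() if k not in seen]
    return seen, missing


if __name__ == "__main__":
    for name, cap in (("ok", CAPTURE_OK), ("ping only", CAPTURE_PING_ONLY)):
        seen, missing = check_capture(cap, "192.168.2.10")
        print(name, "seen:", sorted(seen), "missing:", missing or "none")
```

An empty "missing" list with the DB in front of the MX means the port forwarding works and the remaining problem is in the IPsec parameters; anything listed points back at the ISP box.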
@mdo was pretty close to solving my issue.
- First, you have to turn off IPsec at the Digitalisierungsbox.
- On the same page you have to delete all previous IPsec configurations.
- Then you can follow the tutorial @mdo posted.
- You can leave out the point Ausgehend.
And then any MX will work with any Digitalisierungsbox of your choice.
Oh, you had configured IPsec on the DB as well...
The MX IPsec traffic was put into the DB IPsec tunnel.