Hello community,
We have a couple of MX105s on version 17.10.2, and we have made an S2S IKEv1 tunnel to HQ with a couple of Firepower 2120s managed via FMC.
We are using 17.10.2 because I have opened a ticket, but support just collects data and tells me to try different firmware.
On the Meraki site I'm using 192.168.40.0/21, subnetted into 8 /24 subnets, nothing strange.
From the other side of the tunnel I'm advertising one private subnet, 172.16.0.0/13.
At the moment I have enabled only 3 of the MX subnets in the tunnel.
The tunnel is up and I see all the child SAs coming up on the Firepower when interesting traffic arrives.
Advertised subnets in the MX are 192.168.40.0/24, 192.168.41.0/24 and 192.168.45.0/24.
And now comes the problem.
From HQ I'm able to talk only with 192.168.40.0/24 and 192.168.41.0/24, and nothing to 192.168.45.0/24.
Already from the MX I'm able to talk from 192.168.40.0/24 and 192.168.41.0/24 to IP addresses behind subnet 172.16.0.0/13.
My question is, is there a limitation on the number of subnets advertised from the MX?
The only issue I see is in the child SA when I try to send ICMP packets from MX VLAN 192.168.45.0/24:
access-list CSM_IPSEC_ACL_2 extended permit ip 172.16.0.0 255.248.0.0 192.168.40.0 255.255.248.0
Protected vrf (ivrf):
local ident (addr/mask/prot/port): (172.16.0.0/255.248.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.45.0/255.255.255.0/0/0)
current_peer: 195.230.205.210
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
I have already tried using IKEv2 without success; it seems it does not build the crypto map policy correctly.
Has nobody made a similar S2S with Firepower or another appliance successfully with more than two subnets advertised?
At this point any advice is welcome.
Thanks
Meraki Appliances build IPsec tunnels by sending out a request with a single traffic selector that contains all of the expected local and remote subnets. Certain vendors may not support allowing more than one local and remote selector in a given IPsec tunnel (e.g. ASA 5500-X series firewalls running certain firmware releases); for such cases, please use IKEv1 instead.
An MX-Z device will not try to form a VPN tunnel to a non-Meraki peer if it does not have any local networks advertised.
Hi alemabrahao,
thanks for the advice.
Yes, I have read this about IKEv2, and we use IKEv1.
I will try to enable ALL subnets and come back with feedback, positive or not.
I have an S2S VPN announcing more than 2 subnets and it has been working well. Have you asked Meraki support?
Yep, I have opened a ticket with support, but I'm stuck in a sort of loop, like the Miller planet in Interstellar: 1 minute, 7 years... 😄
This morning everything appeared to be working fine, and this afternoon bye bye VLAN 192.168.45.0/24 from HQ....
Very strange for a Cisco-like company.
@alemabrahao has hit the nail on the head.
Except I believe the article is wrong - and IKEv1 and IKEv2 are equally affected by this issue. ASAs are definitely affected by this issue. I have not attempted to do this with Firepower.
If you just require a single VPN to HQ - I would personally buy a Meraki Z3 (low cost), run it in VPN concentrator mode, and put it behind the Firepowers. The Firepowers just need a static route pointing to the Z3 then.
Simple. Reliable. Cheap.
The second option I would do (and have done many many times) to overcome this is to deploy strongSwan on Ubuntu in a virtual machine behind the main firewalls, and terminate the VPN on that. strongSwan can be configured to build the VPNs both ways.
An example that is compatible with the MX is:
conn HQ
    # shared settings (IKE/ESP proposals, PSK auth, etc.) go here
    ...
    leftsubnet=10.x.x.x/24
    leftid=x.x.x.x
    right=x.x.x.x
    rightsubnet=10.x.x.x/24
    ...
# one extra conn per additional remote subnet: each inherits HQ's settings
# via also= and only overrides rightsubnet, so every pair gets its own SA
conn HQ-1
    also=HQ
    rightsubnet=10.x.x.x/24
conn HQ-2
    also=HQ
    rightsubnet=10.x.x.x/24
...
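To turn the pattern in that post into a full file without hand-copying stanzas, here is an added example (not the poster's config and not strongSwan's own tooling) that generates one conn per local/remote subnet pair from two subnet lists and refuses overlapping selectors; the peer addresses are constructed placeholders, the subnets are the ones from this thread.

```python
# Added example, not the poster's config: render strongSwan ipsec.conf stanzas,
# one conn (hence one IKEv1 Quick Mode SA) per local/remote subnet pair.
import ipaddress
from itertools import product

def parse_subnets(subnets):
    """Parse CIDR strings strictly and reject overlapping entries."""
    # Overlapping selectors would leave two conns competing for the same
    # traffic, so refuse them up front rather than chase idle child SAs.
    nets = [ipaddress.ip_network(s, strict=True) for s in subnets]
    for a, b in product(nets, repeat=2):
        if a != b and a.overlaps(b):
            raise ValueError(f"overlapping subnets: {a} and {b}")
    return nets

def render_ipsec_conf(name, left_id, right, local_subnets, remote_subnets):
    """Return ipsec.conf text: a template conn plus one child conn per pair."""
    locals_ = parse_subnets(local_subnets)
    remotes = parse_subnets(remote_subnets)
    # Template holds the shared IKE settings and is never started on its own.
    lines = [
        f"conn {name}",
        "    keyexchange=ikev1",
        "    authby=secret",
        "    left=%defaultroute",
        f"    leftid={left_id}",
        f"    right={right}",
        "    auto=ignore",
    ]
    # One child per (local, remote) pair: each negotiates its own Quick Mode
    # SA carrying exactly one local and one remote selector.
    for i, (lnet, rnet) in enumerate(product(locals_, remotes), start=1):
        lines += [
            f"conn {name}-{i}",
            f"    also={name}",
            f"    leftsubnet={lnet}",
            f"    rightsubnet={rnet}",
            "    auto=start",
        ]
    return "\n".join(lines) + "\n"

def count_child_conns(conf):
    """Count the also= children in a rendered config (sanity check)."""
    return sum(1 for line in conf.splitlines() if line.strip().startswith("also="))

if __name__ == "__main__":
    # Constructed peer addresses; the subnets are the ones from this thread.
    print(render_ipsec_conf("HQ", "203.0.113.1", "198.51.100.1", ["172.16.0.0/13"],
                            ["192.168.40.0/24", "192.168.41.0/24", "192.168.45.0/24"]))
```

Drop the output into /etc/ipsec.conf on the strongSwan VM and add the PSK for the peer in ipsec.secrets; adding a fourth MX subnet later is one more list entry, not a hand-edited stanza.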