Enabling more than 2 subnet in vpn s2s not meraki.

Luca1

Hello community,

We have a couple of MX105s on version 17.10.2, and we have built an IKEv1 S2S VPN to HQ, where there is a pair of Firepower 2120s managed via FMC.

We are using 17.10.2 because I opened a ticket, but support just collects data and tells me to try a different firmware.

On the Meraki site I'm using 192.168.40.0/21, subnetted into eight /24 subnets, nothing strange.

From the other side of the tunnel I'm advertising one private 172.16.0.0/13.

At the moment I have enabled only 3 of the MX subnets in the tunnel.

The tunnel is up and I see all the child SAs coming up on the Firepower when interesting traffic arrives.

The advertised subnets on the MX are 192.168.40.0/24, 192.168.41.0/24 and 192.168.45.0/24.

And now comes the problem.

From HQ I'm able to talk only with 192.168.40.0/24 and 192.168.41.0/24, and not at all with 192.168.45.0/24.

From the MX I'm already able to talk from 192.168.40.0/24 and 192.168.41.0/24 to IP addresses behind subnet 172.16.0.0/13.

My question is: is there a limitation on the number of subnets advertised from the MX?

The only issue I see is in the child SA when I try to send ICMP packets from MX VLAN 192.168.45.0/24:

access-list CSM_IPSEC_ACL_2 extended permit ip 172.16.0.0 255.248.0.0 192.168.40.0 255.255.248.0
Protected vrf (ivrf):
local ident (addr/mask/prot/port): (172.16.0.0/255.248.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.45.0/255.255.255.0/0/0)
current_peer: 195.230.205.210

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 29, #pkts decrypt: 29, #pkts verify: 29
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

I have already tried using IKEv2 without success; it seems it does not build the crypto map policy correctly.

Has nobody built a similar S2S with Firepower or another appliance successfully with more than two subnets advertised?

At this point any advice is welcome.

Thanks

5 REPLIES
alemabrahao
Kind of a big deal

NOTE For IKEv2

Meraki Appliances build IPsec tunnels by sending out a request with a single traffic selector that contains all of the expected local and remote subnets. Certain vendors may not support allowing more than one local and remote selector in a given IPsec tunnel (e.g. ASA 5500-X series firewalls running certain firmware releases); for such cases, please use IKEv1 instead. 

An MX-Z device will not try to form a VPN tunnel to a non-Meraki peer if it does not have any local networks advertised.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Hi alemabrahao,

thanks for the advice.

Yes, I have read this; it is about IKEv2, and we use IKEv1.
I will try to enable ALL subnets and come back with feedback, positive or not.

alemabrahao
Kind of a big deal

I have an S2S VPN announcing more than 2 subnets and it has been working well. Have you asked Meraki support?


Yep, I have opened a ticket with support, but I'm stuck in a sort of loop, like Miller's planet in Interstellar: 1 minute, 7 years....... 😄

This morning everything appeared to be working fine, and this afternoon bye bye VLAN 192.168.45.0/24 from HQ....
Very strange for a company like Cisco.

@alemabrahao has hit the nail on the head.

Except I believe the article is wrong, and IKEv1 and IKEv2 are equally affected by this issue. ASAs are definitely affected by this issue. I have not attempted to do this with Firepower.

If you just require a single VPN to HQ, I would personally buy a Meraki Z3 (low cost), run it in VPN concentrator mode, and put it behind the Firepowers. The Firepowers then just need a static route pointing to the Z3.

Simple. Reliable. Cheap.

The second option I would use (and have used many, many times) to overcome this is to deploy Strongswan on Ubuntu in a virtual machine behind the main firewalls, and terminate the VPN on that. Strongswan can be configured to build the VPNs both ways.

An example that is compatible with the MX is:

conn HQ
    ...
    leftsubnet=10.x.x.x/24
    leftid=x.x.x.x
    right=x.x.x.x
    rightsubnet=10.x.x.x/24
    ...

conn HQ-1
    also=HQ
    rightsubnet=10.x.x.x/24

conn HQ-2
    also=HQ
    rightsubnet=10.x.x.x/24

...
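To make the traffic-selector behaviour discussed in this thread concrete (the Meraki IKEv2 note about a single selector carrying all subnets, quoted above, and the one-conn-per-subnet-pair strongSwan layout in the reply just above), here is an added Python example. It is not code from any post, from Meraki or from strongSwan. It counts how many IPsec SAs a multi-subnet tunnel needs under IKEv1 versus IKEv2, checks whether a peer's crypto-map ACL line covers a proposed selector pair (using the ACL line and subnets from the original post as constructed input), and renders strongSwan ipsec.conf stanzas in the also= style. The peer addresses, the conn name and the function names are assumptions for illustration.

```python
"""Traffic-selector bookkeeping for a multi-subnet IPsec site-to-site tunnel.

Added example for this thread; not code from the posts, Meraki or strongSwan.
The subnets and the ASA ACL line are taken from the original post; the peer
addresses and names below are invented for illustration.
"""
from ipaddress import IPv4Network, IPv6Network, ip_network
from itertools import product

# Constructed sample data: the three MX subnets the poster enabled and the
# single /13 advertised from HQ.
MX_SUBNETS = ["192.168.40.0/24", "192.168.41.0/24", "192.168.45.0/24"]
HQ_SUBNETS = ["172.16.0.0/13"]
# Crypto-map ACL line exactly as shown in the poster's Firepower/ASA output.
ASA_ACL = ("access-list CSM_IPSEC_ACL_2 extended permit ip "
           "172.16.0.0 255.248.0.0 192.168.40.0 255.255.248.0")


def _net(value):
    """Accept an ipaddress network object or a string (CIDR or 'addr/netmask')."""
    if isinstance(value, (IPv4Network, IPv6Network)):
        return value
    return ip_network(value)


def ikev1_child_sas(local, remote):
    """IKEv1 Quick Mode negotiates one IPsec SA per (local, remote) proxy-ID pair,
    so n local and m remote subnets cost n*m child SAs, each of which must be
    accepted against the peer's crypto ACL."""
    return [(_net(l), _net(r)) for l, r in product(local, remote)]


def ikev2_child_sa(local, remote):
    """IKEv2 puts every local subnet in TSi and every remote subnet in TSr of one
    CHILD_SA proposal, which is what the Meraki note describes; a peer that only
    accepts a single selector per side will narrow or reject that proposal."""
    return ([_net(l) for l in local], [_net(r) for r in remote])


def parse_asa_acl(line):
    """Parse 'access-list NAME extended permit ip SRC MASK DST MASK' into
    (src_network, dst_network). Only the 'permit ip' form from the thread is handled."""
    tokens = line.split()
    i = tokens.index("permit")
    if tokens[i + 1] != "ip":
        raise ValueError("only 'permit ip' crypto ACL lines are handled")
    src, smask, dst, dmask = tokens[i + 2:i + 6]
    return ip_network(f"{src}/{smask}"), ip_network(f"{dst}/{dmask}")


def acl_covers(acl, sa):
    """True if the ACL's (local, remote) networks contain the selector pair the peer
    proposes. The poster's output shows exactly this case: a proposed remote ident of
    192.168.45.0/24 accepted as a narrower proxy ID under the /21 ACL entry."""
    acl_local, acl_remote = _net(acl[0]), _net(acl[1])
    local, remote = _net(sa[0]), _net(sa[1])
    return local.subnet_of(acl_local) and remote.subnet_of(acl_remote)


def strongswan_conns(name, leftid, right, left_subnets, right_subnets):
    """Render ipsec.conf stanzas in the 'also=' style from the reply above: one base
    conn carrying the shared settings plus one derived conn per additional
    (left, right) subnet pair, so every pair becomes its own IKEv1 SA."""
    pairs = list(product(left_subnets, right_subnets))
    first_left, first_right = pairs[0]
    out = [f"conn {name}",
           "    keyexchange=ikev1",
           f"    leftid={leftid}",
           f"    leftsubnet={first_left}",
           f"    right={right}",
           f"    rightsubnet={first_right}",
           "    auto=start"]
    for n, (left, right_subnet) in enumerate(pairs[1:], start=1):
        out += ["",
                f"conn {name}-{n}",
                f"    also={name}",
                f"    leftsubnet={left}",
                f"    rightsubnet={right_subnet}"]
    return "\n".join(out)


if __name__ == "__main__":
    # Seen from the ASA/Firepower, local is the HQ side and remote is the MX side,
    # matching the 'permit ip SRC DST' order of the ACL line.
    acl = parse_asa_acl(ASA_ACL)
    asa_view = ikev1_child_sas(HQ_SUBNETS, MX_SUBNETS)
    print(f"IKEv1 child SAs needed: {len(asa_view)}")
    for sa in asa_view:
        status = "covered by ACL" if acl_covers(acl, sa) else "NOT covered by ACL"
        print(f"  local {sa[0]} remote {sa[1]}: {status}")
    tsi, tsr = ikev2_child_sa(MX_SUBNETS, HQ_SUBNETS)
    print(f"IKEv2: one CHILD_SA with {len(tsi)} TSi and {len(tsr)} TSr entries")
    print(strongswan_conns("HQ", "203.0.113.1", "198.51.100.1", MX_SUBNETS, HQ_SUBNETS))
```

Run it as-is to see that all three /24s the poster enabled sit inside the /21 of the ACL, so a selector outside that /21 (say a fourth subnet from a different block) would be the thing to look for if another VLAN is added; the strongSwan output is the same shape as the reply's snippet, with real values in place of the x.x.x.x placeholders.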
