Meraki

Community

IPSEC tunnel with non meraki VPN for MX85 warmspare with uplink from MG41

Tarmahmood1
Getting noticed
‎Aug 17 2023 6:30 AM
‎Aug 17 2023 6:30 AM

IPSEC tunnel with non meraki VPN for MX85 warmspare with uplink from MG41

Hello, We have a warmspare device MX85 connected to MG41. MX WAN IP is taken from MG41(IPv4 ip addressing and NAT), so on left side of pane we get the public IP info(which is the SIM IP) and on right side in uplink tab WAN2 we get the ip from MG41 which is private IP(as shown in screenshot). For primary we have ISP fiber link and we get public IP on uplink(not private) and created the ipsec tunnel to non-meraki(CSR1000). The tunnel works fine for primary, but for backup what IP should be used at peer side, I used public IP and the state of tunnel was UP-Idle(UI) at CSR side.

 

Should i set peer (public IP) or (private IP 172.31.128.4) in my case or need to add private subnet from MG into interesting traffic

 

Tariqmahmood_0-1692278475797.png

 

config at CSR

 

crypto map tunnel 40 ipsec-isakmp
set peer (publicIP) or 172.31.128.4
set security-association lifetime seconds 28800
set transform-set VPN-tunnel
set pfs group14
set isakmp-profile VPN-tunnel-R02
match address Interesting_Traffic

0 Kudos
1 Reply 1
KarstenI
Kind of a big deal
Kind of a big deal
‎Aug 17 2023 6:49 AM
‎Aug 17 2023 6:49 AM

The peer IP is always the IP that is valid on the internet which is the public IP. The NAT device (MG) has to forward the traffic correctly to the VPN endpoint.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.