IPsec Tunnel Not Establishing

Solved
athan1234
A model citizen

I've spent two weekends trying to resolve this issue, so I want to give you some context.

The goal is to establish an IPsec tunnel between two Meraki devices.

One Meraki is located at our headquarters, and the other is at a client's site. The purpose of this tunnel is for monitoring.

The issue seems to be on the infrastructure at our HQ. There are two FortiGate firewalls—one handling LAN traffic and the other WAN. The WAN firewall uses VDOMs and has multiple NATs configured. I suspect the IPsec VPN isn't coming up due to something related to the provider's router—maybe it's not operating in transparent mode?

Any ideas? Meraki’s event logs don’t show any helpful troubleshooting information.

1 Accepted Solution
alemabrahao
Kind of a big deal

I understand, in this case the only option I see would be to check with the ISP.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


17 Replies
DarrenOC
Kind of a big deal

What are your Wireshark logs showing you? Do you see traffic at either end being blocked/dropped?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
athan1234
A model citizen

If I do the packet capture on the customer side, I don't get anything.

[screenshot: athan1234_1-1743750912080.png]

[screenshot: athan1234_0-1743750821609.png]

DarrenOC
Kind of a big deal

Have you sniffed on the WAN port rather than the VPN? The tunnel needs to establish first.

athan1234
A model citizen

Where, on my customer's side or my side?

ChrisJ2
Meraki Employee

Hi,

Assuming the MXs are in different dashboard Organizations, then this would be treated as a non-Meraki VPN.

I would suggest a packet capture on the Primary WAN (Internet) interface on both sides, filtering for the public IP of each remote appliance:

[screenshot: ChrisJ2_1-1743757560950.png]

(so, from your site, x.x.x.x would be the Public IP of your Customer's MX and vice-versa)

Then you will be able to verify if ISAKMP traffic is being sent from / reaching either side.

If there is another firewall upstream, ensure UDP 500 and 4500 are allowed to and from the remote side.

If you are using IKEv2, please understand these settings, especially the local and remote ID fields, if either side is behind NAT.

The event log can also be a useful source of information.

If you need further assistance, please do not hesitate to open a Support case, we are here to help! 😊

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
athan1234
A model citizen

Hi, thanks for your reply. I did the packet capture on both sides, the host with the public IP and the other side, and I did not have any traffic.

alemabrahao
Kind of a big deal

Well, if nothing is getting to Meraki, it means that traffic is not even leaving the FortiGate, in this case, ensure that the NAT configuration on the FortiGate that handles WAN traffic is correctly configured to allow IPsec traffic. This includes ensuring that UDP ports 500 and 4500 are open and forwarded correctly.

I would start by troubleshooting the Fortigate side to make sure the traffic is being routed correctly.
athan1234
A model citizen

So what is your idea? How can I do it? The VPN is a tunnel, and first I should establish the IPsec tunnel on the Meraki, or maybe I am wrong and I must check the FortiGate. Any idea for doing it? If, on the customer side, they do a tracert or ping against the public IP on the other side, the FortiGate receives the reply, but I can't see any traffic on UDP ports 4500 and 500. On the other hand, I can see traffic for other public IPs, but I can't see it for that specific IP.

athan1234
A model citizen

Any idea?

ChrisJ2
Meraki Employee

You will need to send "interesting traffic" (i.e. a continuous ping) from a device behind the MX in one of the exported subnets, toward a device in a subnet behind the remote peer that is participating in the VPN, to bring up the tunnel. You should then at least see ISAKMP initiator requests egressing the MX WAN interface. You can verify this with a capture on the internet interface of the MX. These would be UDP packets toward the remote peer public IP on port 500 or 4500. If you are using a PPPoE uplink, the filtered capture would be blank unless you filter for "pppoes and host x.x.x.x".
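As an added example (not code from this thread, nor from Meraki or Fortinet), here is a small Python classifier for what ChrisJ2's two replies say to look for on the WAN-side capture: IKE on UDP/500, IKE carried over NAT-T on UDP/4500 behind the four-byte non-ESP marker, ESP-in-UDP, and the one-byte NAT keepalive, plus a helper that lists the initiator requests leaving toward the peer. The sample packets and the addresses 203.0.113.10 / 198.51.100.20 are constructed from the RFC 7296 header layout and the RFC 3948 encapsulation rules; `capture_filter()` returns the pcap expression such a capture would use, with the "pppoes and" prefix from the PPPoE note. All function names are mine.

```python
"""Classify packets from a WAN-side capture as IKE, IKE over NAT-T, ESP-in-UDP or keepalive.

Added example for this thread, not code from the original post or from Meraki/
Fortinet. Packets are constructed by hand from the RFC 7296 IKE header layout
and the RFC 3948 UDP encapsulation rules; addresses are documentation ranges.
"""
import struct

# IKE header (RFC 7296 s3.1; the ISAKMP header in IKEv1 has the same layout):
# SPIi(8) SPIr(8) next_payload(1) version(1) exchange_type(1) flags(1) msg_id(4) length(4)
IKE_HDR = struct.Struct("!8s8sBBBBII")
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20          # IKEv2 flag bits
EXCHANGE = {2: "IKEv1 Main Mode", 4: "IKEv1 Aggressive", 5: "IKEv1 Informational",
            32: "IKEv1 Quick Mode", 34: "IKE_SA_INIT", 35: "IKE_AUTH",
            36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"                # RFC 3948: IKE on UDP/4500 starts with 4 zero bytes


def parse_ike(data):
    """Decode an IKE header; raise ValueError if the bytes are not a sane IKE message."""
    if len(data) < IKE_HDR.size:
        raise ValueError("too short for an IKE header")
    spi_i, spi_r, _next, version, exch, flags, msg_id, length = IKE_HDR.unpack_from(data)
    major = version >> 4
    if major not in (1, 2):
        raise ValueError("unknown IKE major version %d" % major)
    if length != len(data):
        raise ValueError("IKE length field %d != payload %d" % (length, len(data)))
    if major == 2:
        role = "response" if flags & FLAG_RESPONSE else "request"
    else:  # IKEv1 has no response flag; only the first message (zero responder cookie) is certain
        role = "request" if spi_r == bytes(8) else "unknown"
    return {"version": major, "exchange": EXCHANGE.get(exch, "type %d" % exch),
            "role": role, "initiator_spi": spi_i.hex(), "msg_id": msg_id}


def classify(dst_port, payload):
    """Label one UDP payload the way you would when reading a WAN capture."""
    if dst_port == 500:
        return {"kind": "ike", **parse_ike(payload)}
    if dst_port == 4500:
        if payload == b"\xff":                       # RFC 3948 s2.3 NAT keepalive
            return {"kind": "nat-keepalive"}
        if payload[:4] == NON_ESP_MARKER:            # IKE carried over NAT-T
            return {"kind": "ike-nat-t", **parse_ike(payload[4:])}
        spi = struct.unpack("!I", payload[:4])[0]   # otherwise UDP-encapsulated ESP, SPI first
        return {"kind": "esp-in-udp", "spi": spi}
    return {"kind": "other"}


def find_initiator_requests(packets, peer_ip):
    """Return (exchange, msg_id) for IKE requests egressing toward peer_ip.

    This is what should show up on the MX WAN capture once interesting traffic
    is sent; an empty list means the tunnel is not even being attempted.
    """
    out = []
    for _src, dst, dport, payload in packets:
        if dst != peer_ip:
            continue
        info = classify(dport, payload)
        if info["kind"] in ("ike", "ike-nat-t") and info["role"] == "request":
            out.append((info["exchange"], info["msg_id"]))
    return out


def capture_filter(peer_ip, pppoe=False):
    """pcap filter for the WAN-interface capture, optionally with the PPPoE prefix."""
    expr = "host %s and (udp port 500 or udp port 4500)" % peer_ip
    return ("pppoes and " + expr) if pppoe else expr


def ike_message(spi_i, spi_r, exch, flags, msg_id, body=b""):
    """Build a minimal IKEv2 message (next payload 33 = SA, version 2.0)."""
    return IKE_HDR.pack(spi_i, spi_r, 33, 0x20, exch, flags, msg_id, IKE_HDR.size + len(body)) + body


# Constructed capture: our MX 203.0.113.10 talking to the customer's MX 198.51.100.20.
OUR_IP, PEER_IP = "203.0.113.10", "198.51.100.20"
SPI_I, SPI_R = bytes.fromhex("a1a2a3a4a5a6a7a8"), bytes.fromhex("b1b2b3b4b5b6b7b8")
SAMPLE_CAPTURE = [
    # (src, dst, dst_port, udp_payload)
    (OUR_IP, PEER_IP, 500, ike_message(SPI_I, bytes(8), 34, FLAG_INITIATOR, 0)),   # IKE_SA_INIT request
    (PEER_IP, OUR_IP, 500, ike_message(SPI_I, SPI_R, 34, FLAG_RESPONSE, 0)),       # IKE_SA_INIT response
    (OUR_IP, PEER_IP, 4500, NON_ESP_MARKER + ike_message(SPI_I, SPI_R, 35, FLAG_INITIATOR, 1)),  # IKE_AUTH over NAT-T
    (OUR_IP, PEER_IP, 4500, struct.pack("!II", 0xC0FFEE01, 1) + bytes(16)),         # ESP-in-UDP, SPI 0xc0ffee01
    (OUR_IP, PEER_IP, 4500, b"\xff"),                                               # NAT keepalive
]

if __name__ == "__main__":
    print(capture_filter(PEER_IP))
    for src, dst, dport, payload in SAMPLE_CAPTURE:
        print(src, "->", dst, dport, classify(dport, payload))
    print("initiator requests toward peer:", find_initiator_requests(SAMPLE_CAPTURE, PEER_IP))
```

Running it prints the classification of each constructed packet and the two initiator requests toward the peer. On a real capture the useful reading is: an empty request list on your own WAN means the MX is not attempting the tunnel at all (no interesting traffic, or no peer configured); requests with no response, or requests visible on your side and absent on the remote side, point at the path in between, which is where upstream NAT and UDP 500/4500 filtering live.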
athan1234
A model citizen

Hi again,

Is it possible to configure the Meraki in "like indicator" mode? I would like to perform the initial setup with a FortiGate device. However, I can't find the "Non-Meraki peer" option—only the IPSec VPN option is visible.

My concern is that the Meraki device receives a private IP address on its WAN interface, and I suspect there might be an issue on the provider's side with UDP port 500. It's quite difficult to contact the provider to either set the router to bridge mode or to forward port 500 to the private IP.

Current setup:

  • Public IP: 81.x.x.x.x
  • Hostname: 56.red-81--tde.net
  • WAN 1 Settings:
    • Type: IPv4 Dynamic
    • Status: Active
    • IP Address: 192.168.1.37
    • Gateway: 192.168.1.1
    • DNS: 80.x.x.x, 80.x.x.x
    • IPv6: Auto (Stateless), Not Active

Given this, I’d like to know if I can configure the FortiGate with a dynamic  and specify a set local ID, and still get the VPN tunnel to work.
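The WAN address in the setup above (192.168.1.37, behind the ISP router's NAT) is the situation ChrisJ2's earlier note on IKEv2 ID fields refers to. As an added example, not from this thread and not Meraki or Fortinet code, the Python below works through the RFC 7296 section 2.23 NAT detection exchange: the initiator hashes the source and destination address/port it believes it is using into the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifies of IKE_SA_INIT, and the responder recomputes them over what it actually saw on the wire. 192.0.2.1 is a constructed stand-in for the redacted 81.x.x.x public address and 198.51.100.20 a constructed remote peer; the hash construction, the zero SPIr in the first message and the "switch to UDP/4500 on mismatch" rule are the RFC's, the function names are mine.

```python
"""IKEv2 NAT detection (RFC 7296 s2.23) for a peer whose WAN address is private.

Added example, not code from the thread or from Meraki/Fortinet. The MX WAN
address 192.168.1.37 is the one given in the post; 192.0.2.1 is a constructed
stand-in for the redacted 81.x.x.x public address the ISP router NATs it to,
and 198.51.100.20 is a constructed address for the remote peer.
"""
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1(SPIi | SPIr | IP | Port): the data of a NAT_DETECTION_*_IP notify."""
    packed_ip = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_detection(spi_i, spi_r, src, dst):
    """What the sender puts in IKE_SA_INIT: hashes of the addresses *it* believes it uses."""
    return {"NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, *src),
            "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, *dst)}


def check_nat(spi_i, spi_r, notifies, received_from, received_at):
    """Recipient side: recompute over the addresses actually seen on the wire.

    A mismatch on the peer's SOURCE hash means the peer is behind a NAT; a
    mismatch on the DESTINATION hash means we are. Either way both sides move
    to UDP/4500 with UDP encapsulation, so that port must be passable too.
    """
    peer_nat = notifies["NAT_DETECTION_SOURCE_IP"] != nat_detection_hash(spi_i, spi_r, *received_from)
    own_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != nat_detection_hash(spi_i, spi_r, *received_at)
    return {"peer_behind_nat": peer_nat, "we_are_behind_nat": own_nat,
            "use_udp_4500": peer_nat or own_nat}


def simulate(initiator_addr, on_wire_addr, responder_addr):
    """Initiator at initiator_addr sends IKE_SA_INIT; the responder sees it arrive from on_wire_addr."""
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes(8)   # SPIr is zero in the first message
    notifies = build_nat_detection(spi_i, spi_r, initiator_addr, responder_addr)
    return check_nat(spi_i, spi_r, notifies, received_from=on_wire_addr, received_at=responder_addr)


MX_WAN = ("192.168.1.37", 500)        # from the post: dynamic private address on WAN 1
ISP_PUBLIC = ("192.0.2.1", 500)       # constructed stand-in for the ISP router's public side
REMOTE_PEER = ("198.51.100.20", 500)  # constructed remote MX

if __name__ == "__main__":
    print("MX behind ISP NAT:     ", simulate(MX_WAN, ISP_PUBLIC, REMOTE_PEER))
    print("MX with its own public IP:", simulate(ISP_PUBLIC, ISP_PUBLIC, REMOTE_PEER))
```

The mismatched source hash is exactly what tells the remote MX that this side is behind a NAT, after which both peers move to UDP/4500 with UDP encapsulation; an ISP router that only passes UDP/500, or passes neither, therefore breaks the tunnel even if IKE_SA_INIT gets out. It is also why an IKE identity that defaults to the local IP address (192.168.1.37 here) will not match what the peer sees, which is the point of ChrisJ2's remark about the local and remote ID fields.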

alemabrahao
Kind of a big deal

Hello

Unfortunately, it is not possible; when in doubt about FortiGate, it would be interesting to check with their community.
athan1234
A model citizen

Okay, but could you confirm if it is possible to change the setup in Meraki so that the router is in NAT mode? Also, how can I know if the Meraki router is blocking UDP port 500 for the IPsec tunnel?

alemabrahao
Kind of a big deal

Meraki devices do not have a "like indicator" mode, but you can set up a non-Meraki VPN peer.

To find out if Meraki is blocking you can check the Meraki logs, or even check if there is a rule that is configured to block port 500, which I personally find difficult since Meraki by default allows everything, unless you have explicitly created a rule.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers
athan1234
A model citizen

yes, I know that Meraki allows all traffic. The problem is that the provider's router is not in bridge mode. If you look, the communication goes through a private IP (the default gateway router). It's possible that the provider doesn't have port forwarding configured and is not allowing . . 

athan1234
A model citizen

It was solved; the problem was in the provider.
