IPsec Tunnel Traffic Failure After Migrating Firewall to Meraki MX105

Solved
lc-gabriellima
Comes here often


Hello everyone,

I need some help with the following scenario:
I have a network where a Linux server acts as the gateway and is connected to a switch. From that switch, traffic goes to my Meraki MX105, which then forwards it to the Internet. There’s also an IPsec tunnel between the Linux gateway and a remote network called “Urbana.”

Previously, I was using iptables on the Linux server as the firewall and the tunnel worked flawlessly. After migrating the firewall function to the MX105, the IPsec tunnel shows as UP, but no traffic is passing through it.

Has anyone encountered this issue, or does anyone know what might be blocking the packets? Any suggestions would be greatly appreciated!

1 Accepted Solution
JonoM
Meraki Employee

Hi @lc-gabriellima,

As mentioned above, port forwarding rules may be required in this instance to ensure that the appropriate IPSec VPN traffic is sent from the MX WAN interface to your internal Linux server. You can find more information about this in the linked documentation.

When you're taking packet captures, make sure that you take them from both the MX LAN interface and the Internet interface. Use a filter expression of 'host X.X.X.X' where X.X.X.X is the IP address of the remote VPN peer. If you see the traffic on both the LAN and Internet interface, then it means the MX is processing it correctly and sending it out, indicating that there could be an issue further upstream.

If you need additional assistance in reviewing the packet capture, you can always reach out to Meraki Support and open a case and we'll be happy to look over it in more detail.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.


3 Replies
alemabrahao
Kind of a big deal

Try running a packet capture.

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Packet_Capture_Overvi...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
cmr
Kind of a big deal

Is the IPSEC tunnel initiated at your end?

Do you have inbound forwarding to the Linux server for ports 500 and 4500?

Was the Linux server behind another firewall before, or direct on the internet?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
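Added example, not code from the thread or from Meraki: it applies the reasoning in JonoM's accepted answer (capture on both the MX LAN and Internet interfaces with a 'host X.X.X.X' filter) and cmr's question about forwarding UDP 500 and 4500, to simplified capture records and reports where the IKE/NAT-T flow stops. All addresses and the record format are constructed placeholders.

```python
# Added example, not from the thread: apply the accepted answer's logic to simplified
# records from 'host <peer>' captures on the MX LAN and Internet (WAN) interfaces.
PEER = "203.0.113.10"      # remote "Urbana" IPsec peer (constructed placeholder)
MX_WAN = "198.51.100.5"    # MX105 WAN address (constructed placeholder)
GATEWAY = "192.168.10.2"   # internal Linux gateway (constructed placeholder)

# Records are (interface, src, dst, proto, dst_port). ESP (IP proto 50) has no ports
# and cannot be port-forwarded, so a NATed peer moves to UDP 4500 (NAT-T): both
# 500 and 4500 have to reach the gateway.
SAMPLE = [
    ("lan", GATEWAY, PEER, "udp", 500),   # gateway starts IKE
    ("wan", MX_WAN, PEER, "udp", 500),    # MX NATs it out of the WAN
    ("wan", PEER, MX_WAN, "udp", 500),    # peer answers to the MX WAN IP
    ("lan", PEER, GATEWAY, "udp", 500),   # 500 is forwarded, answer reaches gateway
    ("lan", GATEWAY, PEER, "udp", 4500),  # NAT-T detected, IKE/ESP move to 4500
    ("wan", MX_WAN, PEER, "udp", 4500),
    ("wan", PEER, MX_WAN, "udp", 4500),   # 4500 arrives on the WAN...
    # ...but no ("lan", PEER, GATEWAY, "udp", 4500): 4500 is not forwarded.
]

def classify(records, peer):
    # Return the set of (interface, direction, service) seen for this peer.
    seen = set()
    for iface, src, dst, proto, dport in records:
        if peer not in (src, dst):
            continue                       # same effect as the 'host X.X.X.X' filter
        direction = "in" if src == peer else "out"
        if proto == "udp" and dport == 500:
            service = "ike"
        elif proto == "udp" and dport == 4500:
            service = "nat-t"
        elif proto == "esp":
            service = "esp"
        else:
            continue                       # unrelated traffic to/from the peer
        seen.add((iface, direction, service))
    return seen

def verdict(seen):
    """Map what was seen on each side of the MX to a likely cause."""
    side = lambda iface, direction: {s for i, d, s in seen if (i, d) == (iface, direction)}
    out_lan, out_wan = side("lan", "out"), side("wan", "out")
    in_wan, in_lan = side("wan", "in"), side("lan", "in")
    if out_lan and not out_wan:
        return "mx-not-sending"            # MX drops outbound IKE/NAT-T
    if out_wan and not in_wan:
        return "upstream"                  # MX sent it, no reply: look beyond the MX
    missing = in_wan - in_lan
    if missing:
        return "missing-port-forward:" + ",".join(sorted(missing))
    return "mx-ok" if in_wan else "no-traffic"
```

Run `verdict(classify(SAMPLE, PEER))` on the constructed records above and it reports that UDP 4500 reaches the WAN but never the LAN, which is the missing forwarding rule the thread points at.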