IPsec Tunnel to VMware NSXv - Can't seem to get it to work......

thomasthomsen

I'm trying to set up an IPsec tunnel to a VMware NSXv but it fails.

We have tried IKEv1, IKEv2 but it just fails.

Has anyone ever tried to set this up?

The config options are very limited in both ends (and the debugging options are horrible on the MX end), so we are kind of at a loss.

We think that it might be because the MX sends the configured nets as 3 packets (one for each net, proxy ID something), whereas the NSX sends one with all nets?

I'm at a loss....

/Thomas

RomanMD

I have never tried with NSXv but I have tried to set up a VPN between two MX in different organizations, so had to use 3rd party VPN.

I had quite a challenge to make it work, until I found that the Private subnets advertised by Meraki have to be specified exactly as they are configured on the box.

If you have configured two /24 networks, you should specify in the "Private subnets" the same two networks, you can't supernet them as one /23.

Maybe this helps.
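The exact-match requirement described in the reply above can be checked offline before touching either device. The following is an added example, not part of any post in this thread: `compare_selectors` is a hypothetical helper, the subnets are constructed sample values, and IPv4 is assumed throughout.

```python
import ipaddress

def compare_selectors(configured, peer_entry):
    """Compare the subnets configured on one VPN peer (`configured`) with
    the subnets the other peer has entered for it (`peer_entry`).
    Returns a list of (kind, network, related_networks) findings;
    an empty list means both lists match exactly."""
    local = {ipaddress.ip_network(n) for n in configured}
    remote = {ipaddress.ip_network(n) for n in peer_entry}
    findings = []
    for net in sorted(remote - local):
        # Configured networks that sit inside the peer's entry (peer supernetted).
        inside = sorted(l for l in local if l.subnet_of(net))
        # Configured networks that contain the peer's entry (peer too narrow).
        around = sorted(l for l in local if net.subnet_of(l))
        if inside:
            kind, related = "supernet", inside
        elif around:
            kind, related = "too-narrow", around
        else:
            kind, related = "unknown", []
        findings.append((kind, str(net), [str(r) for r in related]))
    for net in sorted(local - remote):
        # Only report networks the peer does not cover at all; overlapping
        # ones were already reported above as supernet / too-narrow.
        if not any(net.overlaps(r) for r in remote):
            findings.append(("missing", str(net), []))
    return findings

# Constructed sample: one side has two /24s plus a third network,
# the other side has summarised the first two as a single /23.
CONFIGURED = ["10.10.0.0/24", "10.10.1.0/24", "10.20.0.0/24"]
PEER_ENTRY = ["10.10.0.0/23", "10.20.0.0/24"]

if __name__ == "__main__":
    for kind, net, related in compare_selectors(CONFIGURED, PEER_ENTRY):
        print(f"{kind:10} {net:18} {', '.join(related)}")
```
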

 

Well that part I kinda knew 🙂

It's just so strange.

We simply cannot get this to work.

Bruce

Just looking back on your comment around the MX sending the subnets as three packets, and NSX expecting them as one, have you tried just a single subnet?

Yeah, sorry we can't do that in this network at the moment.

Because it's already also running an IPsec to Azure (that works just fine 🙂 ).

And let's say that worked, what should we do then?

I don't really see a workaround 😕, but perhaps I'm missing something.

I have tried some packet capture, to see if I could troubleshoot the problem, but all I see is the 6 initial packets back and forth, and then just an information packet. Then it starts over.

/Thomas
