IPsec Tunnels not establishing to Non Meraki Peers.

mrpackethead_
Getting noticed

First, as background:

I have a Meraki network with multiple 'very' remote sites, which are connected via Starlink. This means I do not get a fixed IP address, and the address I have is CGNAT. My remote sites are spokes (MX68) and my hub (MX450) is at a datacenter where we have public address space. I need to provide access to some devices remotely. The hub is in routed mode. It is ONLY attached via a single internet port.

I set up port forwarding, and everything works nicely, as per the 1st drawing.

In order to make this work, I had to put this in routed mode. Forwarding is not available in concentrator mode.


Now the problem.

I now want to be able to create some IPsec tunnels to a non-Meraki peer outside of the network, from a server in our datacenter to another server (see diagram).

Routing is configured so that traffic for the remote network is forwarded to the MX450, and this was confirmed by doing a packet capture; I can see the traffic arrive.

I have set up the non-Meraki peer, but when I send traffic, the MX450 does not attempt to stand up the VPN. I do not see any activity in the logs. I can see the remote peer attempting to initiate the VPN (captured packets). It does nothing to respond.

I have to run this in routed mode for the inbound port forwarding to work.

(a) Is the problem with the VPN because there is only one interface? Will a non-Meraki IPsec VPN work if the traffic being encrypted is arriving on the same interface as the IPsec tunnel is going outbound?

(b) If this is the case, do I need to connect another interface between the Meraki and my router (a so-called internal interface)?



[attached network diagram]

8 Replies
alemabrahao
Kind of a big deal

From what I understand, you are trying to configure the tunnel only with the correct hub?

In practice, it should work; there are no limitations. Have you managed to capture packets on the WAN interface of the MX?

See the troubleshooting guide.

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

mrpackethead_
Getting noticed

The IPsec tunnel needs to be created between my MX450 and the non-Meraki peer, in someone else's network. The traffic of interest comes from the server shown in the diagram, going to the other server behind the non-Meraki peer.

When I do a packet capture, I can see packets from the server arriving at the MX450. I can also see the remote peer attempting to initiate the VPN. The MX, however, does nothing.

Meraki support has told me that this won't work; the inbound traffic needs to be on a different interface, OR the device needs to be in one-armed/concentrator mode.


cmr
Kind of a big deal

Is the device not in one-armed mode already? You state that only one port is connected, presumably WAN1.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
mrpackethead_
Getting noticed

No, the device is not in one-armed mode. Yes, only one port (WAN1) is connected.

Running in one-armed mode means that port forwarding, and several other important and useful features, are no longer available.

cmr
Kind of a big deal

Then I think you can't do what you want here.

To me it looks like you are trying to connect an IPsec tunnel over the WAN (quite normal) to a device on the WAN.

Out of interest, does port forwarding work? I'd have thought that would only forward WAN-presented ports (as you have) to LAN devices, whereas you only have WAN devices.
mrpackethead_
Getting noticed

Port forwarding works, and so does forwarding my traffic from the Meraki VPN to my local servers and up to the cloud (connections off the router in the diagram). The only thing I can't make work is trying to get a VPN up to a non-Meraki VPN.

PhilipDAth
Kind of a big deal

Personally, I would deploy strongSwan on Ubuntu at your hub location (because it is free and excellent). Build the IPsec VPN from that to strongSwan. Then strongSwan and your hub MX only need static routes between each other.

Failing that, I would buy and run a Cisco vASA at your hub location.

Another option would be to buy something like an MX67, run it in VPN concentrator mode, and ask the remote party to host it at their location. They could then add a static route on their firewall to the MX and treat it like an MPLS WAN router.

Failing that, you could buy a little Cisco Firepower 1010 with ASA software, put it at your hub, and dedicate it to terminating non-Meraki VPNs. You would have static routes between your MX and the Firepower.

No matter which solution you choose, my recommendation is to use an additional device (either virtual or physical).
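As an added illustration of the strongSwan option above (this is not configuration from the thread or from Meraki; it is an example written for this page), here is a minimal swanctl.conf for a dedicated strongSwan VM at the hub terminating an IKEv2 tunnel to a third-party peer with a pre-shared key. All addresses, prefixes, identities and proposals are assumed placeholders: 203.0.113.10 is the VM's public address, 198.51.100.20 the non-Meraki peer, 10.10.0.0/24 the datacenter server subnet and 172.16.50.0/24 the subnet behind the peer. The proposals must be aligned with whatever the remote side actually supports.

```conf
# /etc/swanctl/swanctl.conf  (example only; all values are assumed placeholders)
connections {
    dc-to-partner {
        # Public address of the strongSwan VM and of the non-Meraki peer (assumed).
        local_addrs  = 203.0.113.10
        remote_addrs = 198.51.100.20

        # IKEv2 only; IKE SA proposal (assumed, must match the remote peer).
        version   = 2
        proposals = aes256-sha256-ecp256

        # Both sides authenticate with a pre-shared key keyed on their IP identity.
        local {
            auth = psk
            id   = 203.0.113.10
        }
        remote {
            auth = psk
            id   = 198.51.100.20
        }

        children {
            server-net {
                # Traffic selectors: datacenter servers <-> subnet behind the peer (assumed).
                local_ts  = 10.10.0.0/24
                remote_ts = 172.16.50.0/24

                # ESP proposal with AEAD cipher and PFS (assumed, must match the remote peer).
                esp_proposals = aes256gcm16-ecp256

                # Install a trap policy so the first matching packet from the
                # servers triggers tunnel establishment; re-establish on DPD failure.
                start_action = trap
                dpd_action   = restart
            }
        }

        # Dead peer detection interval.
        dpd_delay = 30s
    }
}

secrets {
    # PSK for the peer; replace with a long random secret agreed out of band.
    ike-partner {
        id-1   = 198.51.100.20
        secret = "replace-with-a-long-random-psk"
    }
}
```

Load it with `swanctl --load-all` and check the result with `swanctl --list-sas`. For the routing that the reply above refers to: the device that carries the server traffic (the MX or the router in front of it) needs a static route for 172.16.50.0/24 pointing at the strongSwan VM, the VM needs IP forwarding enabled (`net.ipv4.ip_forward=1`) and a route back to 10.10.0.0/24, and the route into the tunnel itself is installed by strongSwan's charon daemon (by default in routing table 220) when the CHILD_SA comes up, so no manual route for the remote subnet is needed on the VM.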

mrpackethead_
Getting noticed

Some good ideas there, Phillip.
I have a very capable router (8500-12X) and I could run IPsec VPNs off there; however, that router is right out on the edge and I don't want to be sending unencrypted data to it.

Putting the small appliance on the other end is unlikely to be able to happen. In some circumstances it would be a good idea.

Running strongSwan is an easy enough idea for me as well. I have spare capacity at the datacenter and can spin up some more virtual machines.

I was thinking of creating additional interfaces on the MX450s, but that does add some complexities to the routing that can be avoided with strongSwan. I only have a small number of VPNs; it's an easy idea.