Is it possible to establish a non-Meraki VPN with the MX as responder? (bi-directional)

blinked2579
Just browsing


Hello,

I think everything is in the question... I cannot find the answer in the documentation.

Is it possible to establish an IPsec tunnel between some remote appliance (let's say a Fortigate) and the Meraki, with the Fortigate as initiator?

Thanks

RWelch
A model citizen

[screenshot: IPSec.png]

I believe you can use the default IPSec Policy.

Site-to-Site VPN Settings 

blinked2579
Just browsing

Hello,

You are showing the predefined IPsec policies that configure the encryption algorithms; this does not answer my question.

Thanks,

Arnaud

RWelch
A model citizen

Unfortunately I am not familiar with the Fortigate end of the equation, but as long as the settings (or presets) match on both ends of the equation it should work. Maybe you can step through the settings to verify they match.

blinked2579
Just browsing

The question is: which IP am I supposed to put as the remote IP on the Fortigate side, the one that is seen as the WAN IP of the MX in the Meraki cloud?

RWelch
A model citizen

Remote ID field (if that is what you are referring to): This optional field is to identify the remote peer. This is to be configured when the Local ID of the remote peer is anything other than its Public IP.

RWelch
A model citizen

Public IP or Hostname is usually the Dynamic DNS of the other appliance (at least it is in my configurations or setups).

blinked2579
Just browsing

@RWelch I think we don't understand each other. The purpose of my question is to establish a tunnel between a non-Meraki remote peer and a Meraki MX, but with the remote non-Meraki as a dial-up and the Meraki as responder. Again, my example:

 

Fortigate (dial-up) ---> Meraki (responder)

JonnyM
Getting noticed

Are you trying to say your Fortigate is on a dynamic IP and possibly behind NAT?

blinked2579
Just browsing

Hello @JonnyM

On the Fortigate side, the ISP router in front of it acts as a bridge and the Fortigate carries the public IPs directly. Details about the MX can be read below in my response to Roshan.

RoshanS
Meraki Employee

Greetings,

There is no known caveat with Fortigate when it comes to tunnel negotiations, but the MXen generally act as a responder with most peers, so this should absolutely work.

If a tunnel is down, then the MX can be forced to be an initiator by attempting to send interesting traffic to the peer's subnet.

If this does not seem to be the case or if it's not working as expected, please open a support case for further investigation. Please let us know if you have any questions.

blinked2579
Just browsing

Hello @RoshanS

Thanks for the answer.

In our case, the MX has a private IP on its WAN interface; it is connected by a dedicated LAN to an ISP router that carries the public IP. We have no inbound NAT/DNAT rules on the ISP router, only SNAT that permits the hub to reach the Meraki cloud.

We've tried to DNAT the IKE traffic (UDP 500/4500) on the ISP router to the Meraki WAN IP (so a private IP), and it doesn't work. We have no logs on the Meraki side, and the traces on the ISP router show no responses from the Meraki, as if it drops the packets.

(Also, I read somewhere - couldn't find where - that it is not good practice to configure the ISP router as a bridge and make the Meraki carry the public IPs directly.)

Thanks

AhmedBadawy
Comes here often

In your case, the MX has a private IP on its WAN interface; it is connected by a dedicated LAN to an ISP router that carries the public IP. There are no inbound NAT/DNAT rules on the ISP router, only SNAT that permits the hub to reach the Meraki cloud.

You have two possible options with the ISP router.

Option 1: You configure port forwarding for the VPN ports in the ISP router, so the Meraki can respond back. I deployed this solution in my home lab and it is operational. This solution works fine for remote access VPN and Site-2-Site VPNs.

Option 2: You ask the ISP for a static IP subnet, and configure static one-for-one NAT in the ISP router for the Meraki outside private IP. The Meraki will act as if it hosts the public IP of the NAT config in the ISP router.

I hope this helps.

blinked2579
Just browsing

Hello @AhmedBadawy

Thanks for the response.

So in solution 1, we forward the UDP/500 & UDP/4500 ports on the ISP router's public IP to the MX WAN private IP?

AhmedBadawy
Comes here often

Yes
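Added example, not from the thread or from any vendor documentation: the two ISP-router options above rendered as a Linux nftables ruleset, for readers whose upstream device is a Linux box rather than a vendor router. Addresses and interface names are placeholders: 198.51.100.10 is the router's public IP, 198.51.100.11 a second public IP for option 2, 192.0.2.2 the MX WAN private IP, eth0 the ISP uplink and eth1 the LAN toward the MX.

```nftables
# Placeholder addresses (assumption, not from the thread):
#   198.51.100.10 = router public IP, 198.51.100.11 = spare public IP (option 2)
#   192.0.2.2     = MX WAN private IP
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Option 1: forward only IKE (UDP/500) and NAT-T (UDP/4500) to the MX,
        # so an inbound IKE_SA_INIT from the Fortigate reaches the MX as responder.
        iifname "eth0" ip daddr 198.51.100.10 udp dport { 500, 4500 } dnat to 192.0.2.2

        # Option 2 (use instead of option 1): one-to-one NAT of a dedicated public
        # IP onto the MX. Every inbound port then lands on the MX, so the forward
        # chain below is what limits exposure.
        # iifname "eth0" ip daddr 198.51.100.11 dnat to 192.0.2.2
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # The pre-existing SNAT-only setup: enough for the MX to reach the Meraki
        # cloud, but unsolicited inbound IKE has no translation and is dropped,
        # which matches the "no response from the Meraki" trace in the thread.
        oifname "eth0" ip saddr 192.0.2.2 snat to 198.51.100.10

        # Option 2 outbound half: present the MX from its dedicated public IP.
        # oifname "eth0" ip saddr 192.0.2.2 snat to 198.51.100.11
    }
}

table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept

        # Admit only the DNATed IKE/NAT-T packets toward the MX. Once NAT-T is
        # detected, ESP is carried inside UDP/4500, so no bare ESP rule is needed.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.2 \
            udp dport { 500, 4500 } ct state new accept

        # MX-originated traffic (Meraki cloud, MX-initiated tunnels) may leave.
        iifname "eth1" oifname "eth0" accept
    }
}
```

Because the MX keeps a private WAN address behind either option, verify on the Fortigate which IKE identity the MX actually presents (the Remote ID field discussed earlier in this thread) rather than assuming it equals the public IP.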
