Is it possible to establish a non-meraki VPN with the MX as responser ? (bi-directional)

blinked2579
Just browsing

Is it possible to establish a non-meraki VPN with the MX as responser ? (bi-directional)

Hello,

 

I think everything is in the question... i cannot find the answer in the documentation.

 

Is it possible to establish an IPSEC tunnel between some remote appliance (let's say a Fortigate) and the Meraki, with the Fortigate as initiator

 

Thanks

14 Replies 14
RWelch
Head in the Cloud

IPSec.png

I believe you can use the default IPSec Policy.

Site-to-Site VPN Settings 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
blinked2579
Just browsing

Hello,

 

You are showing the predefined IPSec policies that configures the encryption algorithms, this is not answering my question. 

 

Thanks,

Arnaud

RWelch
Head in the Cloud

Unfortunately I am not familiar with the Fortigate end of the equation but as long as the settings (or presets) match on both ends of the equation it should work.  Maybe you can step through the settings to verify they match.  

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
blinked2579
Just browsing

The question is : which IP i'm supposed to put as a remote IP on the Fortigate side, the one that is seen as the WAN IP on the MX on the Meraki cloud ?

RWelch
Head in the Cloud

Remote ID field (if that is what you are referring to): This optional field is to identify the remote peer. This is to be configured when the Local ID of the remote peer is anything other than its Public IP.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
RWelch
Head in the Cloud

Public IP or Hostname is usually the Dynamic DNS of the other appliance (at least it is in my configurations or setups).

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
blinked2579
Just browsing

@RWelch I think we don't understand each other. The purpose of my question is to establish a tunnel between a non-meraki remote peer and a Meraki MX, but with the remote non-meraki as a dial-up and the Meraki as responder. Again my exemple:

 

Fortigate (dial-up) ---> Meraki (responder)

JonnyM
Getting noticed

Are you trying to say your Fortigate is on a dynamic IP and possibly behind NAT?

blinked2579
Just browsing

Hello @JonnyM 

 

On Fortigate side, the ISP router in front of it acts as a bridge and the Fortigate carries the public IPs directly. Details about the MX can be read below in my response to Roshan.

RoshanS
Meraki Employee
Meraki Employee

Greetings,

 

There is no known caveat with Fortigate when it comes to tunnel negotiations but the MXen generally act as a responder with most peers so this should absolutely work. 

 

If a tunnel is down, then the MX can be forced to be an initiator by attempting to send over interesting traffic to the peer's subnet. 

 

If this does not seem to be the case or if it's not working as expected, please open a support case for further investigation. Please let us know if you have any questions. 

blinked2579
Just browsing

Hello @RoshanS 

 

Thanks for the answer

 

In our case, the MX has a private IP on it's WAN interface, it is connected by a dedicated LAN to an ISP router that carries the public IP. We have no inside NAT/dNAT rules on the ISP router, only sNAT that permit the hub to reach the Meraki cloud.

 

We've tried to dNAT the ike trafic 500/4500 on the ISP router to the Meraki WAN IP (so a private IP), and it doesn't work. We have no logs on Meraki side and the traces on the ISP router shows no responses for the Meraki, like it drops the packets.

 

(Also I read somewhere - couldn't find where - that this is not a good practice to configure the ISP router as a bridge and make the Meraki carry the public IPs directly.)

 

Thanks

AhmedBadawy
Comes here often

in your case, the MX has a private IP on it's WAN interface, it is connected by a dedicated LAN to an ISP router that carries the public IP. there is no inside NAT/dNAT rules on the ISP router, only sNAT that permit the hub to reach the Meraki cloud.

 

You have two possible options with ISP router.
Option 1: you will configure port forwarding for the VPN ports in the ISP router, so the Meraki can respond back. I deployed this solution in my home lab and it is operational.
This solution works fine for remote access VPN and Site-2-Site VPNs.

Option 2: You ask the ISP for a static IP subnet, and configure static one-for-one NAT in the ISP router for the Meraki outside private IP. the Meraki will act as it hosts the public IP of the NAT config in the ISP router.

I hope this helps.

blinked2579
Just browsing

Hello @AhmedBadawy 

Thanks for the response

So in the solution 1, we forward the udp/500 & udp/4500 ports on the ISP router public IP to the MX WAN private IP ?

AhmedBadawy
Comes here often

Yes

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels