I have an MG51 which is connected to MX95 WAN port 4. I am trying to establish an IPsec VPN to a non-Meraki firewall but I can't get the tunnel working. When the MG IP addressing & NAT deployment mode is 'Routed', I can see the MG providing IP address 172.31.128.x at the MX WAN2 uplink (SFP+ is not installed to WAN2), but the IPsec VPN is not established. Otherwise the connection to the MX works on this setting.
When trying to use 'Passthrough' mode on the MG, the MX95 WAN 2 uplink status is 'Failed', and the connection to the MX is not working at all.
Why is the MG not forwarding the IP address provided by the carrier to the MX in 'Passthrough' mode?
There are a number of differences in configuration between Routed and passthrough modes on the MX:
"Secondary uplink cannot be used for Internet connectivity" - this can't be true since the Meraki use case shows that the MG can be used for WAN failover.
For the DHCP: the Dashboard states for Passthrough mode: "This option can be used to disable the MG cellular gateway NAT. In this mode, the MG will forward the IP address provided by the carrier to a client behind it."
Cellular uplink: I'm not using the cellular uplink on the MX.
"Why is the MG not forwarding the IP address provided by the carrier to the MX in 'Passthrough' mode?"
@alemabrahao I think the context is needed, I may be wrong, but I read it as the MG in passthrough mode:
When trying to use 'Passthrough' mode on the MG, the MX95 WAN 2 uplink status is 'Failed', and the connection to the MX is not working at all.
Why is the MG not forwarding the IP address provided by the carrier to the MX in 'Passthrough' mode?
It was not clear how the MX operated. I'm not a native English speaker, so the lack of details sometimes makes it difficult.
This is how the connection is built.
WAN 1 is the primary uplink, but MG51 is connected directly to the MXs as a failover WAN.
The Non-Meraki VPN tunnel will only be established between the Active WAN interface and the configured non-Meraki VPN peer. Typically, the WAN1 interface is the Primary interface, and assuming it is up, it will be considered the active interface, and the Non-Meraki VPN tunnel will be established over WAN 1 only (Port 3) and not WAN2 (Port 4). The MX will try to establish the VPN tunnel to the Non-Meraki Peer if WAN1 fails or if WAN2 is the Primary connection. You can change which WAN interface is the Primary interface on the "Security & SD-WAN > Configure > SD-WAN & Traffic Shaping" Page.