MX 15+ firmware with AWS native VPN - What to use for the Remote ID?

jguidali
Just browsing

MX 15+ firmware with AWS native VPN - What to use for the Remote ID?

As you are probably aware, since MX 15 establishing site-to-site VPNs with non-Meraki peers (sometimes) requires entering the Remote ID of the peer - release notes noted below:

 

Due to underlying changes present in MX 15, MX appliances will now strictly validate the remote ID parameter during VPN tunnel formation. If you notice issues with non-Meraki VPN tunnel connectivity after upgrading to MX 15 for the first time, please ensure the remote ID configured in the site-to-site VPN page for a given non-Meraki peer matches what is configured as the local ID on that device.

 

Contacting Meraki and AWS support, they have not been able to assist in telling us how to find the Remote ID (Local ID) for the virtual private gateway.  Has anyone had success with this?  I am kind of floored that Meraki support hasn't ran into this yet.

 

Thanks so much

5 Replies 5
Bruce
Kind of a big deal

Often it’s just the IP address of the device at the far end.

AlexP
Meraki Employee
Meraki Employee

There's only three things it can be:

 

  1. An FQDN you've set on that end
  2. A User FQDN (e.g. you@example.fake)
  3. A public or private IP

Which one it needs depends wholly on your setup. If you haven't explicitly set 1 or 2 on the AWS side somewhere, then you'd use 3, but that should only be needed if the actual endpoint you're connecting to is behind a NAT.

jguidali
Just browsing

For those that have replied - thank you for taking the time to answer. 

 

However, if you are not familiar with AWS native site-to-site VPNs, they do not expose a FQDN, any username, or the internal IP of the AWS VPN connection.  We have tried the public IP, the VPN ID (which is not a FQDN), and 0.0.0.0, to no avail. 

 

Just today I see that AWS now has a configuration listed for MX 15.12+ however, the configuration still does not contain any information about the local ID of the AWS side - here is a redacted extract of the configuration file:

 

! Amazon Web Services
! Virtual Private Cloud

! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.

! Your VPN Connection ID : vpn-redacted
! Your Virtual Private Gateway ID : vgw-redacted
! Your Customer Gateway ID : cgw-redacted

! This configuration consists of two tunnels. Cisco Meraki is a Policy based VPN device and it doesn't support
! Active/Standby setup with AWS hosted VPN solution. You can configure only one of the two tunnels as active.

! --------------------------------------------------------------------------------------------------------------------
! IPSEC Tunnel #1
! --------------------------------------------------------------------------------------------------------------------

! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime,
! and key parameters.The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key
! parameters.Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
!
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT). To
! ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500.
| If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T. If you are using an Accelerated VPN, make sure that NAT-T is enabled.

On the Cisco Meraki Dashboard, go to Security Appliance --> Configure --> Site-to-Site VPN
Local networks: Select "yes" under "Use VPN" for the subnet you want to include in the source encryption domain.

! AWS hosted VPN solution is a route-based solution, since Cisco Meraki only supports policy-based solution you will need to limit to a single SA. So please make sure to
! select "yes" for just one subnet, if you have more than one subnet, consolidate them into a single subnet before proceeding with the VPN configuration.

Under Organization-wide settings --> Non-Meraki VPN peers
Name: ipsec-vpn-redacted-0
Public IP: redacted
Private subnets: <vpc_subnet>/<vpc_subnet_mask>
IPsec policies: Click “Default”, select “AWS” under the Preset menu and "Update"
Preshared secret: redacted
Availability: All networks

! To bring up the VPN tunnel, interesting traffic should be initiated from a host behind Cisco Meraki. Use the "ping" command with the instance's private IP address.
! ping <EC2 instance's private IP address> source <on-premise host IP address>

 

So at this point I am still not sure what to use for the Remote ID on the Meraki side for the VPN tunnel. If anyone has had success with this please let me know how you configured the Meraki Remote ID. 

 

Again thank you for your replies.

AlexP
Meraki Employee
Meraki Employee

If you're having issues, I would contact support and tell them you suspect it's an ID issue - there is logging we have access to when the tunnel is built that will determine if the root cause of this is an ID mismatch, and it should tell us what AWS is trying to present that's incorrect if so.

jay_b
Getting noticed

@AlexP  @jguidali 


I am in same boat too. I've also contacted Meraki support but they didn't help at all. Not sure where to  get help from!!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels