Hello,
I configured a site-to-site VPN peering to a non-Meraki firewall device, with the parameters below:
IKEv2
Phase 1 encryption: AES256
Phase 1 authentication: SHA256
Phase 1 Pseudo-random Function: SHA256
Diffie-Hellman group: 14
Lifetime (seconds): 28800
Phase 2 encryption: AES256
Phase 2 Authentication: SHA256
PFS group: 14
Lifetime (seconds): 28800
I also made sure the pre-shared key is correctly entered at both ends.
However, the tunnel does not form. I did packet capturing on the MX250 WAN1 side, which is my primary WAN, and do not see a single packet going out to the remote peer's IP. I tried changing the parameters and re-configuring everything to trigger the VPN negotiation packets, but did not get a single packet out to the remote peer.
I do have another non-Meraki VPN peer configured on the same MX250 to compare, and I can capture packets destined to that peer.
So my question is why the MX250 does not send any packets to the first non-Meraki peer at all? Any thoughts?
Thanks,
Fei.
Hi,
Since S2S settings are Org-Wide, have you specified the correct 'Availability' in the NMS2S settings?
With either a configured 'Tag' on your network or 'All Networks' (not recommended).
Also what MX firmware version are you running ?
Yes, I have specified the correct site to have this VPN applied. Firmware is MX 16.16.
Also, the non-Meraki peer is a SaaS VPN provider, and my Meraki firewall is in Mexico. I tried to peer with various VPN gateways from the SaaS provider, either in the US or in Mexico, and the Meraki firewall does not send out any packets.
I have a similar setup in the US, where the MX250 firewall in the US can establish a VPN to the same SaaS VPN provider, and I am able to capture packets from this US MX250 destined to the SaaS VPN provider's gateway over the Internet interface.
I only have one site and one firewall in Mexico, so I cannot narrow down whether it is a Mexico/ISP-related issue or whether this particular MX250 has an issue.
But you should still see in the packet capture the MX sending packets to the peer. They might get dropped by a router from the ISP upstream but that wouldn't change the fact the packets should be seen.
Silly question: have you tried to reboot it? I haven't had the chance to try 16.16 yet.
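A way to tell the two failure modes discussed above apart from a WAN capture, as an added example that is not from this thread or from Meraki: it decodes IKEv2 headers (RFC 7296) on UDP 500/4500 and reports whether IKE_SA_INIT was never sent at all (what Fei observed) or was sent but never answered (what an upstream ISP dropping IPsec looks like). The packet tuples, addresses and SPIs are constructed samples, not captured traffic.

```python
import struct
# IKEv2 header (RFC 7296 s.3.1): SPIi, SPIr, next payload, version, exchange, flags, msg ID, length.
IKE_HDR = struct.Struct("!QQBBBBII")   # 28 bytes, network byte order
IKE_SA_INIT, IKE_AUTH = 34, 35
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
def parse_ikev2_header(payload):
    """Decode an IKEv2 header; None if too short or not major version 2."""
    if len(payload) < IKE_HDR.size:
        return None
    spi_i, spi_r, _, ver, xchg, flags, msg_id, _ = IKE_HDR.unpack_from(payload)
    if ver >> 4 != 2:
        return None
    return {"spi_i": spi_i, "spi_r": spi_r, "exchange": xchg, "msg_id": msg_id,
            "response": bool(flags & FLAG_RESPONSE)}

def classify_ike(packets, local_ip, peer_ip):
    """packets: (src_ip, dst_ip, dst_udp_port, udp_payload) tuples from a WAN capture.
    no-initiation: our side never sent IKE (local fault); no-response: sent, peer never answered."""
    sent = replies = auth = 0
    for src, dst, dport, payload in packets:
        if dport == 4500:                  # NAT-T: four zero bytes mark IKE, otherwise it is ESP
            if payload[:4] != b"\x00\x00\x00\x00":
                continue
            payload = payload[4:]
        elif dport != 500:
            continue
        hdr = parse_ikev2_header(payload)
        if hdr is None:
            continue
        if (src, dst) == (local_ip, peer_ip) and not hdr["response"]:
            sent += 1
        elif (src, dst) == (peer_ip, local_ip) and hdr["response"]:
            replies += 1
        auth += hdr["exchange"] == IKE_AUTH
    if sent == 0:
        return "no-initiation"
    if replies == 0:
        return "no-response"
    return "ike-auth-seen" if auth else "sa-init-only"

def ike_header(spi_i, spi_r, xchg, flags, msg_id):
    # Bare IKEv2 header (next payload 33 = SA, version 2.0) used only to build constructed samples.
    return IKE_HDR.pack(spi_i, spi_r, 33, 0x20, xchg, flags, msg_id, IKE_HDR.size)

# Constructed traces with RFC 5737 addresses, not captures from the poster's MX250.
LOCAL, PEER = "203.0.113.10", "198.51.100.20"
TRACE_FILTERED = [(LOCAL, PEER, 500, ike_header(0x1111, 0, IKE_SA_INIT, FLAG_INITIATOR, 0))] * 3
TRACE_OK = TRACE_FILTERED[:1] + [
    (PEER, LOCAL, 500, ike_header(0x1111, 0x2222, IKE_SA_INIT, FLAG_RESPONSE, 0)),
    (LOCAL, PEER, 4500, b"\x00" * 4 + ike_header(0x1111, 0x2222, IKE_AUTH, FLAG_INITIATOR, 1))]
```

An empty capture toward the peer classifies as "no-initiation", which is the case in this thread and points at the MX itself rather than the path.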
I agree, I should at least be able to see some packets coming out of MX WAN interface. This is strange.
I have not rebooted the MX yet. I am scheduling the MX for it and will probably upgrade to 17.x (whichever newer code is allowed in the Meraki dashboard).
I will also switch to the secondary ISP as my primary ISP, to try the other ISP as the exit.
Thanks,
Fei.
Updates: I upgraded the firewall firmware to 17.x and also switched over the ISP in this site. After that, the VPN tunnel is up. I suspect the previous primary ISP blocks IPsec or has stricter network security (as I cannot ping my public IP either), which caused the issue.