MX64 to Sophos XG135 site to site VPN not getting connect

DG9

Dear Team,

We have an MX64 and have configured a site-to-site VPN tunnel with a Sophos XG135, but the tunnel is not coming up.

At the MX64 side, the internet is connected on the WAN port from the ISP router; the WAN port is getting a DHCP IP from the ISP's router.

At the Sophos side there is a static IP directly.

Both sides' IPsec profiles and PSK are the same, but it is still not connecting.


Kindly help with the same; waiting for your reply.

Thanks & Regards

Dhaval

5 Replies

PhilipDAth
Kind of a big deal

> WAN port is getting DHCP IP from ISP's router

If the MX is getting a private IP address from the ISP router, then you'll also need to NAT UDP/500 and UDP/4500 through to the MX.

GIdenJoe
Kind of a big deal

Small typo: You mean through the ISP router. 😉

DG9

Yes, the WAN port is getting a DHCP 192.168.29.X IP from the ISP's router.

But the MX does not have a static IP from the ISP, and the ISP router also has no static IP; the static IP is only at the Sophos side.

So where do we need to configure the NAT/port forward, because at the MX network side there is no static IP?

Thanks & Regards

Dhaval

GIdenJoe
Kind of a big deal

Please check your event log on both ends to see if both ends are actually communicating with each other.

I believe you will also have an issue with the IKE-ID.
Since at least your MX is behind a NAT, by default your MX will give its local WAN IP as the IKE-ID; this will not match its public IP address, so the other side will reject your authentication.

cmr
Kind of a big deal

You could use the dynamic DNS hostname instead of the IP. I'm sure the XGS supports that option as well.
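The NAT and IKE-ID points raised in the two replies above, modelled as an added example (not code from the thread, Meraki or Sophos): the responder's IKEv2 NAT-detection hash (RFC 7296, section 2.23) shows why a peer behind the ISP router is seen as NATed, and a plain identity comparison shows why its private WAN IP fails as IKE-ID while a hostname identity does not. All addresses, SPIs and the hostname are constructed.

```python
# Added example, not from the thread: IKEv2 NAT detection and a responder's
# peer-identity check, with constructed addresses and SPIs.
import hashlib
import ipaddress


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload value: SHA-1(SPIi | SPIr | IP | port)."""
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big")
    return hashlib.sha1(data).digest()


def initiator_is_behind_nat(spi_i, spi_r, claimed_ip, claimed_port, observed_ip, observed_port):
    """Responder side: the initiator hashed the address it believes it sends from;
    the responder recomputes over the source it actually observed. A mismatch
    means a NAT sits in between (and the peers switch to UDP/4500)."""
    claimed = nat_detection_hash(spi_i, spi_r, claimed_ip, claimed_port)
    observed = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return claimed != observed


def responder_accepts_identity(configured_remote_id: str, received_idi: str) -> bool:
    """Responder compares the received IDi payload with its configured remote ID exactly."""
    return configured_remote_id == received_idi


def evaluate(mx_wan_ip, isp_public_ip, mx_ike_id, sophos_remote_id):
    """Return what the responder concludes for one initiator configuration."""
    # Constructed SPIs; any 8-byte values serve the demonstration.
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
    behind_nat = initiator_is_behind_nat(spi_i, spi_r, mx_wan_ip, 500, isp_public_ip, 500)
    return {"behind_nat": behind_nat,
            "id_accepted": responder_accepts_identity(sophos_remote_id, mx_ike_id)}


# Scenario from the thread: MX gets a private 192.168.29.x address behind the ISP router.
MX_WAN_IP, ISP_PUBLIC_IP = "192.168.29.10", "203.0.113.5"
# Default behaviour: MX sends its private WAN IP as IKE-ID, Sophos expects the public IP.
DEFAULT = evaluate(MX_WAN_IP, ISP_PUBLIC_IP, MX_WAN_IP, ISP_PUBLIC_IP)
# Fix suggested in the replies: both ends identify the MX by a (dynamic DNS) hostname.
WITH_FQDN = evaluate(MX_WAN_IP, ISP_PUBLIC_IP, "branch.example.net", "branch.example.net")

if __name__ == "__main__":
    print("default IP identity:", DEFAULT)   # behind_nat True, id_accepted False
    print("hostname identity:  ", WITH_FQDN) # behind_nat True, id_accepted True
```

NAT detection itself is expected and harmless once UDP/500 and UDP/4500 are forwarded to the MX; it is the identity mismatch that the responder rejects.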
