Meraki-Fortigate VPN Site-to-Site non-meraki peer

Philbud
Getting noticed

Meraki-Fortigate VPN Site-to-Site non-meraki peer

Maybe someone can help me with this.

We are able to setup a non-meraki peer vpn between an MX100 and a Fortigate firewall.

I see that tunnel is up in vpn status but route never seems to go online in route table.

We are not able to ping from 1 subnet to another.

Are we missing something?

 

VPN status for tunnel: green

Route Table for tunnel: not online (grey)

 
15 REPLIES 15
Nash
Kind of a big deal

Couple thoughts:

 

Do your subnets match across the Fortigate config and the MX config?

 

Do your MX subnets participate in the vpn? You set this under the site to site VPN page.

 

When you look at the event log on the MX, do you see successful phase 2 negotiations?

Philbud
Getting noticed

Thanks for your help

 

When looking at the logs I see:

msg: IPsec-SA expired: ESP/Tunnel x.x.x.x[500]->x.x.x.x[500] spi=82540378(0x4eb775a)

msg: initiate new phase 2 negotiation: x.x.x.x[4500]<=>x.x.x.x[4500]

msg: IPsec-SA expired: ESP/Tunnel x.x.x.x[500]->x.x.x.x[500]

msg: x.x.x.x give up to get IPsec-SA due to time up to wait.

 

So I don't see a successfull phase 2 negotiations but vpn status is green when going in vpn status. Is that possible?

 

If subnet from fortigate sends ping to a local subnet of Meraki I see packet (if I do a packet capture) but packet never goes back accross. It seems to stay stuck on Meraki.

 

 

Nash
Kind of a big deal

VPN Status seems to mean phase 1 completed, in my experience. I have seen it stay green when I've had a log full of p2 time outs.

 

So, my thoughts, aka more questions:

 

1. You've verified that your subnets are the same between the Meraki and Fortigate?

2. The Meraki-side subnets are being correctly shared?

3. Did this tunnel ever work or is it new?

4. Your p2 settings match exactly?

 

Depending on the answers, I've got different suggestions.

Philbud
Getting noticed

Thanks for your help on this:

 

1) not sure what you mean here... We are in 172.16.10.x (meraki side) and 172.17.82.x (on fortigate side)

2) Yes subnets are shared

3) This is new tunnel

4) I think so but I'll double-check with Fortigate admin on the other side

 

Could it only be a p2 problem since we never get a p2 success in logs? That would be reason why we never get the route table active for vpn.

Nash
Kind of a big deal

Basically, you need to have the correct network and subnet mask under 'Private Subnets'. So assuming both sides have a /24 subnet mask, you'd put 172.17.82.0/24 as your 'Private Subnets'. The Fortigate end would configure their end to expect 172.16.10.0/24 traffic from you.

 

I'd double-check your P2 settings and subnets with the remote end. If they don't match, make sure they get matched up!

 

If you never get p2 established, you're not going to be able to send traffic.

PhilipDAth
Kind of a big deal
Kind of a big deal

Do you have more than one subnet in the encryption domain on your side?  If so, others had previsouly made this note for the Fortigate side:

 

"Needed to build an extra phase 2 tunnel instead of putting 2 subnets in one phase 2 configuration."

Thanks to you both, I'll take a look at those 2 things.

I have a feeling it's the p2 phase. We'll try to get a sucessfull results and see if it routes after that. I'll post the results here.

Best regards

Nash
Kind of a big deal

Good luck! You definitely need p1 and p2 both up in order to pass ya traffic successfully. I hope it gets sorted out smoothly.

Philbud
Getting noticed

Quick question:

In order for phase2 to end sucessfully do we need on fortigate to have all the route (in tunnel) that have VPN participation on on meraki even if they need to access only 1 subnet and same thing our side?

vpn participation.jpg

That is correct, any subnet in AutoVPN must be included in 3rd-party IPSEC VPN tunnel for Phase 2 to be successful.

Nash
Kind of a big deal

@JasonCampbell has it right.

 

So, for limiting the traffic:

 

Do you need to have all of those subnets available to participate in VPNs? If not, good time to edit.

 

If yes, set outbound rules on your site to site VPN firewall. Ask the Fortigate end to also set fw rules around the subnets that you don't want to share. That can help control the cross-chat.

Philbud
Getting noticed

Thanks @JasonCampbell and @Nash 

So if on the Fortigate side they already have some of those subnets (that I use on Meraki) already on their local network we are doomed?

With Fortigate we only need one route to work. 

So if I understand correctly what we want to do is impossible because we have a few subnets that are the same on both sides (even if we don't want to share those routes)?

 

Thanks again

Nash
Kind of a big deal

Oh dear. Yes, you're probably in a bind there. The MX does not do VPN NAT for third party tunnels. Could the Fortigate end do VPN NAT on your incoming traffic?

 

Do all of those subnets need to be shared out? Like, are they in use for other VPN tunnels?

Philbud
Getting noticed

Yes those subnets are in use with my other mx (site-to-site vpn) across my network!

Tunnel is coming up but tunnel route is not working because phase 2 doesn't complete successfully.

Trying to find a solution...this is frustrating!

Thanks for your help

 

NCarey
Conversationalist

Hi,

 

I know I'm bringing a thread back from the dead here, but did you ever get to resolve this?  We seem to be running into a similar issue ourselves and at our wits end on how to get the Phase 2's to complete properly - neither end has great logging to determine the exact issue!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels