I'm replacing a SonicWall TZ100w with a Meraki MX64W. Have most of it set up, but I'm stuck setting up the VPN from the Meraki to our core SonicWall: the Meraki lies behind a NAT device (Comcast modem), so the IP address isn't something I can put into the core SonicWall as a peer, since it will change. There appears to be some kind of peer identifier for the Meraki, but I can't find where it's listed. Also, the TZ100w had an aggressive mode, meaning the TZ100w would initiate the connection, so you didn't need a static on both ends, only the core end. Does the Meraki have something similar? I've seen some references to keepalive in a CLI, but I'm uncertain how to access that on the Meraki device.
Thanks
"The MX only supports main mode for phase 1 negotiation."
Our typical practice is to get a static public IP, then have the ISP's equipment configured to pass the static IP through to the MX btw. So I'd get you a static IP, put the modem into bridge mode (or equivalent), and then go from there.
You'll also want to make sure your SonicWall is set to use IKEv1 and that your lifetimes match. I've run into issues before where the remote-site SonicWall defaulted to IKEv2, which Meraki does not yet support.
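The replies above boil down to a short compatibility checklist for phase 1: the MX does IKEv1 main mode only, the SonicWall must not default to IKEv2, lifetimes (and the rest of the proposal) must match, and a NAT'd MX needs UDP 500 and 4500 forwarded. Below is an added example, not Meraki or SonicWall code, that encodes that checklist as a small pre-flight check you can run against the two configurations before touching the tunnel. The dictionary key names and the sample proposals are constructed for illustration; the version and mode constraints are the ones quoted in this thread.

```python
"""Pre-flight comparison of IKE phase 1 settings for an MX <-> SonicWall tunnel.

Added example, not vendor code. Key names and sample values are assumptions
chosen for illustration; adapt them to whatever your configs actually export.
"""

# Constraints quoted in the thread: the MX negotiates IKEv1 and main mode only.
MX_SUPPORTED_IKE_VERSIONS = {1}
MX_SUPPORTED_PHASE1_MODES = {"main"}

# IKE and NAT-Traversal ports that a NAT device in front of the MX must pass.
REQUIRED_UDP_PORTS = {500, 4500}

# Proposal fields that both ends must agree on for phase 1 to complete.
PROPOSAL_FIELDS = ("encryption", "hash", "dh_group", "lifetime_seconds")


def check_phase1_compat(mx, peer):
    """Return a list of human-readable problems; empty means phase 1 should agree."""
    problems = []

    # The MX side itself must be inside what the platform supports.
    if mx["ike_version"] not in MX_SUPPORTED_IKE_VERSIONS:
        problems.append(f"MX cannot use IKEv{mx['ike_version']}; only IKEv1 is supported")
    if mx["phase1_mode"] not in MX_SUPPORTED_PHASE1_MODES:
        problems.append(f"MX cannot use {mx['phase1_mode']} mode; only main mode is supported")

    # The classic failure from the thread: remote SonicWall left on IKEv2.
    if peer["ike_version"] != mx["ike_version"]:
        problems.append(
            f"IKE version mismatch: MX uses IKEv{mx['ike_version']}, "
            f"peer uses IKEv{peer['ike_version']}"
        )
    if peer["phase1_mode"] != mx["phase1_mode"]:
        problems.append(
            f"phase 1 mode mismatch: MX uses {mx['phase1_mode']}, peer uses {peer['phase1_mode']}"
        )

    # Lifetimes and the rest of the proposal have to line up field by field.
    for field in PROPOSAL_FIELDS:
        if mx[field] != peer[field]:
            problems.append(f"{field} mismatch: MX={mx[field]!r}, peer={peer[field]!r}")
    return problems


def missing_nat_forwards(forwarded_udp_ports):
    """Given the UDP ports the NAT device forwards to the MX, return those still missing."""
    return REQUIRED_UDP_PORTS - set(forwarded_udp_ports)


# Constructed sample configurations (not real device exports).
MX_PHASE1 = {
    "ike_version": 1, "phase1_mode": "main", "encryption": "aes256",
    "hash": "sha256", "dh_group": 14, "lifetime_seconds": 28800,
}
SONICWALL_DEFAULTED = dict(MX_PHASE1, ike_version=2)          # the IKEv2 default trap
SONICWALL_LIFETIME_OFF = dict(MX_PHASE1, lifetime_seconds=8 * 3600 + 1)
SONICWALL_FIXED = dict(MX_PHASE1)                             # matched by hand


if __name__ == "__main__":
    for name, cfg in (("defaulted", SONICWALL_DEFAULTED),
                      ("lifetime off", SONICWALL_LIFETIME_OFF),
                      ("fixed", SONICWALL_FIXED)):
        print(name, "->", check_phase1_compat(MX_PHASE1, cfg) or "OK")
    print("NAT forwards still needed:", missing_nat_forwards({500}))
```

Run it once with each side's exported settings pasted into the dictionaries; anything it prints is a phase 1 mismatch to fix before debugging phase 2 or NAT.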
What about adding an MX on the core, then going hub mode site-to-site? I've seen this discussed, but if I put an MX on our core, do I have to put it in parallel with the SonicWall and set up manual routing?
You just need to switch your modem into bridge mode, and once it receives a public IP you can directly configure your Meraki MX as a non-Meraki VPN peer; otherwise you need to do port forwarding on the modem side to open UDP ports 500 and 4500 specifically for the IP address of the MX.
You can use this guide, pretty straightforward:
https://documentation.meraki.com/MX/Site-to-site_VPN/MX_to_Sonicwall_Site-to-Site_VPN_Setup
And you need to open these ports, 500 and 4500, in the Comcast modem.
Yes, it is straightforward, but it assumes the Meraki has a non-NAT IP address. My MX would be behind a NAT device (the Comcast router), so that won't work, unless bridge mode on the Comcast router gives me a non-NAT IP.