NON-MERAKI Site-To-Site VPN - network translation v18.2xxx
Hey All,
Just wanted to post here and see if anyone ran into this before while running firmware v18.2xxx version
Currently have a NON-MERAKI S2S VPN tunnel configured using "IKEv1"
We're translating a /23 subnet to a single /32
So that any clients on the /23 show up as a single host (whitelisted on vendor end)
All this works properly on firmware v18.1xxx; however, whenever we upgrade to v18.2xxx, randomly some clients would be able to access the remote host (specifically port 443/https) and some others WILL NOT -no common denominator- almost as if Meraki is NOT translating the full /23 subnet properly... weird part is ICMP/PINGS work properly (strange)
Anyways for now we have rolled back to v18.1xxx and confirmed tunnel working no issues both ICMP/PINGS and more importantly port 443/https traffic
Let me know thoughts 🙂 maybe I shall submit it as a "bug"
Thanks!
Hi,
NMVPN is really hard to troubleshoot on its own. I highly suggest involving Support on that one.
Yea- engaged them and one thousand packet captures later....
ONLY FIX was roll back to "v18.1xxx" which fixed issue-
xD
The documentation on this feature states: "This feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers."
Using Site-to-site VPN Translation - Cisco Meraki Documentation
@jimmyt234 wrote: The documentation on this feature states: "This feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers."
Using Site-to-site VPN Translation - Cisco Meraki Documentation
Noted- seems like a "basic" functionality a firewall would have...🤔 (subnet translation)
hey at least it works 🙂
For 'advanced' stuff like this I have previously deployed a non-Meraki firewall alongside an MX and then created static routes between the two boxes. We had an MX running our office about four years ago but needed 20-30 IPsec tunnels to other organisations and I did them all on a Netgate appliance because things like routed tunnels weren't an option on the MX. Knowing the limitations of the MX platform and trying to keep your usage within the constraints is half the work of designing Meraki implementations.
Marked as solution-
10000% agree; for some of our most advanced deployments we even reverted to virtual NETGATE appliances for VPN tunnels
