Hi All,
I’m trying to create a Ubuntu VPN Gateway to connect to Meraki MX 65 VPN Service.
Basically my network is simple and has following configuration:
Meraki VPN Appliance is located on network 192.168.1.0/24
The Ubuntu VPN Gateway is located at 192.168.2.0/24 and has the following ip address 192.168.2.254
When the vpn service on gateway I can ping to all host that are located at 192.168.1.0/24 network.
But from a client located at network 192.168.2.0/24 example 192.168.2.101 I cannot ping to any host located at network 192.168.1.0/24.
I set up a static route on Meraki to respond request from 192.168.2.0/24 to sent to vpn appliance 192.168.1.254
Please help to troubleshoot the issue in order to fix
your mx is in routed mode?
192.168.1.x and 192.168.2.x are interfaces on the mx?
what static route did you set exactly?
you have a small drawing maybe?
Hello @ww, Here you found the answers of the questions,
your mx is in routed mode?
Yes, my mx is in routed mode and has vpn site-to site configured 192.168.1.x and 192.168.2.x
are interfaces on the mx?
192.168.1.x is lan of mx
192.168.2.x is tp-link 3420 lan
what static route did you set exactly?
i have configured the following static route on mx subnet next houpe 192.168.2.0/24 1921.168.1.254 you have a small drawing maybe? right now i dont have a draw
Firewall enabled on Ubuntu appliance?
The firewall is not enabled on router.
i made some changes and seems the connection is estabelished and then goes down.
Here the logs:
sudo ipsec up vpn2
initiating Main Mode IKE_SA boane-vpn[1] to 165.90.79.78
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.2.254[500] to 165.90.79.8[500] (212 bytes)
received packet: from 165.90.79.8[500] to 192.168.2.254[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received NAT-T (RFC 3947) vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.2.254[500] to 165.90.79.8[500] (244 bytes)
received packet: from 165.90.79.8[500] to 192.168.2.254[500] (228 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.2.254[4500] to 165.90.79.8[4500] (100 bytes)
received packet: from 165.90.79.8[4500] to 192.168.2.254[4500] (92 bytes)
parsed ID_PROT response 0 [ ID HASH V ]
received DPD vendor ID
IKE_SA boane-vpn[1] established between 192.168.2.254[192.168.2.254]...165.90.79.8[165.90.79.8]
scheduling reauthentication in 3337s
maximum IKE_SA lifetime 3517s
generating QUICK_MODE request 1050748777 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.2.254[4500] to 165.90.79.8[4500] (356 bytes)
sending retransmit 1 of request message ID 1050748777, seq 4
sending packet: from 192.168.2.254[4500] to 165.90.79.8[4500] (356 bytes)
received packet: from 165.90.79.8[4500] to 192.168.2.254[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3971823612 [ HASH N(DPD) ]
sending retransmit 2 of request message ID 1050748777, seq 4
sending packet: from 192.168.2.254[4500] to 165.90.79.8[4500] (356 bytes)
received packet: from 165.90.79.8[4500] to 192.168.2.254[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 4073732075 [ HASH N(DPD) ]
received packet: from 165.90.79.8[4500] to 192.168.2.254[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3012882346 [ HASH N(DPD) ]
sending retransmit 3 of request message ID 1050748777, seq 4
sending packet: from 192.168.2.254[4500] to 165.90.79.8[4500] (356 bytes)
received packet: from 165.90.79.8[4500] to 192.168.2.254[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3714477588 [ HASH N(DPD) ]
received packet: from 165.90.79.8[4500] to 192.168.2.254[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3520459203 [ HASH N(DPD) ]
sending keep alive to 165.90.79.8[4500]
sending retransmit 4 of request message ID 1050748777, seq 4
sending packet: from 192.168.2.254[4500] to 165.90.79.8[4500] (356 bytes)
#/etc/ipsec.conf
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
ike=aes128-sha1-modp1024,3des-sha1-modp1024!
esp=aes128-sha1-modp1024,3des-sha1-modp1024!
conn vpn2
keyexchange=ikev1
left=%defaultroute
auto=add
authby=secret
type=transport
leftprotoport=17/1701
rightprotoport=17/1701
rightsubnet=192.168.1.0/24
rightid=165.90.79.78
# set this to the ip address of your meraki vpn
right=165.90.79.78
the meraki configuration of non-meraki-devices