cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Site-to-Site VPN Setup

Getting noticed

Site-to-Site VPN Setup

Hi Guys

 

To think that they say auto-vpn is a few clicks and you done, nope 

 

I have a MX65 at the work and a mx64 at home (same org)

when i check vpn status on the MX65 - 

  • NAT type: Friendly. This security appliance is behind a VPN-friendly NAT, locally using 192.168.0.253:54131, which is NAT-ed to 196.50.252.14:54131

 

when i check vpn status on the MX64 - 

  • NAT type: Unfriendly. This security appliance is behind a VPN-unfriendly NAT, which can be caused by upstream load balancers or strict firewall rules.

 

I am sure i am missing something really small here and its frustrating, what am i doing wrong

everything i read is very vague and doesnt explain what to do 

 

9 REPLIES 9
Kind of a big deal

Re: Site-to-Site VPN Setup

Are either of them sitting behind other firewalls?

Nolan Herring | nolanwifi.com
TwitterLinkedIn
Getting noticed

Re: Site-to-Site VPN Setup

Home MX64 sitting behind a home internet routerHQ vpn issue.JPGvpn issue.JPG

Kind of a big deal

Re: Site-to-Site VPN Setup

See the "NAT Traversal" section here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings

 

And also the "VPN status page reports an unfriendly NAT or disconnected from VPN Registry" section here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Troubleshooting

 

The easiest way to solve it is to setup manual NAT traversal with a chosen port and setup port forwarding on your home internet router (or set your MX as DmZ host in it).

Getting noticed

Re: Site-to-Site VPN Setup

I read both links, didnt help much for example, your advise below is very helpful but can you give examples

address a port z etc etc

Kind of a big deal

Re: Site-to-Site VPN Setup

I have one sitting behind another firewall, and I was getting the same alerts you were. I had to do this to fix it. This also required making a change on the other firewall. So my MX has the public IP and port on the public facing firewall and that public facing firewall has an entry for my MX

Manual: Port forwarding: If the Automatic option does not work, you can use this option. When Manual: Port forwarding is enabled, Meraki VPN peers contact the MX appliance using the specified public IP address and UDP port number. You will need to configure the upstream firewall to forward all incoming traffic on that UDP port to the IP address of the MX appliance.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
Highlighted
Kind of a big deal

Re: Site-to-Site VPN Setup

  • First you chose a port that you'll use for the VPN tunnels. For example 5000.
  • Then go to Security & SD-WAN / Appliance Status and click on the Uplink tab. Make a note of the WAN 1 IP-address and the public IP-address.
  • Two options for this step:
    1. You setup port forwarding on your home router. You'll have to tell it that every time a connection on UDP port 5000 comes in, it has to forward it to port 5000 on the WAN IP of your MX (the WAN 1 IP you noted down earlier). I can't give exact instructions for this but https://portforward.com/router.htm might have instructions for your home router.
    2. Another option is to tell your home router to forward everything to your MX instead of just port 5000. That feature is is usually called DmZ host, here again you'll have to enter WAN 1 IP you noted down earlier.
  • Once that is done you configure the manual NAT traversal in the MX. Go to Security & SD-WAN / Site-to-site VPN and select Manual: Port forwarding under NAT traversal. Enter the public IP address you noted down earlier (NOT WAN 1 IP) and the port you chose (for example 5000):
    manual_nat_traversal.PNG

 

That's it, now the VPN tunnels will be built using the port you chose and hole punching techniques are no longer necessary on this side of the tunnel(s). If all is well, that should fix the error.

 

Please note that you need a static public IP-address for this to work (or rather continue working) and that your provider should allow incoming connections on the chosen port.

 

Good luck!

Kind of a big deal

Re: Site-to-Site VPN Setup

What type of home internet service do you have?  Is it by chance Fibre/Ethernet?  If so, you could plug the INternet circuit directly into the MX64 WAN port and configure that and now use the unfriendly home device.

Getting noticed

Re: Site-to-Site VPN Setup

thanks, this is what i was looking for. examples
tried both the port forwarding then 30 mins later tried the DMZ option still same NAT error

So can we say 100% that the issue is sitting with my Home router.

not sure if the internal port and external port should be the same, please advise

 

 

port forwarding.JPG

Kind of a big deal

Re: Site-to-Site VPN Setup

How did you have the MX configured when you setup the port forwarding on that edge firewall?

Also, I would lean towards the MX at the office causing the issue. I have MX at home, have taken it to other locations, never had an issue double NATting etc. Only the one in my datacenter did I have to go out of my way with port forwarding to the static public ip etc.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.