Hi Guys
To think that they say auto-VPN is a few clicks and you're done, nope.
I have an MX65 at work and an MX64 at home (same org).
When I check VPN status on the MX65 -
When I check VPN status on the MX64 -
I am sure I am missing something really small here and it's frustrating. What am I doing wrong?
Everything I read is very vague and doesn't explain what to do.
Are either of them sitting behind other firewalls?
Home MX64 sitting behind a home internet router
See the "NAT Traversal" section here:
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings
And also the "VPN status page reports an unfriendly NAT or disconnected from VPN Registry" section here:
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Troubleshooting
The easiest way to solve it is to set up manual NAT traversal with a chosen port and set up port forwarding on your home internet router (or set your MX as DMZ host in it).
I read both links, didn't help much. For example, your advice below is very helpful, but can you give examples?
address a port z etc etc
I have one sitting behind another firewall, and I was getting the same alerts you were. I had to do this to fix it. This also required making a change on the other firewall. So my MX has the public IP and port on the public-facing firewall, and that public-facing firewall has an entry for my MX.
Manual: Port forwarding: If the Automatic option does not work, you can use this option. When Manual: Port forwarding is enabled, Meraki VPN peers contact the MX appliance using the specified public IP address and UDP port number. You will need to configure the upstream firewall to forward all incoming traffic on that UDP port to the IP address of the MX appliance.
That's it, now the VPN tunnels will be built using the port you chose and hole punching techniques are no longer necessary on this side of the tunnel(s). If all is well, that should fix the error.
Please note that you need a static public IP-address for this to work (or rather continue working) and that your provider should allow incoming connections on the chosen port.
Good luck!
What type of home internet service do you have? Is it by chance Fibre/Ethernet? If so, you could plug the Internet circuit directly into the MX64 WAN port and configure that and not use the unfriendly home device.
Thanks, this is what I was looking for. Examples.
Tried both: the port forwarding, then 30 mins later tried the DMZ option. Still same NAT error.
So can we say 100% that the issue is sitting with my home router?
Not sure if the internal port and external port should be the same, please advise.