Site to Site VPN - two MX64s, two different organizations, cannot route between hosts

PentagonSystems
Here to help

Site to Site VPN - two MX64s, two different organizations, cannot route between hosts

Hi everyone,

 

I'm a little puzzled.  I set up a MX64 from my organization as an external peer to a MX64 in a customer's organization.  Setup was simple, as i used the default settings. At first I configured only the private subnets that I wanted to route between the client and myself, but for testing i am now allowing all VLANS until i get the routing to work.  

 

The connection on either side shows green in dashboard's VPN status, but I cannot ping any of the MX IPs on either side. What appear to be the correct routes appear in the routing table on each device.

 

For example, the client side has a MX ip of 10.1.1.1 for the VLAN I intend to route to, and mine is 10.2.2.1.  these are not the real IPs but for the sake of this discussion let's assume these are.  when I try to ping 10.1.1.1 from 10.2.2.1, i get 100% packet loss.  In the route table,  I see the routes that I am advertising, with type being IPSEC Peer, and via being my public WAN IP.  Vice versa for all of this on 10.2.2.1.

 

Does anyone have any thoughts?  If this is a known bug, then let me know what build it is resolved in.  My MX is running 13.24 currently, but i have also tried this before upgrading on 12.24. my client is on 12.24

 

 

 

In my routing table

8 REPLIES 8
PhilipDAth
Kind of a big deal
Kind of a big deal

Have you configured any organisation wide site to site VPN firewall rules, on either side?  And group policy restrictions on either the VLANs or specific machines?

 

I don't remember trying to ping the MX IPs in this case (third part ipsec vpn).  Perhaps try pinging a host behind the MX (and make sure it responds to pings locally as Windows firewall tends to block ping).  You can ping an MX IP when it is doing AutoVPN, but this is not that case.

 

Make sure you have the remote VPN subnet configured correctly on both ends.

 

 

In desperation, try giving one of the MX's a power cycle.

golisz
Conversationalist

I would start from checking settings in Site-to-Site VPN

1). Make sure that you setup Hub (Mesh)

2). Add to local subnets that you want route between sites YES

3). Nat traversal Automatic

4). Go to Non Meraki VPN Peers and Add Peer

5). - Name - VPN Name for example site name where is going to)

     - Public IP - IP address of remote site

     - Private Subnets - Those are remote subnets that you would like to see over IPsec Tunnel. If you have multiple subnets that you want to go to specify all of them for example

192.168.100.0/24

10.0.10.0/24

10.0.60.0/23

    - IPsec Policy you could leave as default but if you want to change something you could do that

    - Preshared Secret - Make sure that key match both sites

    - Availability - All Networks - or Specify what network should be allowed if you have multiple networks in your organization

If you do that you should be able to ping across both sites. 

 

 

 

     -

thanks for the suggestions. I went over each setting that you suggest to change and it all looks correct. For this example Everything used was default.

Maybe one of your MX is behind a router? I have seen that before.

Thanks for the reply, Philip. I have only the default firewall entry for VPN (allow any any). I have tried pinging hosts on either side to no avail. Unfortunately i can only power cycle the MX on my end but i will try that. I also changed my setup from the default to a 'custom', changing the Phase 1 to use aes 256, SHA1, DH group 5, and left phase2 defaults. Same result, it would seem
Jollywombat
New here

Check the event log for the networks in question and see what it says about the VPN session initialization; did it succeed, fail, reasons?  I would start there to verify if the IPSEC tunnel is even getting established, and if its not, it should at least give some sort of answer as to why.

 

CDK
Just browsing

On the server add a static route like this?

 

route add -p 10.1.1.0/24 mask 255.255.255.0 gw 10.2.2.1 and then try pinging

CDK
Just browsing

Ignore my reply, page didn't load previous comments.... And I can't edit mine.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels