Site to Site VPN - two MX64s, two different organizations, cannot route between hosts
I'm a little puzzled. I set up an MX64 from my organization as an external peer to an MX64 in a customer's organization. Setup was simple, as I used the default settings. At first I configured only the private subnets that I wanted to route between the client and myself, but for testing I am now allowing all VLANs until I get the routing to work.
The connection on either side shows green in dashboard's VPN status, but I cannot ping any of the MX IPs on either side. What appear to be the correct routes appear in the routing table on each device.
For example, the client side has an MX IP of 10.1.1.1 for the VLAN I intend to route to, and mine is 10.2.2.1. These are not the real IPs, but for the sake of this discussion let's assume they are. When I try to ping 10.1.1.1 from 10.2.2.1, I get 100% packet loss. In the route table, I see the routes that I am advertising, with the type being IPSEC Peer and the via being my public WAN IP. Vice versa for all of this on 10.2.2.1.
Does anyone have any thoughts? If this is a known bug, then let me know what build it is resolved in. My MX is running 13.24 currently, but I have also tried this before upgrading, on 12.24. My client is on 12.24.
Have you configured any organisation wide site to site VPN firewall rules, on either side? And group policy restrictions on either the VLANs or specific machines?
I don't remember trying to ping the MX IPs in this case (third-party IPsec VPN). Perhaps try pinging a host behind the MX (and make sure it responds to pings locally, as Windows Firewall tends to block ping). You can ping an MX IP when it is doing AutoVPN, but this is not that case.
Make sure you have the remote VPN subnet configured correctly on both ends.
In desperation, try giving one of the MXs a power cycle.
Thanks for the reply, Philip. I have only the default firewall entry for VPN (allow any any). I have tried pinging hosts on either side to no avail. Unfortunately I can only power cycle the MX on my end, but I will try that. I also changed my setup from the default to 'custom', changing Phase 1 to use AES-256, SHA1, DH group 5, and left the Phase 2 defaults. Same result, it would seem.
Check the event log for the networks in question and see what it says about the VPN session initialization: did it succeed, fail, and for what reasons? I would start there to verify whether the IPsec tunnel is even getting established, and if it's not, it should at least give some sort of answer as to why.
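The two checks suggested in this thread, that the remote VPN subnets are mirrored correctly on both ends and that the Phase 1 / Phase 2 settings actually agree, can be done offline against the two configurations before anyone starts power-cycling. The script below is an added example written for this thread; it is not code from the original posts or from Meraki, and the `PeerConfig` shape, the peer names and the sample values are constructed for illustration. It separates the failure modes by symptom: a pre-shared key or Phase 1 mismatch means the IKE SA never forms (status not green), a Phase 2 mismatch means the IKE SA is up but no child SA is negotiated, and a traffic-selector mismatch (one side advertising a subnet the other side never listed as remote) leaves the tunnel looking established while packets for that prefix are silently dropped, which is the symptom described above.

```python
"""Compare both sides of a site-to-site IPsec peering and report mismatches.

Added example for this thread; not Meraki code. PeerConfig, the site names
and all sample values below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class PeerConfig:
    name: str
    psk: str
    phase1: dict           # IKE proposal, e.g. {"enc": "aes256", "hash": "sha1", "dh": 5}
    phase2: dict           # IPsec proposal, e.g. {"enc": "aes128", "hash": "sha1", "pfs": "off"}
    local_subnets: list    # prefixes this side puts into the tunnel
    remote_subnets: list   # prefixes this side expects to reach behind the peer


def _nets(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def uncovered(advertised, expected):
    """Advertised prefixes that no entry of `expected` fully contains.

    Each one is a traffic-selector mismatch: the advertising side proposes a
    child SA for it that the peer never agreed to, so traffic for that prefix
    is dropped even while the IKE SA (the dashboard's green status) is up.
    """
    exp = _nets(expected)
    return [str(a) for a in _nets(advertised)
            if not any(a.version == e.version and a.subnet_of(e) for e in exp)]


def overlapping_locals(a, b):
    """Pairs of local prefixes that overlap across the two sites (ambiguous routing)."""
    return [(str(x), str(y))
            for x in _nets(a.local_subnets) for y in _nets(b.local_subnets)
            if x.version == y.version and x.overlaps(y)]


def _proposal_mismatches(label, pa, pb, a_name, b_name, effect):
    out = []
    for k in sorted(set(pa) | set(pb)):
        if pa.get(k) != pb.get(k):
            out.append(f"{label} {k} mismatch: {a_name}={pa.get(k)!r} "
                       f"{b_name}={pb.get(k)!r} ({effect})")
    return out


def diagnose(a, b):
    """Findings ordered from 'tunnel never forms' to 'tunnel up but no traffic'."""
    findings = []
    if a.psk != b.psk:
        findings.append("pre-shared key differs (IKE authentication fails; tunnel never forms)")
    findings += _proposal_mismatches("phase 1", a.phase1, b.phase1, a.name, b.name,
                                     "no IKE SA; tunnel never forms")
    findings += _proposal_mismatches("phase 2", a.phase2, b.phase2, a.name, b.name,
                                     "IKE SA up but child SA rejected; no traffic")
    # Selectors must be mirrored: everything A advertises must be covered by
    # B's remote list, and vice versa.
    for src, dst in ((a, b), (b, a)):
        for net in uncovered(src.local_subnets, dst.remote_subnets):
            findings.append(f"{src.name} advertises {net} but {dst.name} lists no remote "
                            f"subnet covering it (selector mismatch; status may still show up)")
    for x, y in overlapping_locals(a, b):
        findings.append(f"local subnets overlap: {a.name} {x} vs {b.name} {y} "
                        f"(both sides treat the prefix as local; replies never enter the tunnel)")
    return findings


# Constructed sample mirroring the thread: IKE settings agree on both sides
# (so status is green), but the customer side advertises a /24 that the
# other side mistyped in its remote-subnet list.
SITE_A = PeerConfig(
    name="mine", psk="example-psk",
    phase1={"enc": "aes256", "hash": "sha1", "dh": 5},
    phase2={"enc": "aes128", "hash": "sha1", "pfs": "off"},
    local_subnets=["10.2.2.0/24"],
    remote_subnets=["10.1.2.0/24"],     # typo: should be 10.1.1.0/24
)
SITE_B = PeerConfig(
    name="customer", psk="example-psk",
    phase1={"enc": "aes256", "hash": "sha1", "dh": 5},
    phase2={"enc": "aes128", "hash": "sha1", "pfs": "off"},
    local_subnets=["10.1.1.0/24"],
    remote_subnets=["10.2.0.0/16"],     # wider than needed, but it covers 10.2.2.0/24
)

if __name__ == "__main__":
    for line in diagnose(SITE_A, SITE_B) or ["no mismatches found"]:
        print("-", line)
```

Run as-is, the sample reports a single finding: the customer side advertises 10.1.1.0/24 but the other side has no remote subnet covering it. A wider remote prefix on one side (10.2.0.0/16 covering 10.2.2.0/24) is accepted on purpose, since that is a covered selector rather than a mismatch; whether a given peer actually narrows to the advertised /24 or insists on an exact match is vendor-specific, so treat the "covered" result as necessary rather than sufficient.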