Hi everyone,
I'm a little puzzled. I set up an MX64 from my organization as an external peer to an MX64 in a customer's organization. Setup was simple, as I used the default settings. At first I configured only the private subnets that I wanted to route between the client and myself, but for testing I am now allowing all VLANs until I get the routing to work.
The connection on either side shows green in the dashboard's VPN status, but I cannot ping any of the MX IPs on either side. What appear to be the correct routes are present in the routing table on each device.
For example, the client side has an MX IP of 10.1.1.1 for the VLAN I intend to route to, and mine is 10.2.2.1. These are not the real IPs, but for the sake of this discussion let's assume they are. When I try to ping 10.1.1.1 from 10.2.2.1, I get 100% packet loss. In the route table, I see the routes that I am advertising, with the type being IPsec Peer and the via being my public WAN IP. Vice versa for all of this on 10.2.2.1.
Does anyone have any thoughts? If this is a known bug, then let me know what build it is resolved in. My MX is running 13.24 currently, but I have also tried this before upgrading, on 12.24. My client is on 12.24.
In my routing table
Have you configured any organisation-wide site-to-site VPN firewall rules on either side? Any group policy restrictions on either the VLANs or specific machines?
I don't remember trying to ping the MX IPs in this case (third-party IPsec VPN). Perhaps try pinging a host behind the MX (and make sure it responds to pings locally, as the Windows firewall tends to block ping). You can ping an MX IP when it is doing AutoVPN, but this is not that case.
Make sure you have the remote VPN subnet configured correctly on both ends.
In desperation, try giving one of the MXs a power cycle.
I would start by checking the settings under Site-to-Site VPN:
1). Make sure that you set up Hub (Mesh).
2). For each local subnet that you want to route between sites, set VPN participation to YES.
3). NAT traversal: Automatic.
4). Go to Non-Meraki VPN Peers and click Add Peer.
5). - Name: a name for the VPN, for example the name of the site it goes to.
- Public IP: the IP address of the remote site.
- Private Subnets: the remote subnets that you would like to reach over the IPsec tunnel. If you have multiple subnets that you want to reach, specify all of them, for example:
192.168.100.0/24
10.0.10.0/24
10.0.60.0/23
- IPsec Policy: you can leave this at the default, but change it if you need to.
- Preshared Secret: make sure that the key matches on both sites.
- Availability: All Networks, or specify which networks should be allowed if you have multiple networks in your organization.
If you do that, you should be able to ping across both sites.
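The steps above amount to "the subnets each side advertises must match the private subnets typed into the other side's peer entry, and nothing may overlap". Before chasing a firmware bug it is worth checking exactly that. The following is an added example, not code from this thread or from Meraki: a small Python checker whose dictionaries model the Site-to-Site VPN page (each site's local subnets with their Yes/No VPN flag, and the Private Subnets list in the peer entry pointing at the other site). The site names and addresses are constructed from the placeholder ranges in the original post; the extra 10.2.9.0/24 VLAN is invented to show a subnet left at No.

```python
"""Consistency check for the subnet configuration on both ends of a
Meraki non-Meraki (third-party IPsec) VPN peer.

Added example for this thread, not Meraki code.  The dictionaries below
model the Site-to-Site VPN page: each site's local subnets with their VPN
participation flag (the Yes/No column) and the "Private subnets" list
typed into the peer entry that points at the other site."""

import ipaddress
from typing import Dict, List, Optional


def _net(cidr: str):
    # strict=False tolerates a host address typed instead of a network (10.1.1.1/24)
    return ipaddress.ip_network(cidr, strict=False)


def check_vpn_subnets(site_a: Dict, site_b: Dict) -> List[str]:
    """Return human-readable problems; an empty list means the subnet
    configuration is consistent in both directions."""
    problems: List[str] = []
    for src, dst in ((site_a, site_b), (site_b, site_a)):
        advertised = [_net(c) for c, use in src["local_subnets"].items() if use]
        peer_list = [_net(c) for c in dst["peer_private_subnets"]]

        # 1. A local subnet that is not set to Yes never enters the tunnel.
        for cidr, use in src["local_subnets"].items():
            if not use:
                problems.append(f"{src['name']}: local subnet {cidr} is not enabled for VPN")

        # 2. Every subnet src advertises must lie inside what dst's peer entry lists.
        for n in advertised:
            if not any(n.subnet_of(p) for p in peer_list):
                problems.append(f"{dst['name']}: peer entry is missing {src['name']}'s subnet {n}")

        # 3. A peer private subnet that matches nothing on the far side is dead config.
        for p in peer_list:
            if not any(p.overlaps(n) for n in advertised):
                problems.append(
                    f"{dst['name']}: peer private subnet {p} matches no VPN-enabled subnet at {src['name']}"
                )

    # 4. Identical or overlapping address space on both ends cannot be routed.
    for a_cidr in site_a["local_subnets"]:
        for b_cidr in site_b["local_subnets"]:
            if _net(a_cidr).overlaps(_net(b_cidr)):
                problems.append(f"overlap: {a_cidr} at {site_a['name']} and {b_cidr} at {site_b['name']}")
    return problems


def covering_subnet(peer_private_subnets: List[str], target_ip: str) -> Optional[str]:
    """Which peer private subnet (if any) would send traffic for target_ip into the tunnel."""
    ip = ipaddress.ip_address(target_ip)
    for cidr in peer_private_subnets:
        if ip in _net(cidr):
            return cidr
    return None


# Constructed sample modelled on the original post's placeholder addresses.
SITE_MINE = {
    "name": "my-org",
    "local_subnets": {"10.2.2.0/24": True, "10.2.9.0/24": False},  # 10.2.9.0/24 is invented
    "peer_private_subnets": ["10.1.1.0/24"],  # typed into my peer entry for the customer
}
SITE_CUSTOMER = {
    "name": "customer",
    "local_subnets": {"10.1.1.0/24": True},
    "peer_private_subnets": ["10.2.2.0/24"],  # typed into their peer entry for me
}

if __name__ == "__main__":
    for line in check_vpn_subnets(SITE_MINE, SITE_CUSTOMER) or ["no subnet problems found"]:
        print(line)
    print("10.1.1.1 goes via peer subnet", covering_subnet(SITE_MINE["peer_private_subnets"], "10.1.1.1"))
```

Run it with both sides' settings filled in from the two dashboards; a subnet typo on one side (10.2.3.0/24 instead of 10.2.2.0/24) shows up as a "missing" line on one side and a "matches no VPN-enabled subnet" line on the other, which is the "remote VPN subnet configured correctly on both ends" case from earlier in the thread. The check says nothing about whether the MX's own VLAN IP answers pings over a third-party peer; it only confirms the addresses would be sent into the tunnel at all.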
Maybe one of your MX is behind a router? I have seen that before.
Check the event log for the networks in question and see what it says about the VPN session initialization: did it succeed, fail, and for what reasons? I would start there to verify whether the IPsec tunnel is even getting established, and if it's not, it should at least give some sort of answer as to why.
On the server add a static route like this?
route -p add 10.1.1.0 mask 255.255.255.0 10.2.2.1 and then try pinging
Ignore my reply, page didn't load previous comments.... And I can't edit mine.