Trying to get an MX to pass IPSec client traffic from LAN side to host VPN on public IP Fortigate
Hi all -
I am trying to configure my MX-450 to allow an IPSec VPN tunnel from an NCP IPSec client on the inside of the MX to connect to a Fortigate 100F firewall on the outside.
(The NCP client is the preferred client of the vendor involved - I cannot simply use the Forticlient, for those who might wonder. Nor can I ask the other company to switch to SSL VPN technology)
I have a public IP for the Fortigate on the host VPN side -- when I route that IP through a non-Meraki firewall (an ASA), the VPN works fine - when I route that public IP through the MX 450, the IPSec tunnel setup fails every time. I have a "permit any" rule allowing full unrestricted no-blocks access to that public IP in the Firewall rules in the MX. Seems like that should be sufficient to allow UDP/500 and other ISAKMP/IPSec traffic through?
Is there somewhere else in the MX I have to go establish special rules or anything to allow IPSec passthrough to work right?
To further investigate if the problem is related to any IPsec-VPN on the MX, I would add a 1:1 NAT with its own IP for this particular PC and see if that works. If yes, it's likely that it is somehow related to the actual VPN-Config.
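Both the question ("should a permit-any rule be enough for UDP/500 and the rest?") and the 1:1 NAT test suggested in the reply come down to one measurement: capture on the NCP client host and see which of the three kinds of traffic (IKE on UDP/500, IKE/ESP on UDP/4500 after NAT detection, raw ESP as IP protocol 50) leaves the PC and which of them come back. The script below is an added example, not code from the original posters, Meraki, Fortinet or NCP. It classifies packet records by the protocol rules in RFC 7296, RFC 3948 and RFC 2408 and gives a verdict on which stage the path through the MX is dropping. The record format (`dir`, `proto`, `sport`, `dport`, `payload`) is this example's own assumption, and the traces at the bottom are hand-built, not a real capture; in practice you would fill them from a tcpdump/tshark capture on the client.

```python
"""Classify IKE/IPsec packets seen on the client host to find which stage of
tunnel setup the path through the firewall allows.  Added example, not from the
original thread; the packet records at the bottom are constructed by hand."""
import struct

IKE_UDP_PORT = 500       # ISAKMP / IKE
NAT_T_UDP_PORT = 4500    # IKE and ESP encapsulated in UDP after NAT detection
ESP_IP_PROTO = 50        # raw ESP is its own IP protocol (no ports at all)
UDP_IP_PROTO = 17

# Exchange-type values from RFC 7296 (IKEv2) and RFC 2408 (IKEv1)
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
IKEV1_EXCHANGES = {2: "MAIN_MODE", 4: "AGGRESSIVE", 5: "INFORMATIONAL", 32: "QUICK_MODE"}


def parse_ike_header(data):
    """Return a label such as 'IKEv2 IKE_SA_INIT' for a 28-byte IKE header, else None."""
    if len(data) < 28:
        return None
    _ispi, _rspi, _next, version, exch, _flags, _msgid, _length = struct.unpack("!QQBBBBII", data[:28])
    major = version >> 4
    if major == 2:
        return "IKEv2 " + IKEV2_EXCHANGES.get(exch, "exchange %d" % exch)
    if major == 1:
        return "IKEv1 " + IKEV1_EXCHANGES.get(exch, "exchange %d" % exch)
    return None


def classify(pkt):
    """Label one packet record; None for anything that is not IKE/IPsec."""
    data = pkt["payload"]
    if pkt["proto"] == ESP_IP_PROTO:
        return "ESP"
    if pkt["proto"] != UDP_IP_PROTO:
        return None
    ports = (pkt["sport"], pkt["dport"])
    if IKE_UDP_PORT in ports:
        return parse_ike_header(data)
    if NAT_T_UDP_PORT in ports:
        if data == b"\xff":                       # NAT-T keepalive (RFC 3948)
            return "NAT-T keepalive"
        if data[:4] == b"\x00\x00\x00\x00":       # non-ESP marker precedes IKE on 4500
            label = parse_ike_header(data[4:])
            return label + " (NAT-T)" if label else None
        return "ESP-in-UDP"                       # otherwise the first 4 bytes are an ESP SPI
    return None


def diagnose(packets):
    """Summarise what was sent and what came back, with a plain-language verdict."""
    seen = {"out": set(), "in": set()}
    for pkt in packets:
        label = classify(pkt)
        if label:
            seen[pkt["dir"]].add(label)
    out, inc = seen["out"], seen["in"]
    ike_out = any(lab.startswith("IKE") for lab in out)
    ike_in = any(lab.startswith("IKE") for lab in inc)
    nat_t = any("NAT-T" in lab or lab == "ESP-in-UDP" for lab in out | inc)
    esp_out = bool(out & {"ESP", "ESP-in-UDP"})
    esp_in = bool(inc & {"ESP", "ESP-in-UDP"})
    if not ike_out:
        verdict = "no IKE traffic left the client: problem is on the client, not the path"
    elif not ike_in:
        verdict = "no IKE reply: UDP/500 (or UDP/4500) is not reaching the peer or not returning"
    elif esp_in:
        verdict = "tunnel passing traffic both ways"
    elif esp_out and nat_t:
        verdict = "IKE completed but UDP/4500 data is not returning"
    elif esp_out:
        verdict = "IKE completed but raw ESP (IP protocol 50) is not returning: path needs ESP passthrough or NAT-T"
    else:
        verdict = "IKE exchanged both ways but no ESP yet: check authentication/phase 2 in the client log"
    return {"sent": sorted(out), "received": sorted(inc), "nat_t": nat_t, "verdict": verdict}


# --- constructed sample packets (hand-built, not a real capture) ---------------
def ike(exch, nat_t=False):
    """Minimal IKEv2 header: 0x20 = version 2.0, 33 = SA payload, 0x08 = initiator flag."""
    hdr = struct.pack("!QQBBBBII", 0x1111222233334444, 0, 33, 0x20, exch, 0x08, 0, 28)
    return (b"\x00\x00\x00\x00" + hdr) if nat_t else hdr


def udp(direction, port, payload):
    return {"dir": direction, "proto": UDP_IP_PROTO, "sport": port, "dport": port, "payload": payload}


ESP_UDP = struct.pack("!II", 0x0A0B0C0D, 1) + b"\xaa" * 32   # SPI, sequence number, ciphertext

WORKING = [udp("out", 500, ike(34)), udp("in", 500, ike(34)),
           udp("out", 4500, ike(35, True)), udp("in", 4500, ike(35, True)),
           udp("out", 4500, ESP_UDP), udp("in", 4500, ESP_UDP)]
# Same client, but the reply to IKE_SA_INIT never comes back: what a blocked path looks like
BLOCKED = [udp("out", 500, ike(34))] * 3

if __name__ == "__main__":
    for name, trace in (("working", WORKING), ("blocked", BLOCKED)):
        print(name, diagnose(trace))
```

Running the two traces prints the working case as "tunnel passing traffic both ways" and the blocked one as "no IKE reply". The verdict that matters for this thread is the difference between "no IKE reply" (the firewall or its NAT is not passing UDP/500 and 4500 at all, so a permit rule is not the whole story) and "raw ESP not returning" (IKE passes but NAT-T was not negotiated, so IP protocol 50 needs to be allowed or the NAT has to be visible to the peers). Take the capture once with the ASA in the path and once with the MX, and compare the two verdicts before touching any VPN configuration.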