Hi all -
I am trying to configure my MX-450 to allow an IPSec VPN tunnel from an NCP IPSec client on the inside of the MX to connect to a Fortigate 100F firewall on the outside.
(The NCP client is the preferred client of the vendor involved - I cannot simply use the Forticlient, for those who might wonder. Nor can I ask the other company to switch to SSL VPN technology)
I have a public IP for the Fortigate on the host VPN side -- when I route that IP through a non-Meraki firewall (an ASA), the VPN works fine - when I route that public IP through the MX 450, the IPSec tunnel setup fails every time.
I have a "permit any" rule allowing full unrestricted no-blocks access to that public IP in the Firewall rules in the MX.
Seems like that should be sufficient to allow UDP/500 and other ISAKMP/IPSec traffic through?
Is there somewhere else in the MX I have to go establish special rules or anything to allow IPSec passthrough to work right?
Thanks Tim
All you need is UDP/500 and UDP/4500, and yes, your "permit any" will handle that unless the traffic is denied in rules above that permit.
Do you perhaps have a site-2-site VPN between your MX and that Fortinet? That would be a reason that the client VPN will fail.
It'll have complications if Client VPN is enabled on the MX as well, as that uses the same initial ports.
A client on the inside is whitelisted.
The Fortigate public IP has a permit any/any/pubIP/any rule
I'll check that idea.
The MX is supporting Meraki L2L VPN peers, so I can't disable that.
We are NOT using any VPN that isn't Meraki based, insofar as what terminates on the MX-450.
The Fortigate is not connected to our network in any way - it's a far-end public IP connection, with clients attempting to connect to it by going _through_ the Meraki along the way.
Does the L2L Meraki VPN setup use IPSec and thereby UDP/500 and UDP/4500 ?
or is that some proprietary non-IPSec setup from Meraki?
We aren't doing client VPN on that firewall.
Thanks Tim
To further investigate if the problem is related to any IPsec-VPN on the MX, I would add a 1:1 NAT with its own IP for this particular PC and see if that works. If yes, it's likely that it is somehow related to the actual VPN-Config.
Hi --
So, it is not true that this should NOT be a problem for a CLIENT coming from "behind" the Meraki firewall, as a client would be source-ported higher than UDP/500 and UDP/4500?
I can see the problem in having a Fortigate or other firewall BEHIND the Meraki, and having it trying to terminate incoming VPN sessions - when both it and the Meraki want to use UDP/500
However -- this is an IPSec client behind the Meraki launching an outbound VPN, going off into the Internets to talk to the Fortigate on the public Internet.
I did try assigning a public IP (NAT) to my client PC behind the Meraki 450.
That made no difference - the VPN session between my IPSec client and the Fortigate out on the Internet still failed to launch.
Thanks Tim
Can you do a packet-capture on the LAN and on the WAN-side of the MX450 with a filter of the IP of the other side's VPN-gateway? Perhaps that gives a hint of the problem.
@treimers you could have a problem with an IPSec client behind a Meraki firewall depending on the client operation, and what services you are running on the MX.
Hope this provides some idea where to look/check.
Also make sure that the VPN-client *and* the gateway have NAT-Traversal (NAT-T) enabled.
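A way to work through the two captures suggested above together with the NAT-T point: this is an added Python example, not code from the thread, that reads `tcpdump -n`-style summary lines from the LAN and WAN captures and reports the first hop at which the IKE exchange stops. The client, NAT and gateway addresses and the capture lines are constructed for illustration.

```python
import re

# Matches the "IP src.sport > dst.dport:" part of a `tcpdump -n` summary line.
PKT = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def flows(lines, gateway):
    """Return the set of (direction, port) pairs seen to/from the far-end gateway."""
    seen = set()
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        if dst == gateway and dport in (500, 4500):      # outbound: any source port (PAT) is fine
            seen.add(("out", dport))
        elif src == gateway and sport in (500, 4500):    # inbound reply from the gateway
            seen.add(("in", sport))
    return seen

def diagnose(lan_lines, wan_lines, gateway):
    """Walk the exchange hop by hop and name the first point where it breaks."""
    lan, wan = flows(lan_lines, gateway), flows(wan_lines, gateway)
    if ("out", 500) not in lan:
        return "client never sent IKE on UDP/500: look at the client, not the MX"
    if ("out", 500) not in wan:
        return "IKE left the LAN but never appeared on the WAN: the MX is dropping it"
    if ("in", 500) not in wan:
        return "no IKE reply on the WAN: the problem is upstream or on the gateway"
    if ("in", 500) not in lan:
        return "IKE reply reached the WAN but not the client: the MX is not forwarding it"
    if ("out", 4500) not in wan:
        return "IKE started on UDP/500 but the client never moved to UDP/4500: enable NAT-T on client and gateway"
    if ("in", 4500) not in wan:
        return "UDP/4500 sent but nothing came back: check the path for UDP/4500"
    return "UDP/500 and UDP/4500 flow both ways; inspect the IKE payloads next"

GW = "198.51.100.5"   # far-end gateway (constructed address)
LAN_CAP = [           # constructed LAN-side lines: client 10.1.1.50 talks to the gateway
    "10:00:01.1 IP 10.1.1.50.500 > 198.51.100.5.500: isakmp: phase 1 I ident",
    "10:00:01.2 IP 198.51.100.5.500 > 10.1.1.50.500: isakmp: phase 1 R ident",
]
WAN_CAP = [           # constructed WAN-side lines: same exchange after NAT to 203.0.113.10
    "10:00:01.1 IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident",
    "10:00:01.2 IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident",
]

if __name__ == "__main__":
    print(diagnose(LAN_CAP, WAN_CAP, GW))
```

With the sample captures above the verdict points at NAT-T, since the phase 1 exchange on UDP/500 completed in both directions but the client never switched to UDP/4500.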