Meraki

Netwow · ‎May 8 2020

We have a need to build an Ipsec tunnel from a Fortigate in AWS to a VMX100 in AWS. When initially configured we were able to establish Phase 1 . Phase to on the fortigate always showed as failed. We involved Meraki support to verify Phase 2 because the dashboard stated the tunnel was up. Phase 2 was never established. After troubleshooting (changing the psk , bouncing the tunnel, etc. ) Phase 1 will not establish. Has anyone had any luck with similar cloud security appliances ?

Netwow · ‎May 8 2020

After spending time with Fortigate and Meraki today we were able to achieve tunnel connectivity. There were multiple issues so I thought it would be a good idea to post them in case anyone else ever comes across this same issue.

First, when establishing a tunnel to a non-Fortigate vpn peer, object groups/names are advised against. Using the subnet is the way to go .

Second, Fortigate side had to turn off Nat Traversal (I found this odd but it worked)

Third, MTU had to be adjusted due to the Fortigate sending Jumbo frames.

View solution in original post

JimmyPhelan · ‎May 8 2020

What version of IKE are you expecting to use on your tunnel? Is there any chance the Fortigate is looking for IKEv2 by default, and Meraki is only capable of IKEv1.

Are the two locations separate sites / clients?

This is likely to a difference in the encryption handling. Something like AES is showing but its 128 on one side and 256 on the other.

Netwow · ‎May 8 2020