I have 3 MX appliances at different sites (London, Hong Kong and Shanghai).
The London & Hong Kong offices have a leased line from a local ISP.
The Shanghai office is a serviced office and the building management simply provide an internet connection.
It is from this Shanghai office I am trying to create a non-Meraki VPN site-to-site connection between the MX and public cloud (Alibaba). The VPN fails to come up. The error from Alibaba is simply "Phase 1 of IKE Tunnel Negotiation Failed".
From the MX event viewer, the error is
msg: phase1 negotiation failed due to time up. 0d7a59b09e19f2a6:918b1b8f5f6421e2
msg: ignore information because ISAKMP-SA has not been established yet.
msg: initiate new phase 1 negotiation: 172.16.7.12<=><Alibaba_Public_IP>
The device "172.16.7.12" is, I believe, the IP address of my MX allocated by an upstream router in the serviced office. Screen shot below.
My other two MX's can successfully connect to the cloud provider.
If the upstream device is causing an issue, is there any way around this problem when configuring the VPN.
172.16.x.x is definitely an internal IP so I'd suspect the upstream router/provider has traffic limited so you can't establish a tunnel. May need to work with the building provider to see if they can open up the needed ports so you can use VPN. Although who knows what is possible or not in China. This article confirms that you aren't getting a response.
First you should realise running VPNs out of China can be problematic. From time to time the Government simply block VPNs.
Meraki have a whole section in their knowledge base on this. Meraki have had to establish a special cloud in China just to allow AutoVPN to work. Part of the concession Meraki had to make to get permission from the Chinese Government to allow AutoVPN to work to work in China is they don't allow Chinese MX units to use advanced security features.
Personally - I don't think you should rely on information remaining "private" that goes in and out of China. It is clear the Chinese Government has significant infiltration into systems. This is my personal opinion. Others may have other opinions.
Now back to your case. China also makes use of "double NAT" because of the huge number of users. You see, 10.0.0.0/8 only has 16 million addresses. So what do you do when you have a billion devices connecting?
Well you you NAT each region of 16 million users to a single 10.0.0.0/8 address, and then you NAT all of those regions into another 10.0.0.0/8 block. Double NAT.
VPNs don't like NAT. VPNs especially don't like double NAT. IPv6 is a great fix for this, but Meraki don't properly support IPv6. Now you can buy more premium more expensive circuits in China that are singled NATed where VPNs are more likely to work - but this will cost considerably more than a shared Internet circuit in a shared office space.
In the past when I have trickier issues like this - I have had a customer buy an extra MX that goes in the third party. You then enable AutoVPN. The third party then plugs the MX into their firewall, and routes the traffic to and from you via that. This is just like you putting in a private WAN circuit to the third party, but instead of the third party routing via the WAN provider they route via your MX. You tyically operate these MX units in VPN concentrator mode.
Thanks. This VPN is actual staying within China, within Shanghai to be accurate, so I was hoping to not have any issues with the getting traffic through the Great Firewall.
The option of putting another MX at the 3rd party isn't going to be possible in this case, so we may have to look at another 3rd party, or reconsider another solution.
(or move office!)
I forgot to mention. We have an AutoVPN between our 3 offices already and this (mostly) works fine. Does the AutoVPN work in such a way that double-NAT isn't an issue?