Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MR Teleworker VPN with MX250 : Connectivity failed

jbvt
Comes here often
‎Aug 6 2019 5:54 AM
‎Aug 6 2019 5:54 AM

MR Teleworker VPN with MX250 : Connectivity failed

Dear Merakers,

 

I try to configure "MR Teleworker VPN" but, unfortunately, I have problems to join the VPN concentrator from distant MR access point. When I "test connectivity" I have only failed results.

 

MR connectivity.png

My network architecture is quite simple and is the following :

 

MR-MX.png

 

I tried some ICMP requests from tools page :

   - From DC-VPN (MX 250 concentrator), I can ping the Meraki MR33 with its private IP address,

   - From Meraki MR33, i can ping public IP address from MX250 router,

But

   - From Meraki MR33, i can't join DC-VPN (MX250 concentrator) private IP address.

 

Did I forget something for automatic NAT ? Do I add some routes on any equipments ?

 

I read the following documentation but I couldn't find any precisions : https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_bet...

 

So, I hope you can help me 🙂

Thanks a lot,

JB. 

0 Kudos
Subscribe
6 Replies 6
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 6 2019 4:33 PM
‎Aug 6 2019 4:33 PM

Is the NAT to the MX250 a 1:1 NAT or is a a shared NAT being used by all outbound devices?

 

Does the MX250 report that it has sucessfully connected to the VPN registry?

0 Kudos
Subscribe
In response to PhilipDAth
jbvt
Comes here often
‎Aug 7 2019 12:16 AM
‎Aug 7 2019 12:16 AM

The NAT is shared by all outbound devices. No forwarding rules have been defined.

 

forwarding_rules.png

 

How can I can find the information about VPN registry ?

 

And, after analysis with .pcap files, is it normal that the AP try to join <private DC-VPN IP @> AND <public IP @1 > ?

0 Kudos
Subscribe
In response to jbvt
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 8 2019 1:53 AM
‎Aug 8 2019 1:53 AM

>And, after analysis with .pcap files, is it normal that the AP try to join <private DC-VPN IP @> AND <public IP @1 > ?

 

Yes, it tries to join anyway it can.

 

Check out this guide to make your for Meraki hub is correctly registering.

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_VPN_Registration_for_Meraki_Aut...

0 Kudos
Subscribe
In response to PhilipDAth
jbvt
Comes here often
‎Aug 8 2019 2:59 AM
‎Aug 8 2019 2:59 AM

Thanks for the answer 🙂

 

But, I already have read this documentation.
The only manner to verify the VPN connectivity is use the Test connectivity button next to the selected Concentrator in Wireless > Configure > Access control > Addressing and traffic section.

 

So, I did some captures on all parts of the network and, to the side of the routed MX, it seems that there are no packets from the MR to DC-VPN.

0 Kudos
Subscribe
In response to jbvt
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Aug 8 2019 3:46 AM
‎Aug 8 2019 3:46 AM

Have you enable VPN concentrator mode on your MX250 under Site to site VPN?

1.PNG

On the MX250 under "Security & SD-WAN/VPN Status" does it show as being connected to a VPN registry, and does it show the APs as being connected?

 

2.PNG

0 Kudos
Subscribe
In response to PhilipDAth
jbvt
Comes here often
‎Aug 8 2019 4:21 AM
‎Aug 8 2019 4:21 AM

Thanks, I didn't understand that I have to configure site-to-site VPN even for Teleworker mode !

So, I activated it but I still have not any hubs connected.

 

vpn_status_site-to-site.png

What do you think could still be forgotten ?

 

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.