Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MR Teleworker VPN

ELyesD
New here
‎Jul 5 2019 3:32 AM
‎Jul 5 2019 3:32 AM

MR Teleworker VPN

Hello,

 

Can anyone please provide some information about how AP builds the VPN with Meraki MX? does it contact the MX public IP then fallback to its private IP? or it only contacts the public IP?

 

I explain, we have a MX used for L2L VPN and AP teleworker vpn. we use manual NAT and unfortunately this parameter is global. We cannot (do not know where to) put the MX private IP for the AP and the MX public IP for L2L VPN.

 

the MX is behind a checkpoint firewall and the checkpoint is dropping UDP traffic from AP (internal IP) to the MX public IP (issue with the checkpoint). So if the AP fallback to to the MX private IP, i will just block public traffic and allow private traffic.

 

What do you think about this?

 

Thanks 

0 Kudos
Subscribe
4 Replies 4
timeshimanshu
Getting noticed
‎Jul 5 2019 4:06 AM
‎Jul 5 2019 4:06 AM

@ELyesD  Follow https://meraki.cisco.com/lib/pdf/meraki_datasheet_vpn.pdf for detail understanding on MR Teleworker VPN.

0 Kudos
Subscribe
In response to timeshimanshu
BrechtSchamp
Kind of a big deal
‎Jul 5 2019 6:01 AM
‎Jul 5 2019 6:01 AM

Both the teleworker VPN and the AutoVPN between MXs use the same hole-punching technique. Both endpoints of the tunnel register themselves in the cloud. When a tunnel needs to be established between them, the cloud will look at those registrations. If both are behind the same public IP, they'll try the local IP addresses first for the tunnel establishment.

 

More info here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_bet...

 

And also in the excellent whitepaper linked from that page, it explains in detail how this process works and how the private IP addresses are tried first (chapter 3.3 "Peers behind a Common NAT"):

http://www.brynosaurus.com/pub/net/p2pnat.pdf

Subscribe
In response to BrechtSchamp
ELyesD
New here
‎Jul 5 2019 8:21 AM
‎Jul 5 2019 8:21 AM

Hi BrechtSchamp,

 

Maybe I am confusing the words but I mean Access Points when I say Teleworker.

the APs and the MX are behind the same firewall (Checkpoint) and this Checkpoint doesn't like UDP from AP to MX public. it drops the traffic...

So I woundred if the APs fallback to MX private IP or not

 

Thank you for the docs, I will read them ASAP

0 Kudos
Subscribe
In response to ELyesD
BrechtSchamp
Kind of a big deal
‎Jul 5 2019 1:58 PM
‎Jul 5 2019 1:58 PM

Yes, that's what I meant too :). The AP will try the MX's private IP for the VPN tunnel.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.