Hi, we're rolling out a Meraki network around England using the O2 network (primarily) and the EE network.
If two sites each have O2 SIMs, they don't establish the site-to-site VPN.
Any other combination works - O2 to EE, EE to EE, O2 to fixed line.
What's the magic trick to get O2 to O2 working please?
Cheers,
Geoff.
Sounds like the issue could be with O2? Have you reached out to them at all and described the issue? Assuming there could be something stopping IPsec from establishing?
Likely carrier-grade NAT if you're not using a SIM/APN with a public IP.
https://en.wikipedia.org/wiki/Carrier-grade_NAT
I'd perform packet captures on both MXs to see which end is only getting unidirectional traffic, then speak to your carrier to get a proper public IP address assigned to your SIM.
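An added example (not part of any post in this thread) of the check suggested above: given a capture rendered as `tcpdump -n` style text, it reports which remote peers show traffic in only one direction. The capture format, the addresses (documentation and shared-address-space ranges) and the ports are constructed assumptions.

```python
import re
from collections import defaultdict

# tcpdump -n text line for UDP over IPv4:
#   "time IP src.port > dst.port: UDP, length N"
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length \d+"
)

def flow_directions(capture_lines, local_ip):
    """Count UDP packets sent to and received from each remote ip:port."""
    flows = defaultdict(lambda: {"sent": 0, "received": 0})
    for line in capture_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP/IPv4 line in the assumed format
        src, sport, dst, dport = m.groups()
        if src == local_ip:
            flows[f"{dst}:{dport}"]["sent"] += 1
        elif dst == local_ip:
            flows[f"{src}:{sport}"]["received"] += 1
    return dict(flows)

def unidirectional_peers(capture_lines, local_ip):
    """Return {peer: 'outbound-only' | 'inbound-only'} for one-way flows."""
    result = {}
    for peer, count in flow_directions(capture_lines, local_ip).items():
        if count["sent"] and not count["received"]:
            result[peer] = "outbound-only"   # we send, nothing comes back
        elif count["received"] and not count["sent"]:
            result[peer] = "inbound-only"    # peer reaches us, we never reply
    return result

# Constructed sample: WAN address taken from 100.64.0.0/10 (RFC 6598 space).
SAMPLE_LOCAL_IP = "100.64.10.20"
SAMPLE_CAPTURE = """
10:15:01.000100 IP 100.64.10.20.40001 > 203.0.113.10.40002: UDP, length 96
10:15:01.020300 IP 203.0.113.10.40002 > 100.64.10.20.40001: UDP, length 96
10:15:02.000100 IP 100.64.10.20.40001 > 198.51.100.77.51000: UDP, length 96
10:15:03.000100 IP 100.64.10.20.40001 > 198.51.100.77.51000: UDP, length 96
10:15:04.000100 IP 100.64.10.20.40001 > 198.51.100.77.51000: UDP, length 96
"""

if __name__ == "__main__":
    lines = SAMPLE_CAPTURE.splitlines()
    for peer, state in unidirectional_peers(lines, SAMPLE_LOCAL_IP).items():
        print(f"{peer}: {state}")
```

Peers are keyed by remote address and port, so a reply that arrives from a different source port than the one addressed shows up as two separate one-way flows.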
As Connor suggested - use packet capture to understand what's going on, first. My experience is that, in many CG-NAT cases, you can work around by reconfiguring your VPN Hubs to use Manual NAT traversal.
Security & SD-WAN > Configure > Site-to-site VPN: change NAT traversal from Automatic to Manual: Port forwarding.
Specify a particular public IP and associated UDP port number for the VPN service to reside on. The upstream firewall, behind which the Hub NATs, will need to be configured to match (to forward this traffic to the MX by its real IP, port unchanged). I’d recommend choosing a port between 1025 and 32768, but avoiding 4500.
I'm not from your country ... find out what APNs O2 offers. Many carriers (at least all the ones in my country) have a different APN you can use which is not firewalled and allows you to get an actual public IP address.
Hi all, many thanks for your feedback and suggestions - much appreciated!
Based on what I've seen here in Australia, it does look like an APN issue, so we'll need to change our SIMs.
If anyone has first-hand experience with Merakis and O2 SIMs, I'd really like to hear how you set up your network please.
Cheers, Geoff.