EdgeRouter 4: IPSec, S2S vpn
-
I appreciate the config @JaredBusch this'll come in handy when I deploy ER's on both sides.
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
Ugh, that won't be any fun.
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
I appreciate the config @JaredBusch this'll come in handy when I deploy ER's on both sides.
For now I'm still searching for a solution: ER (on one side) <--> Meraki MX (on the other side).
Change the authentication in ER to PSK.
set vpn ipsec site-to-site peer site.domain.com authentication mode pre-shared-secret set vpn ipsec site-to-site peer site.domain.com authentication pre-shared-secret ex3VRe3FAGv769sGwrpLPhqQ set vpn ipsec site-to-site peer site.domain.com connection-type initiate set vpn ipsec site-to-site peer site.domain.com description 'HQ to PSK Site A' set vpn ipsec site-to-site peer site.domain.com ike-group myike set vpn ipsec site-to-site peer site.domain.com ikev2-reauth inherit set vpn ipsec site-to-site peer site.domain.com local-address 123.123.123.123 set vpn ipsec site-to-site peer site.domain.com tunnel 1 allow-nat-networks disable set vpn ipsec site-to-site peer site.domain.com tunnel 1 allow-public-networks disable set vpn ipsec site-to-site peer site.domain.com tunnel 1 esp-group myesp set vpn ipsec site-to-site peer site.domain.com tunnel 1 local prefix 10.254.103.0/24 set vpn ipsec site-to-site peer site.domain.com tunnel 1 remote prefix 10.254.0.0/24
And then change the IKE and ESP sections from the last post to match WTF ever the Meraki uses.
-
@JaredBusch :thumbs_up: :thumbs_up_medium_skin_tone: :thumbs_up_medium-dark_skin_tone:
I'll give that a try. -
This post is deleted! -
That previous error was due to copy/paste issues.
Here is the error I'm getting:
[ service nat ] NAT configuration error: rule type not specified/valid
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
That previous error was due to copy/paste issues.
Here is the error I'm getting:
[ service nat ] NAT configuration error: rule type not specified/valid
The NAT above was exported from a live router using
show configuration command service | grep nat
Are you running 2.0? maybe something changed?
Edit: Nope
-
Never mind. I read the error closer.. I missed a line when I copy/pasted
fixed above also.set service nat rule 5000 type masquerade
-
@JaredBusch said in EdgeRouter 4: IPSec, S2S vpn:
Never mind. I read the error closer.. I missed a line when I copy/pasted
fixed above also.set service nat rule 5000 type masquerade
Haha, just added that line like 2 mins ago!!
Thanks for fixing!! -
ER4 <--> Meraki MX S2S is "up"
Many thanks to @JaredBusch for all the help. -
@JaredBusch
S2S #1: ER4 (ip 1.2.3.4) <--> Meraki MX is up
S2S #2: ER4 (ip 1.2.3.4) <--> Unifi USG not working, just says "connecting" (when I run "show vpn ipsec sa)Any tricks or tips to make S2S #2 work?
-
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
@JaredBusch
S2S #1: ER4 (ip 1.2.3.4) <--> Meraki MX is up
S2S #2: ER4 (ip 1.2.3.4) <--> Unifi USG not working, just says "connecting" (when I run "show vpn ipsec sa)Any tricks or tips to make S2S #2 work?
USG sucks...
-
@JaredBusch Don't talk bad about my USG :grinning_face_with_smiling_eyes:
In a few week I plan on replacing the USG w an ER4.For now, I was able to get the ER4 <--> USGp4 connection up & running...:thumbs_up:
-
I have 2 public IPs on the USGp4 (using WAN 1 & 2)
For some reason, the second peer (of my S2S) ER4 refuses to connect to the USGp4 WAN1 IP.
I finally tried WAN2 & it connected. -
update:
ER4 <--> S2S <--> Meraki MX is/was an absolute disaster.
No workie!!!
For now, have to scrap the idea, it just doesn't work :angry_face: :face_with_open_mouth_cold_sweat: -
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
update:
ER4 <--> S2S <--> Meraki MX is/was an absolute disaster.
No workie!!!
For now, have to scrap the idea, it just doesn't work :angry_face: :face_with_open_mouth_cold_sweat:I don’t know enough about the Meraki side. But one would assume it can work. IPSEC is a standard.
-
@JaredBusch said in EdgeRouter 4: IPSec, S2S vpn:
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
update:
ER4 <--> S2S <--> Meraki MX is/was an absolute disaster.
No workie!!!
For now, have to scrap the idea, it just doesn't work :angry_face: :face_with_open_mouth_cold_sweat:I don’t know enough about the Meraki side. But one would assume it can work. IPSEC is a standard.
You probably have to rub some cash on the Meraki to get it to work.
-
@RojoLoco said in EdgeRouter 4: IPSec, S2S vpn:
@JaredBusch said in EdgeRouter 4: IPSec, S2S vpn:
@FATeknollogee said in EdgeRouter 4: IPSec, S2S vpn:
update:
ER4 <--> S2S <--> Meraki MX is/was an absolute disaster.
No workie!!!
For now, have to scrap the idea, it just doesn't work :angry_face: :face_with_open_mouth_cold_sweat:I don’t know enough about the Meraki side. But one would assume it can work. IPSEC is a standard.
You probably have to rub some cash on the Meraki to get it to work.
That was assumed.
-
The problem is this:
On the Meraki side, let's say you have 5 (this can be any number greater than 1) firewalls.
In Meraki speak, if all 5 are in the same "organization", S2S is a few clicks & AutoVPN takes over. No pre-shared secret, no keys.
You turn on VPN, say yes to whatever subnets you want in the vpn & save.On the ER side, I have to create 5 peers to connect to the Meraki side.
Meraki will only expose one connection for a 3rd party S2S & therein lies the problem.
Not all the tunnels connect & there's no good way to fix it.