how can I do a site to site vpn between routers when 1 router is behin

mmercald
Level 1
I am deploying a Cisco router at a client's home, connected to the office using a site-to-site VPN and VTI. However, in front of the router is a Meraki firewall that is managed by a third party who will not do any PATs or NATs for us. I am trying to do a hub-and-spoke model using an email address as the identity for the spoke. I have it set so the spoke is the one that initiates the connection. However, after the connection gets initiated the hub tries to send a responder message to the public IP that belongs to the Meraki, and this is failing. Any idea how I can get around this?

If the FW doesn't do NAT you cannot run VTI.
You need to add NAT in the FW.

MHM

The firewall is NATing traffic; it has a default NAT set up for internet traffic. But my company does not have access to the firewall, and the other company will not set up a NAT or PAT for us. Hence I need to set up a site-to-site VPN between the spoke router and hub router when the spoke router has no inbound access from the hub router.

What platform do you want to use for VTI?

MHM

As stated above, I am using 2 routers: the hub is an ASR and the spoke is an 8200.

Sorry, I checked: without the FW NATing ports 500/4500, the VPN does not succeed.

MHM

ccieexpert
Spotlight

Basic outbound NAT should just work fine; there is no need to allow inbound NAT. Please get debugs on both sides:

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/113594-trouble-ios-ike-00.html

Also attach the config if you can.

If you have too many tunnels on the headend, you can do a conditional debug:

https://marktugbo.com/2017/10/05/tricks-how-to-debug-a-specific-ipsec-vpn-on-cisco/


**Please rate as helpful if this is useful**
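As an added example (not the posters' configuration; the addresses, names, domain and e-mail identity below are assumed placeholders), this is the shape of the IKEv2 VTI hub-and-spoke setup the thread describes: the hub accepts spokes by e-mail identity on a dynamic VTI (virtual-template), the spoke behind the third-party firewall is the only initiator, and the hub-side debug and show commands from the reply above are listed at the end.

```cisco
! ===== Hub (ASR, public 198.51.100.1, assumed) - responder only =====
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
!
! Spoke source addresses are unknown (they arrive NATed), so match any address
crypto ikev2 keyring SPOKE-KEYS
 peer SPOKES
  address 0.0.0.0 0.0.0.0
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
! Accept any peer presenting an e-mail identity in the assumed domain
crypto ikev2 profile HUB-PROF
 match identity remote email domain example.com
 identity local address 198.51.100.1
 authentication remote pre-share
 authentication local pre-share
 keyring local SPOKE-KEYS
 dpd 10 3 on-demand
 virtual-template 1
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile HUB-PROF
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
! One Virtual-Access interface is cloned from this template per spoke
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
!
! ===== Spoke (8200, behind the third-party NAT) - initiator =====
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring HUB-KEY
 peer HUB
  address 198.51.100.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
!
! The spoke identifies itself by e-mail, so the hub never needs its public IP
crypto ikev2 profile SPOKE-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 identity local email spoke1@example.com
 authentication remote pre-share
 authentication local pre-share
 keyring local HUB-KEY
 dpd 10 3 periodic
! Keep the firewall's UDP 4500 translation alive while the tunnel is idle
crypto ikev2 nat keepalive 20
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile SPOKE-PROF
!
! Static VTI: a fixed tunnel destination makes the spoke the initiator
interface Tunnel0
 ip address 10.255.1.1 255.255.255.255
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile IPSEC-PROF
! Routing over the tunnels (static on the spoke, dynamic on the hub) is omitted
!
! ===== Hub-side troubleshooting, limited to one spoke's NATed public IP =====
debug crypto condition peer ipv4 203.0.113.5
debug crypto ikev2
debug crypto ipsec
show crypto ikev2 sa
show crypto ipsec sa
undebug all
```

Because the spoke initiates on UDP 500 and both sides switch to UDP 4500 once NAT is detected, the hub's replies go to the firewall's translated source address and port, which ordinary outbound NAT already permits; the spoke's `nat keepalive` stops that translation from timing out between packets. On the hub, `show crypto ikev2 sa` lists the remote side as the firewall's public address with port 4500 when NAT-T is active, which is the first thing to confirm in the debugs before looking at the identity or PSK match.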