VPN connection 891 - Meraki MX84

Adam_Peak · ‎06-17-2016

Hi,

I am trying to create a VPN connection from a 891 to a Meraki MX84. The VPN connection looks like its working as I am not seeing any errors on either side from any of the isakmp, ipsec debug and firewall logs, but I am unable to ping either subnets on the other side. I can ping the routers so I am thinking there is something wrong with my NAT settings. This is my first time trying to configure this so I apologies for any stupid mistake that I might have made.

If anyone noticed any blatant issues please let me know or if you have some suggest I am willing to give anything a try.

I have attached a trimmed version of the config with the odd lines removed

The local subnet is 192.168.50.0\24 and the remote is 10.190.200.0\24

A few outputs

show crypt isakmp sa

IPv4 Crypto ISAKMP SA
dst src state conn-id status
***.***.***.*** ***.***.***.*** QM_IDLE 2010 ACTIVE

show crypto ipsec sa

interface: GigabitEthernet0
Crypto map tag: CMAP, local addr ***.***.***.***

protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.190.200.0/255.255.255.0/0/0)
current_peer ***.***.***.*** port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 1610, #pkts decrypt: 1610, #pkts verify: 1610
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: ***.***.***.***, remote crypto endpt.: ***.***.***.***
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
current outbound spi: 0x47F1C42(75439170)

Philip D'Ath · ‎06-20-2016

Access-list 100 does not exists for this NAT entry.

ip nat inside source list 100 interface GigabitEthernet0 overload

Also you wouldn't normally need multiple NAT lines for the same interface like this,

NAT-INSIDE_ACL should have the deny first. But the IP addresses don't match your VPN. They should be more like:

ip access-list extended NAT-INSIDE_ACL
 deny ip 192.168.50.0 0.0.0.255 10.190.200.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 any

Adam_Peak · ‎06-20-2016

Thanks for getting back to me Philip.

I have removed the old NAT record I was playing with

ip nat inside source list 100 interface GigabitEthernet0 overload

and changed the order of the ACL, never even noticed I had the wrong IP in there, guess that is what happens when looking at the problem for so long.

With the changes made it still hasn't resolved the issue.

Philip D'Ath · ‎06-20-2016

Could you post your updated config now please. I'm guessing the issue is the zone based firewall now.

Adam_Peak · ‎06-20-2016

I have attached the new config.

I though it might have been the firewall so I enabled logging for everything but cant see anything in there being blocked.

Philip D'Ath · ‎06-21-2016

I think some of your zone based rules for the "self" zone might be causing an issue. Try adding this:

ip access-list extended SELF-TO-WAN_ACL
 permit esp any any
 permit udp any eq 500 any
 permit udp any eq 4500 any
ip access-list extended WAN-TO-SELF_ACL
 permit esp any any
 permit udp any eq 500 any
 permit udp any eq 4500 any

Adam_Peak · ‎06-21-2016

I added the new ACL`s but its made no difference.

Looking at the packet capture I am not receiving any ESP traffic from the Cisco device.