Carrier-Grade NAT and Meraki Auto VPN
Overview
Many carriers use CG-NAT (Carrier-Grade NAT) within their networks. IANA has recorded the allocation of an IPv4 /10 for use as Shared Address Space; that range is 100.64.0.0/10 (RFC 6598). This is primarily seen on cellular deployments. Because the carrier can use Carrier-Grade NAT to load balance across multiple public IPs, and it is not a direct 1:1 NAT, it can cause issues with Auto VPN, as the public IP and UDP port in use will vary. There are a couple of options that can be implemented to resolve this.
This issue does not occur if the Hub is directly connected to the Internet with its own public IP or has a 1:1 NAT entry.
The Problem
Meraki Auto VPN connections rely on the VPN registry to define a public IP and UDP port for each MX Security & SD-WAN appliance for symmetric NAT traversal.
When Carrier-Grade NAT or port translation on a firewall is in the path, the connection becomes asymmetrical and is blocked by the firewall.
Solutions
Manual NAT traversal
There are two ways to solve this problem with manual NAT traversal:
- Create a 1:1 NAT Mapping on the Hub's upstream firewall to the Hub's WAN IP (Virtual IP, if enabled), OR
- Enable Manual Port Forwarding for Meraki Auto VPN on the Hub and enable port forwarding on the Hub's upstream firewall to the defined manual Auto VPN port.
If 0.0.0.0 is used for the Hub's public IP in the Auto VPN NAT Traversal settings, it will dynamically use its statically configured or DHCP-obtained WAN IP.
This will allow any connection to reach the Hub. When the Hub receives a valid Auto VPN packet from a spoke connection that does not match the information it pulled from the VPN Registry, it will add a new connection-based entry using the public IP and UDP port from the packet, and respond to the spoke on that newly logged public IP and UDP port combination. This new connection will be seen as symmetrical at the Spoke's upstream firewall, completing the Auto VPN connection.
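The following is an added example, not Meraki's own code: a small Python model of the behaviour described above. It checks whether a WAN IP falls in the RFC 6598 Shared Address Space (a sign of CG-NAT upstream), resolves the 0.0.0.0 public-IP setting, and shows how a Hub would fall back from the registry entry to a connection-based entry when a valid packet arrives from a translated IP:port. Spoke identifiers, addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (public IP, UDP port)

# RFC 6598 Shared Address Space, the range carriers use for CG-NAT.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def behind_cgnat(wan_ip: str) -> bool:
    """True when the WAN IP the MX obtained is in Shared Address Space,
    a strong hint that a carrier NAT sits between the MX and the Internet."""
    return ipaddress.ip_address(wan_ip) in SHARED_ADDRESS_SPACE


def hub_public_ip(configured_ip: str, wan_ip: str) -> str:
    """Manual NAT traversal: 0.0.0.0 means 'use the WAN IP the Hub currently has'."""
    return wan_ip if configured_ip == "0.0.0.0" else configured_ip


@dataclass
class HubPeerTable:
    """Model (assumption, not Meraki's implementation) of how a Hub picks
    the endpoint it answers on.

    registry: spoke id -> endpoint published by the VPN registry
    learned:  spoke id -> connection-based entry taken from a real inbound packet
    """
    registry: Dict[str, Endpoint]
    learned: Dict[str, Endpoint] = field(default_factory=dict)

    def reply_endpoint(self, spoke_id: str, src: Endpoint,
                       authenticated: bool) -> Optional[Endpoint]:
        # Only packets that validate as Auto VPN traffic from a known spoke count.
        if not authenticated or spoke_id not in self.registry:
            return None
        if src == self.registry[spoke_id]:
            return src  # registry already matches what the firewall translated
        # CG-NAT/PAT changed the source: record a connection-based entry and
        # answer on exactly that IP:port so the spoke's firewall sees a symmetric flow.
        self.learned[spoke_id] = src
        return src

    def endpoint_for(self, spoke_id: str) -> Optional[Endpoint]:
        """Learned entry wins over the registry when the Hub initiates traffic."""
        return self.learned.get(spoke_id, self.registry.get(spoke_id))
```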
Bypassing CG-NAT
This requires working with the carrier to bypass the CG-NAT. This also requires the MX to obtain its own public IP on the WAN. This may or may not be doable depending on each network's design.
Caveats
- Only fixes Cellular to fixed VPNs
- Cellular MX must be in NAT mode
- Cellular MX must be a Spoke
- Fixed MX can either be NAT or One-Armed Concentrator mode
- Cellular sites can still communicate via the Hub
- Cellular to Cellular MX cannot communicate directly
- May require the full UDP port range 1-65535 to be opened on the upstream network (unless you know what range the carrier uses for CG-NAT)