Carrier-Grade NAT and Meraki Auto VPN
Overview
Many carriers use CG-NAT (Carrier-Grade NAT) within their networks. IANA has allocated an IPv4 /10 for this purpose as Shared Address Space: the 100.64.0.0/10 range defined in RFC 6598. CG-NAT is most commonly seen on cellular deployments. Because the carrier can spread a subscriber's flows across a pool of public IPs and the translation is not a static 1:1 NAT, the public IP and UDP port that a cellular MX appears to use can change from flow to flow. Auto VPN relies on each peer learning a stable public IP and port for the other peer, so tunnels to and from cellular sites can fail to form. There are a couple of options that can be implemented to resolve this.
Solutions
Manual NAT traversal
On the hub MX, set NAT traversal to Manual and specify the hub's public IP and a UDP port. On the hub-side upstream firewall, forward that UDP port to the hub's WAN IP (the VIP, if the hub is an HA pair). The cellular spoke then always has a fixed hub endpoint to reach, and the hub replies to whatever public source IP and port the CG-NAT presents. Because the spoke's public source address and port are not predictable, this may require the full range of UDP ports 1-65535 to be forwarded; in that case it is easier to configure a 1:1 NAT upstream to the hub's WAN IP instead.
Bypassing CG-NAT
This requires working with the carrier to exempt the cellular line from CG-NAT, so that the MX obtains its own public IP on the cellular WAN. Whether this is possible depends on each carrier's network design.
Caveats
- Only fixes cellular-to-fixed VPNs
- Cellular MX must be in NAT mode
- Cellular MX must be a Spoke
- Fixed MX can be in either NAT or One-Armed Concentrator mode
- Cellular sites can still communicate with each other via the Hub
- Cellular-to-cellular MX cannot communicate directly
- May require the full UDP port range 1-65535 to be opened on the upstream network (unless the public address range the carrier's CG-NAT uses is known and the rule can be scoped to it)
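The following model illustrates the Overview, the Manual NAT traversal solution and the cellular-to-cellular caveat above in one place. It is an added example, not Meraki code and not a description of the MX implementation: each NAT follows RFC 4787 terminology (endpoint-independent mapping for a typical fixed-line NAT, a new mapping per destination drawn from an IP pool for the carrier CG-NAT, source-address-and-port filtering everywhere except on a statically forwarded port), and a stand-in "registry" records the public source it observes for each peer. All addresses, ports, pool sizes and names are invented for the example.

```python
"""Why a CG-NAT that varies the public IP and port per flow breaks UDP hole punching,
and why pinning the hub to a fixed, forwarded public UDP port (manual NAT traversal)
restores cellular-to-fixed tunnels. Constructed model; not Meraki's implementation.
"""
import itertools

# Constructed endpoints. REGISTRY stands in for the Auto VPN registry.
REGISTRY = ("198.51.100.1", 9350)
CARRIER_POOL = ["203.0.113.10", "203.0.113.11"]   # assumed carrier CG-NAT egress pool
HUB_PUBLIC = "198.51.100.50"                       # assumed hub-site upstream firewall IP
HUB_INSIDE = ("10.0.0.2", 32768)                   # assumed hub WAN IP behind that firewall
MANUAL_PORT = 32768                                # assumed UDP port chosen for manual NAT traversal


class Nat:
    def __init__(self, public_ips, symmetric, static_forward=None):
        self.public_ips = public_ips
        self.symmetric = symmetric             # True: a new public mapping per destination
        self.static_forward = static_forward   # (public endpoint, inside endpoint) or None
        self.maps = {}                         # mapping key -> public (ip, port)
        self.contacted = {}                    # public endpoint -> destinations it has sent to
        self.ports = itertools.count(40000)

    def outbound(self, inside, dst):
        """Translate an outbound UDP packet; return the public source the far end sees."""
        key = (inside, dst) if self.symmetric else inside
        if key not in self.maps:
            # Round-robin over the pool: a CG-NAT may hand out a different IP per mapping.
            ip = self.public_ips[len(self.maps) % len(self.public_ips)]
            self.maps[key] = (ip, next(self.ports))
        public = self.maps[key]
        self.contacted.setdefault(public, set()).add(dst)
        return public

    def inbound(self, public, src):
        """Inside endpoint that a packet to `public` from `src` reaches, or None if dropped."""
        if self.static_forward and self.static_forward[0] == public:
            return self.static_forward[1]      # forwarded port: accepted from any source
        if src not in self.contacted.get(public, set()):
            return None                        # no pinhole for this source: filtered
        for key, pub in self.maps.items():
            if pub == public:
                return key[0] if self.symmetric else key
        return None


class Peer:
    def __init__(self, name, inside, nat, manual_endpoint=None):
        self.name, self.inside, self.nat = name, inside, nat
        self.manual_endpoint = manual_endpoint  # set when NAT traversal is Manual
        self.registered = None                  # endpoint the registry hands out for this peer


def register(peer):
    """Keepalive to the registry, which records the public source it saw (or the manual one)."""
    observed = peer.nat.outbound(peer.inside, REGISTRY)
    peer.registered = peer.manual_endpoint or observed


def probe(sender, receiver):
    """Sender punches toward the receiver's registered endpoint; True if it is delivered."""
    src = sender.nat.outbound(sender.inside, receiver.registered)
    return receiver.nat.inbound(receiver.registered, src) is not None


def tunnel_up(a, b):
    """One delivered probe is enough: the receiver answers the observed source, which the
    sender's own mapping admits. A dropped probe still opens a pinhole on the sender's NAT,
    which is why the second probe can pass between two fixed-line NATs."""
    register(a)
    register(b)
    return probe(a, b) or probe(b, a)


def fixed_spoke_to_hub():
    hub = Peer("hub", HUB_INSIDE, Nat([HUB_PUBLIC], symmetric=False))
    spoke = Peer("fixed spoke", ("192.168.128.1", 32768), Nat(["192.0.2.20"], symmetric=False))
    return tunnel_up(spoke, hub)


def cellular_spoke_to_hub(manual_nat_traversal):
    forward = ((HUB_PUBLIC, MANUAL_PORT), HUB_INSIDE) if manual_nat_traversal else None
    hub = Peer("hub", HUB_INSIDE, Nat([HUB_PUBLIC], symmetric=False, static_forward=forward),
               manual_endpoint=forward[0] if forward else None)
    spoke = Peer("cellular spoke", ("192.168.128.1", 32768), Nat(CARRIER_POOL, symmetric=True))
    return tunnel_up(spoke, hub)


def cellular_to_cellular():
    cgnat = Nat(CARRIER_POOL, symmetric=True)  # both spokes behind the same carrier NAT
    a = Peer("cellular spoke A", ("192.168.128.1", 32768), cgnat)
    b = Peer("cellular spoke B", ("192.168.129.1", 32768), cgnat)
    return tunnel_up(a, b)


if __name__ == "__main__":
    print("fixed spoke -> hub, automatic:   ", fixed_spoke_to_hub())
    print("cellular spoke -> hub, automatic:", cellular_spoke_to_hub(False))
    print("cellular spoke -> hub, manual:   ", cellular_spoke_to_hub(True))
    print("cellular -> cellular, automatic: ", cellular_to_cellular())
```

Running the script shows the four cases side by side: two fixed-line NATs punch through because the spoke's source endpoint is the same toward the registry and toward the hub; the CG-NAT case fails because the endpoint the registry recorded is not the one the spoke uses toward the hub, so the hub's filter drops the probe and the hub's own probe never matches a mapping on the carrier side; the manual case succeeds because the hub's forwarded port accepts the spoke's probe regardless of its source; and two cellular spokes still cannot reach each other, which is why they must go via the hub.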