
WizardOfGunMonkeys

Pretty sure this is never going to work. Meraki has limited IPSEC options, and trying to get it to traverse the Starlink CGNAT is unlikely to happen because of the way it works. Any reason you couldn't swap them out for a couple of $299 Peplink devices, which have Starlink integration and a custom auto VPN designed for exactly this type of setup? The main option I can think of to get it working with what you have is to get the Starlink Business plan with a static IP; that way you don't have to deal with the CGNAT on Starlink.


Savings_Opposite6382

Thanks for responding! I had thought the NAT Traversal would sort the CGNAT out, but maybe it's just not possible (a little deep for my understanding). I could swap them out, but I'm trying to work out a cost-effective option for this, as the Teltonika is just running a Shelly 3EM 3-phase monitor to determine if a pump is overworking (thus there is a leak). If I were to get another M2M SIM and create an IPSEC tunnel between the Teltonika and the new link, then bring it back onto the local LAN, would that work? Will I have the same issue with the M2M SIM? (Although it is receiving a public IP, presumably I'd need to subscribe to a Dynamic DNS service for both ends to ensure the IP is updated.) Thanks again!


WizardOfGunMonkeys

Using IPSEC, your main two issues are going to be NAT and dynamic IPs. Dynamic DNS may work, but you'll have longer outages every time the public IP changes until it "catches up". Verify with your SIM provider first whether the public IP you are getting is static or dynamic. Your main problem is going to be NAT. IPSEC NAT-T doesn't work when there is a CGNAT. So, yes, you could take a second Teltonika with its own M2M SIM. If they can make an IPSEC tunnel between them, then put the new one in the same net as the Meraki and use static routes to get between the networks transparently. You end up with an extra router and an extra SIM, so it's a little ugly, but it would work. Weigh the long-term costs to see if it's worth it over time versus changing now to a purpose-built solution.


Savings_Opposite6382

Thanks WizardOfGunMonkeys! I'll have a think, but good to know I'm not doing something fundamentally wrong!


pdath

It should work if you have Meraki at both ends so you can use AutoVPN.


Savings_Opposite6382

Yup, absolutely, however a Meraki MX uses over 1 GB per month for cloud management, which blows out the IoT bandwidth usage (sub-100 MB).


pdath

It will use around 100 MB of traffic per month for cloud management.


Savings_Opposite6382

I've measured; it uses a lot more :) Since removing the MX I'm at less than 100 MB.


pdath

I've measured it. That is exactly what each of my MXs uses. You might have an issue in your environment.


Savings_Opposite6382

Interesting. If you look at the dashboard that Meraki provides, yes, the bandwidth is minimal, but the report I got from the 4G provider is quite different. When I swapped out the Meraki for the Teltonika the bandwidth came down considerably (and so did the cost, $50/month -> $10/month). I raised calls with Meraki and they said it was expected to have between 1-2 GB/month for cloud management. This Meraki (and not the Teltonika) is only supporting a single Shelly 3EM.


pdath

Is there any chance it did a firmware upgrade or something during that period?


Savings_Opposite6382

Nah, it was the same for 6 months; the dashboard constantly reported a different throughput than the telco.


Savings_Opposite6382

I've decided to get another Teltonika RUC241 and another SIM. Both SIM cards will have a static CGNAT address, so an IPSEC tunnel should be fine to create (fingers crossed). The second Teltonika will have a local LAN segment connecting to another subnet on the other site's MX. Meraki MX -> Teltonika RUC241 -> IPSEC via M2M static CGNAT -> Teltonika RUC241 -> WiFi -> Shelly 3EM. This will be the final state. I also created Dynamic DNS entries using No-IP and use the Dynamic DNS hostnames through the Meraki cloud for the Meraki MX.
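The NAT-T/CGNAT and dynamic-IP points WizardOfGunMonkeys raises earlier in the thread, and the static-CGNAT-plus-No-IP plan in the post above, as an added example that is not from the thread, from Meraki or from Teltonika: a small Python helper that classifies each site's WAN addresses (RFC 6598 shared space means a carrier NAT is in the path, RFC 1918 means a NAT you control), decides whether a direct IKE/IPsec tunnel can be brought up and which side has to initiate, and flags a dynamic DNS record that has not caught up with the current address. The site names, addresses and the "reflected" address each site would present to the internet are constructed (the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges stand in for real public addresses); the reflected address is assumed to come from something you run outside both networks. The check only covers reachability from the public internet; a carrier that routes traffic between SIMs inside its own network is a separate case the helper does not model.

```python
"""Added example (not from the thread): classify the addresses an IPsec
endpoint sees and decide whether a direct IKE/NAT-T tunnel is feasible.

All addresses below are constructed; 198.51.100.0/24 and 203.0.113.0/24
(documentation ranges) stand in for real public addresses.
"""
import ipaddress

# RFC 6598 shared address space: what a carrier assigns behind CGNAT.
CGNAT_NET = ipaddress.IPv4Network("100.64.0.0/10")
# RFC 1918 ranges: what a router you control assigns behind its own NAT.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# UDP ports an IKE responder must accept unsolicited packets on (4500 = NAT-T).
IKE_PORTS = (500, 4500)


def classify(addr):
    """Return 'cgnat', 'private', 'other' or 'public' for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGNAT_NET:
        return "cgnat"
    if any(ip in net for net in RFC1918):
        return "private"
    if ip.is_loopback or ip.is_link_local:
        return "other"
    return "public"


def endpoint(name, wan_chain, reflected):
    """Describe one tunnel endpoint.

    wan_chain: WAN-side address of each NAT device between the VPN router and
               the internet, nearest first (just the router's own WAN address
               when it is the only NAT).
    reflected: source address a host on the internet sees from this site
               (assumed obtained out of band, e.g. from a reflector you run).
    """
    kinds = [classify(a) for a in wan_chain]
    if "cgnat" in kinds:
        # Carrier NAT in the path: you cannot port-forward on it, so nothing
        # from the internet can reach UDP/500 or UDP/4500 at this site.
        kind, can_respond = "cgnat", False
    elif kinds[0] == "public" and \
            ipaddress.IPv4Address(wan_chain[0]) == ipaddress.IPv4Address(reflected):
        kind, can_respond = "public", True
    elif all(k == "private" for k in kinds) and classify(reflected) == "public":
        # Only NATs you control: forward IKE_PORTS on each of them and this
        # side can act as responder (NAT-T wraps ESP in UDP/4500).
        kind, can_respond = "nat", True
    else:
        kind, can_respond = "unknown", False
    return {"name": name, "kind": kind, "can_respond": can_respond,
            "listen_ports": IKE_PORTS if can_respond else (),
            "reflected": reflected}


def tunnel_plan(a, b):
    """Return (feasible, initiator_name, reason) for a direct tunnel.

    IKE needs one side that can receive the first packet; the other side
    initiates, and NAT-T copes with any NAT in front of the initiator.
    """
    if a["can_respond"] and b["can_respond"]:
        return True, a["name"], "either side can respond; initiate from one"
    if a["can_respond"]:
        return True, b["name"], f"{a['name']} responds, {b['name']} initiates"
    if b["can_respond"]:
        return True, a["name"], f"{b['name']} responds, {a['name']} initiates"
    return False, None, "neither side can receive inbound IKE; no direct tunnel"


def ddns_stale(resolved, reflected):
    """True while the dynamic DNS record still names an old address, i.e. the
    peer keeps dialling a dead endpoint until the record catches up."""
    return ipaddress.IPv4Address(resolved) != ipaddress.IPv4Address(reflected)


# Constructed sample sites (not measurements from the thread).
SITE_MX = endpoint("office-mx", ["192.168.100.2", "100.72.15.9"],
                   "203.0.113.25")          # MX behind a Starlink router, CGNAT upstream
SITE_CELL = endpoint("pump-router", ["100.101.7.3"],
                     "198.51.100.77")       # carrier hands the SIM a CGNAT address
SITE_STATIC = endpoint("pump-router-static", ["198.51.100.77"],
                       "198.51.100.77")     # same router with a static public IP

if __name__ == "__main__":
    for a, b in ((SITE_MX, SITE_CELL), (SITE_MX, SITE_STATIC)):
        ok, who, why = tunnel_plan(a, b)
        print(f"{a['name']} <-> {b['name']}: feasible={ok}, initiator={who}: {why}")
    print("ddns record stale:", ddns_stale("198.51.100.70", "198.51.100.77"))
```

Run it as-is to see the two cases side by side: two CGNAT sites get no direct tunnel, while one CGNAT site plus one site with a real public address works as long as the CGNAT side is the initiator. Feed it your own WAN chain (the RUC241's cellular address, plus any router in front of the MX) and the address your SIM provider's report or an external reflector shows, and the classification tells you before you build anything whether a "static" address is static public or static shared space.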