Meraki

Community

IPsec tunnel between vMX and third-party

DTellez
Here to help
‎Jul 24 2025 5:55 AM
‎Jul 24 2025 5:55 AM

IPsec tunnel between vMX and third-party

Hello everybody.

 

I have one question, beacause I think the doc isn't clear.

 

When I make a IPsec tunnel between vMX and third-party with All network tags in Availability. All my remote sites (networks) in my organization bring up a tunnel with a non-meraki equipment? Or is just for routing?

 

I have with vMX as hub, and MX67 in remote sites, all networks in the same organization.

 

If I only bring up a IPsec tunnel tagging vMX network in Availability, other sites can reach the non-meraki network? Is it neccesary to install the network in VPN settings to advertise to the spokes?

 

My requirements is only have one tunnel between vMX and non-meraki, and all the spokes in the same organization can access to te remote non-meraki network.

 

DTellez_0-1753361623530.png

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers

 

On the doc I read

 

  1. Availability settings to determine which appliances in your dashboard organization will connect to the Non-Meraki peer. Only networks with a network tag associated under Organization > Overview can be selected in the availability section.

 

What is 'connect' mean? Establishing tunnel or a routing adversited for the hub?

 

Thank you for reading.

 

Regards.

 

0 Kudos
6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 24 2025 6:28 AM
‎Jul 24 2025 6:28 AM

If you do not specify a tag for the networks, all networks (that have MX) will try to establish the VPN tunnel.

 

alemabrahao_0-1753363805326.png

 

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 24 2025 6:39 AM
‎Jul 24 2025 6:39 AM

Another detail is that if you establish a VPN tunnel only with the HUB, the spokes will not be able to access the remote peer's resources, since a non-Meraki VPN is not routed to the SD-WAN, that is, you will need to establish a VPN tunnel between each MX and the remote peer.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
DTellez
Here to help
‎Jul 27 2025 11:12 PM
‎Jul 27 2025 11:12 PM

You mean the non-Meraki is acting as hub, right? Because it needs to bring up tunnels with all the spokes, if if I want it to have connectivity.

0 Kudos
In response to DTellez
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jul 28 2025 3:28 AM
‎Jul 28 2025 3:28 AM

Yes

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
MilesMeraki
Head in the Cloud
‎Jul 25 2025 5:04 AM
‎Jul 25 2025 5:04 AM

Assuming the non meraki VPN device supports BGP over IPSEC, you could achieve this by using BGP over non meraki VPN and then IBGP for the auto VPN?

 

https://documentation.meraki.com/MX/Site-to-site_VPN/BGP_routing_over_IPsec_VPN

 

 

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
0 Kudos
In response to MilesMeraki
DTellez
Here to help
‎Jul 27 2025 11:10 PM
‎Jul 27 2025 11:10 PM

Can you share with me documentation about  IBGP for the auto VPN, please? Thank you.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
© 2025 Cisco Systems, Inc.