IPsec tunnel between vMX and third-party

DTellez
Here to help

Hello everybody.

I have one question, because I think the doc isn't clear.

When I make an IPsec tunnel between vMX and a third party with all network tags in Availability, will all my remote sites (networks) in my organization bring up a tunnel with the non-Meraki equipment? Or is it just for routing?

I have a vMX as hub, and MX67s in remote sites, all networks in the same organization.

If I only bring up an IPsec tunnel by tagging the vMX network in Availability, can other sites reach the non-Meraki network? Is it necessary to install the network in VPN settings to advertise it to the spokes?

My requirement is to have only one tunnel between the vMX and the non-Meraki device, and all the spokes in the same organization can access the remote non-Meraki network.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers

On the doc I read:

  1. Availability settings to determine which appliances in your dashboard organization will connect to the Non-Meraki peer. Only networks with a network tag associated under Organization > Overview can be selected in the availability section.

What does 'connect' mean? Establishing a tunnel, or a route advertised by the hub?

Thank you for reading.

Regards.

alemabrahao
Kind of a big deal

If you do not specify a tag for the networks, all networks (that have an MX) will try to establish the VPN tunnel.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
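As an added illustration of the availability semantics described in this answer (example code written for this thread, not from Meraki or from the poster), the following Python model works out which dashboard networks will attempt the tunnel for a given availability list. It assumes the Availability setting corresponds to the `networkTags` field of a third-party VPN peer in the Dashboard API (`["all"]`, `["none"]`, or a list of network tags), that only a network containing an MX/vMX can run IPsec at all, and that each initiating MX needs its own peer entry on the non-Meraki side, as the follow-up reply states. The organization data is constructed sample input.

```python
"""Model which dashboard networks will attempt a non-Meraki IPsec tunnel.

Added example, not code from the thread or from Meraki. Assumptions:
the Availability setting corresponds to the `networkTags` field of a
third-party VPN peer in the Dashboard API (["all"], ["none"], or a list
of network tags), and only a network that contains an MX/vMX can bring
up a tunnel at all. The organization below is constructed sample data.
"""

# Constructed sample organization: a vMX hub, two MX67 spokes, and a
# switch-only network that happens to carry the same tag as the hub.
NETWORKS = [
    {"name": "vMX-hub", "tags": ["hub", "vpn-peer"], "has_mx": True},
    {"name": "Branch-A", "tags": ["spoke"], "has_mx": True},
    {"name": "Branch-B", "tags": ["spoke", "vpn-peer"], "has_mx": True},
    {"name": "Switch-only", "tags": ["vpn-peer"], "has_mx": False},
]


def validate_network_tags(network_tags):
    """Reject availability lists that mix the reserved words with real tags."""
    tags = list(network_tags)
    if not tags:
        raise ValueError("networkTags must not be empty; use ['none'] to disable")
    reserved = {"all", "none"} & set(tags)
    if reserved and len(tags) > 1:
        raise ValueError("'all' and 'none' cannot be combined with other tags")
    return tags


def tunnel_initiators(networks, network_tags):
    """Names of the networks that will try to establish the tunnel.

    ["all"] selects every network with an MX, ["none"] selects nothing,
    otherwise a network is selected if it carries at least one listed tag.
    Networks without an MX are skipped even if tagged: there is no
    appliance to run IPsec.
    """
    wanted = set(validate_network_tags(network_tags))
    if wanted == {"none"}:
        return []
    return [
        n["name"]
        for n in networks
        if n["has_mx"] and ("all" in wanted or wanted & set(n["tags"]))
    ]


def build_peer(name, public_ip, private_subnets, secret, network_tags):
    """Assemble one entry for the thirdPartyVPNPeers list.

    Field names follow the Dashboard API object for third-party VPN
    peers; `secret` is the IKE pre-shared key and is a placeholder here.
    """
    return {
        "name": name,
        "publicIp": public_ip,
        "privateSubnets": list(private_subnets),
        "secret": secret,
        "ikeVersion": "2",
        "networkTags": validate_network_tags(network_tags),
    }


def peers_required_on_third_party(networks, network_tags):
    """Number of separate IKE peers the non-Meraki device must accept.

    One per initiating MX network, since each MX negotiates its own SA
    from its own WAN address; the non-Meraki routes are not carried into
    AutoVPN, so restricting availability to the hub alone also restricts
    which sites can reach the remote subnets.
    """
    return len(tunnel_initiators(networks, network_tags))


if __name__ == "__main__":
    for setting in (["all"], ["hub"], ["vpn-peer"], ["none"]):
        print(setting, "->", tunnel_initiators(NETWORKS, setting))
```

Running the module prints the initiating networks for each availability choice; tagging only the hub yields a single tunnel, while `["all"]` makes every MX network (but not the switch-only one) negotiate its own tunnel.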
alemabrahao
Kind of a big deal

Another detail is that if you establish a VPN tunnel only with the HUB, the spokes will not be able to access the remote peer's resources, since a non-Meraki VPN is not routed to the SD-WAN, that is, you will need to establish a VPN tunnel between each MX and the remote peer.

DTellez
Here to help

You mean the non-Meraki is acting as hub, right? Because it needs to bring up tunnels with all the spokes, if I want it to have connectivity.

alemabrahao
Kind of a big deal

Yes

MilesMeraki
Head in the Cloud

Assuming the non-Meraki VPN device supports BGP over IPsec, you could achieve this by using BGP over non-Meraki VPN and then iBGP for the AutoVPN?

https://documentation.meraki.com/MX/Site-to-site_VPN/BGP_routing_over_IPsec_VPN

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
DTellez
Here to help

Can you share with me documentation about iBGP for the AutoVPN, please? Thank you.