Trying to get traffic from a non-Meraki network to an Auto VPN network....that goes across an Azure vMX. The vMX has routes to both networks....1.1.1.X and 2.2.2.X and both VPNs are online.
1.1.1.X-----Non-Meraki Peer---VPN---vMX100---Auto VPN---MX84---2.2.2.X
That does not work. You also need the 3rd party VPN to the MX84.
So, the vMX100 will not route between the two tunnels? So, I will need to create site-to-site tunnels from every Auto VPN spoke to the 3rd party VPN?
Doesn't that waste the whole hub-spoke benefit of Meraki? It seems creating one VPN to the 3rd party from the vMX100 would be a lot simpler than hundreds of 3rd party VPNs from the MX84s.
>It seems creating one VPN to the 3rd party from the vMX100 would be a lot simpler than hundreds of 3rd party VPNs from the MX84s.
If you want to do that, then terminate the third party VPN on the Azure VPN gateway or strongSwan on Ubuntu, and then just put routes between the two systems. You can include static routes into AutoVPN.
Thanks! One final question... 🙂 Would a similar workaround be needed if the headend was an MX450 instead of a vMX100...physical device vs virtual?
I have been routing since the Novell days, including 6 years at Cisco HTTS/TAC, and I am trying to wrap my head around why the vMX100 cannot route between two subnets in its routing table.
It would not make any difference. Both can do local routing fine.
What you are asking for is VPN hair pinning between a non-Meraki VPN and a Meraki VPN - and they don't do that.
Ok....thanks! I will "make a wish" to make VPN hair pinning possible, especially from the headends.
I did it on a PIX 520 probably 20 years ago now when VPNs first came out.