vMX100 - Non-Meraki Peer to Auto VPN Site

Solved
daalliso
Just browsing

Trying to get traffic from a non-Meraki network to an Auto VPN network....that goes across an Azure vMX.  The vMX has routes to both networks....1.1.1.X and 2.2.2.X and both VPNs are online.

1.1.1.X-----Non-Meraki Peer---VPN---vMX100---Auto VPN---MX84---2.2.2.X

ww
Kind of a big deal

That does not work. You also need the 3rd party VPN to the MX84.

https://www.willette.works/merging-meraki-vpns/

daalliso
Just browsing

So, the vMX100 will not route between the two tunnels?  So, I will need to create site-to-site tunnels from every Auto VPN spoke to the 3rd party VPN? 

Doesn't that waste the whole hub-spoke benefit of Meraki?  It seems creating one VPN to the 3rd party from the vMX100 would be a lot simpler than hundreds of 3rd party VPNs from the MX84s.

PhilipDAth
Kind of a big deal

> It seems creating one VPN to the 3rd party from the vMX100 would be a lot simpler than hundreds of 3rd party VPNs from the MX84s.

If you want to do that, then terminate the third-party VPN on the Azure VPN gateway or strongSwan on Ubuntu, and then just put routes between the two systems.  You can include static routes into AutoVPN.
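
The strongSwan side of the workaround in the reply above, as an added example that is not part of the original thread and not Meraki's or the poster's configuration. It assumes the thread's 1.1.1.X and 2.2.2.X networks are /24s, an IKEv2 pre-shared-key tunnel, and placeholder addresses (10.0.0.4, 198.51.100.20, 203.0.113.10) for the Ubuntu VM and the third-party peer.

```conf
# /etc/swanctl/swanctl.conf on the Ubuntu VM in Azure (constructed example).
# The VM, not the vMX100, terminates the third-party tunnel; hairpinning
# between the two VPNs then becomes ordinary routing between two systems.
connections {
    third-party {
        version = 2                          # IKEv2 only
        local_addrs = 10.0.0.4               # placeholder: VM private IP
        remote_addrs = 203.0.113.10          # placeholder: peer public IP
        proposals = aes256-sha256-modp2048   # no default/legacy suites
        dpd_delay = 30s
        local {
            auth = psk
            id = 198.51.100.20               # placeholder: VM public IP
        }
        remote {
            auth = psk
            id = 203.0.113.10
        }
        children {
            to-peer {
                # Selectors limited to the two networks from the thread
                # (assumed /24), rather than 0.0.0.0/0.
                local_ts = 2.2.2.0/24        # Auto VPN spoke behind the MX84
                remote_ts = 1.1.1.0/24       # non-Meraki site
                esp_proposals = aes256-sha256-modp2048
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-third-party {
        id = 203.0.113.10
        secret = "REPLACE_WITH_LONG_RANDOM_PSK"   # placeholder
    }
}
# Outside this file (assumptions about the surrounding setup):
#  - net.ipv4.ip_forward=1 on the VM, and IP forwarding enabled on its Azure NIC
#  - an Azure route table sending 1.1.1.0/24 from the vMX subnet to 10.0.0.4
#  - 1.1.1.0/24 advertised into Auto VPN from the vMX100, per the reply above
#  - the VM needs a return route for 2.2.2.0/24 via the vMX100
```

Load it with `swanctl --load-all` and confirm with `swanctl --list-sas` that the child SA carries exactly the two selectors shown.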

daalliso
Just browsing

Thanks!  One final question... 🙂  Would a similar workaround be needed if the headend was an MX450 instead of a vMX100...physical device vs virtual?

I have been routing since the Novell days, including 6 years at Cisco HTTS/TAC, and I am trying to wrap my head around why the vMX100 cannot route between two subnets in its routing table.

PhilipDAth
Kind of a big deal

It would not make any difference.  Both can do local routing fine.

What you are asking for is VPN hair pinning between a non-Meraki VPN and a Meraki VPN - and they don't do that.

daalliso
Just browsing

Ok....thanks!  I will "make a wish" to make VPN hair pinning possible, especially from the headends.

I did it on a PIX 520 probably 20 years ago now when VPNs first came out.