Multiple Meraki MX to google cloud

CSI
Comes here often

Anybody successfully connecting site-to-site VPN from multiple MXs to Google Cloud with multiple VPCs / subnets? The first one works without issue; the second one fails because the same remote peer subnets cannot be associated with multiple customer remote locations. Due to Europe's new regulations we need customer data residing in a Europe VPC, but the rest of our systems are in US East. Google allows you to traverse their backbone from an ingress point. Due to latency issues in Asia and the Pac Rim, a central ingress in the US is not sustainable. I'd appreciate it if someone who has this working can share their solution.
5 Replies
DCooper
Meraki Alumni (Retired)

I assume you're using 3rd-party VPN to connect these? If so, you cannot have overlapping subnets. This works with our vMX for AWS and Azure since you can have overlapping subnets with AutoVPN but not 3rd-party VPN. Since Cisco did announce a partnership with Google Cloud, I wouldn't be surprised if one day we will support a virtual MX with Google, but nothing near term.

PhilipDAth
Kind of a big deal

Are you using the same subnet in multiple Google Cloud locations?


If so, you really need to change that. That is going to cause you all sorts of grief in the future. You want every site to have a unique subnet.

CSI
Comes here often

No, each Google area (geographic location) has a VPC with a unique subnet. But Google allows you to traverse their backbone to get to a different VPC/subnet. The problem is that when all the remote sites try to access multiple VPCs, each with a unique subnet, it fails. Say you have an upstream vendor with a non-Meraki FW and want to do an IPsec tunnel from each of your branches. Because the remote peer's subnet would have to be entered into each Meraki's access list for the tunnel, it will not allow you to configure this. This is a major fault in Meraki's non-Auto/Meraki site-to-site VPN.
DCooper
Meraki Alumni (Retired)

Our focus to scale to multiple DCs and beyond isn't using proprietary IPsec methods. SD-WAN and routing between DCs require routing protocols and/or methods beyond what can be accomplished with standard protocols. With that said, our answer still stands: we can facilitate this design with our AutoVPN and SD-WAN technologies. This won't be supported with 3rd-party VPNs. This is supported on AWS and Azure currently; as for Google, this will take some time before this is supported.
PhilipDAth
Kind of a big deal

We typically solve this issue using Ubuntu and strongSwan (when you can't deploy vMX).


Basically you configure strongSwan to only accept VPNs, not make them. It then matches on the subnets in the SA negotiation. Then you can have lots of branches using non-Meraki VPN directly to the Ubuntu box.
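
Added example, not from the reply above or from Meraki or strongSwan: a constructed `/etc/swanctl/swanctl.conf` for the responder-only strongSwan hub that reply describes, with one connection per branch selected by the branch's IKE identity, the hub-side VPC subnets listed once in each child, and `start_action = none` so the hub never initiates. It assumes strongSwan 5.x with swanctl, IKEv2 with PSK, and that each MX presents its public IP as its IKE ID; every address, subnet and secret is a placeholder.

```conf
connections {
    branch-london {
        version = 2                   # IKEv2
        local_addrs = 203.0.113.10    # hub public IP (placeholder)
        remote_addrs = %any           # accept from any source; the hub never dials out
        local {
            auth = psk
        }
        remote {
            auth = psk
            id = 198.51.100.21        # branch public IP, used as its IKE ID (placeholder)
        }
        children {
            london-to-vpcs {
                local_ts = 10.10.0.0/16,10.20.0.0/16   # every VPC subnet reachable via the hub
                remote_ts = 192.168.10.0/24            # branch LAN; proposed selector must fit inside
                start_action = none   # responder only: never initiate this child SA
            }
        }
    }
    branch-tokyo {
        version = 2
        local_addrs = 203.0.113.10
        remote_addrs = %any
        local {
            auth = psk
        }
        remote {
            auth = psk
            id = 198.51.100.37
        }
        children {
            tokyo-to-vpcs {
                local_ts = 10.10.0.0/16,10.20.0.0/16   # same hub-side subnets, no conflict on the hub
                remote_ts = 192.168.20.0/24            # distinct branch subnet
                start_action = none
            }
        }
    }
}
secrets {
    ike-london {
        id = 198.51.100.21
        secret = "REPLACE_ME_LONDON"
    }
    ike-tokyo {
        id = 198.51.100.37
        secret = "REPLACE_ME_TOKYO"
    }
}
```

Load it with `swanctl --load-all`; IKE and ESP proposals are left at strongSwan's defaults here and must match what each MX's non-Meraki VPN peer is configured to offer.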
