Non-Meraki VPN to third-party

Solved
dmbooth
Here to help

If a Non-Meraki VPN tunnel is required to connect a Secure Connect site to a third party, can this be done as normal in Organisation-wide settings > Non-Meraki VPN peers on the Security & SD-WAN > Site-to-site VPN page, as you would for a normal (non Secure Connect) Meraki site? Or does the traffic have to go through the Secure Connect tunnel, with the Non-Meraki tunnel configured in Secure Connect > Network Tunnels? Thanks

1 Accepted Solution
Gary_Geihsler1
Meraki Employee

If the tunnel is terminating on a non-Meraki device you would use the Secure Connect > Network Tunnels section. As you are not creating a tunnel from a Meraki network to the third party, you would not use the Meraki tunnel process. Documentation here


5 Replies
PhilipDAth
Kind of a big deal

I don't know - but I expect you should still be able to create a non-Meraki tunnel in this way.

dmbooth
Here to help

Thanks, Gary. It was when I found the documentation page you have referred to that made me think the regular non-Meraki VPN might not work. Once the non-Meraki tunnel is configured in the Network Tunnels section, is anything else required to route traffic from the Meraki sites, or is routing information passed to the sites as soon as the tunnels are configured?

Gary_Geihsler1
Meraki Employee

If Meraki sites are connected to Secure Connect via AutoVPN, they will automatically be advertising their reachable subnets to Secure Connect.


When you connect a non-Meraki device via IPsec, you will also define the routable subnets in the configuration. Once both tunnels are connected, you would need to enable a source-destination cloud firewall rule to allow connectivity, as the default private app and network rule is a deny all. Then the sites would be able to communicate with each other.
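To make the two conditions in the reply above concrete (a route must exist on both sides, and the cloud firewall still denies the flow until an explicit allow rule is added), here is a small Python model of that behaviour. It is an added example, not code from this thread or from Meraki, and it does not call the Meraki API; the site and tunnel names, subnets and the first-match rule semantics are all constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model (not Meraki's implementation) of the behaviour described:
#  - AutoVPN-connected Meraki sites advertise their subnets to Secure Connect
#  - a non-Meraki IPsec tunnel carries the subnets defined in its configuration
#  - the cloud firewall denies everything that no allow rule matches


@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class SecureConnectModel:
    routes: dict = field(default_factory=dict)   # tunnel name -> [subnets]
    rules: list = field(default_factory=list)    # evaluated first match wins

    def add_autovpn_site(self, name, subnets):
        """Subnets an AutoVPN site advertises automatically."""
        self.routes[name] = [ipaddress.ip_network(s) for s in subnets]

    def add_ipsec_tunnel(self, name, routable_subnets):
        """Subnets typed into the Network Tunnels configuration."""
        self.routes[name] = [ipaddress.ip_network(s) for s in routable_subnets]

    def allow(self, src, dst):
        """The source-destination cloud firewall rule the reply refers to."""
        self.rules.append(Rule("allow", ipaddress.ip_network(src),
                               ipaddress.ip_network(dst)))

    def tunnel_for(self, ip):
        """Longest-prefix match across every tunnel; None if nothing routes it."""
        ip = ipaddress.ip_address(ip)
        best = None
        for name, nets in self.routes.items():
            for net in nets:
                if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (name, net)
        return best[0] if best else None

    def check(self, src_ip, dst_ip):
        """Returns 'no-route', 'denied' or 'allowed' for a flow."""
        if self.tunnel_for(src_ip) is None or self.tunnel_for(dst_ip) is None:
            return "no-route"          # one side is not advertised/configured
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if s in rule.src and d in rule.dst:
                return "allowed" if rule.action == "allow" else "denied"
        return "denied"                # default private app/network rule: deny all


def build_scenario():
    """Constructed sample: one AutoVPN branch and one third-party IPsec tunnel."""
    m = SecureConnectModel()
    m.add_autovpn_site("branch-1", ["10.10.0.0/24"])            # assumed subnet
    m.add_ipsec_tunnel("partner-fw", ["192.168.50.0/24"])       # assumed subnet
    return m


if __name__ == "__main__":
    m = build_scenario()
    print("before rule:", m.check("10.10.0.5", "192.168.50.10"))   # denied
    m.allow("10.10.0.0/24", "192.168.50.0/24")
    print("after rule: ", m.check("10.10.0.5", "192.168.50.10"))   # allowed
    print("unknown dst:", m.check("10.10.0.5", "172.16.0.9"))      # no-route
```

The useful distinction for troubleshooting is the one the model separates: "no-route" means a subnet was never advertised by the AutoVPN site or never entered in the IPsec tunnel's routable subnets, whereas "denied" means routing is fine and only the cloud firewall rule is missing.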


PhilipDAth
Kind of a big deal

Good information, @Gary_Geihsler1. I must get a licence for this so I can play with it.
