Meraki

Community

3 sites, 3 MX's, 2 different VPNs: Static routes

Miyo360
Getting noticed
‎Aug 13 2019 2:13 AM
‎Aug 13 2019 2:13 AM

3 sites, 3 MX's, 2 different VPNs: Static routes

Hi,

 

I have an MX in each of my 3 offices;

 

London (spoke)

Hong Kong (hub)

Shanghai (spoke)

 

I have been using AutoVPN for over a year with a constant up/down VPN between HK and Shanghai. Unsurprising. The Shanghai MX is NOT connected to the special Chinese dashboard.

 

The London <> HK AutoVPN is rock solid.

 

I am testing alternatives to replace the AutoVPN for the HK <> Shanghai leg. My current test is using separate wireguard appliances in HK & Shanghai, and a 3rd appliance in the Alibaba cloud, all connected to their own VPN. This works fine, and is stable. See diagram.

 

 

 

 

However, I cannot work out how to configure the static route so clients from London can talk to Shanghai. I added a static route in London for the Shanghai subnet, and next hop 192.168.100.1, then in site-to-site VPN, I set this static route to 'in vpn'. I also added a static route in HK for the Shanghai subnet, and next hop 192.168.110.8 (the wireguard appliance), but pings from London don't get through (I have added a firewall exception on all MX's for ICMP). 

 

Pings from London <> HK are working. Pings from HK <> Shanghai are working. But not London <> Shanghai. Where have I gone wrong?

 

One option is not use AutoVPN at all, and have London also connect to the VPC in Shanghai, but latency to HK office would worse by around 80ms.

 

Thanks in advance.

0 Kudos
11 Replies 11
jdsilva
Kind of a big deal
‎Aug 13 2019 7:29 AM
‎Aug 13 2019 7:29 AM

Is the London subnet in the encryption domain for the Shanghai Wireguard VPN? And do the wireguard devices have routes back to London?

 

It sounds like you have the MXs set up right, but you don't mention anything about what you have set up on the wireguards.

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
In response to jdsilva
Miyo360
Getting noticed
‎Aug 13 2019 7:51 AM
‎Aug 13 2019 7:51 AM

Hi, Thanks.

 

Actually, I'm using VeeamPN as a simple wireguard appliance. Its pretty basic with very little config exposed.

https://www.veeam.com/powered-network.html

 

And do the wireguard devices have routes back to London?

I just checked. In Shanghai, when I run "netstat -rn" on the wireguard appliance, I get

 

 

So, no, Shanghai knows nothing about the London subnet. I'll try and create a static route, but can you advise what the command would be?

 

Is the London subnet in the encryption domain for the Shanghai Wireguard VPN? 

Again, can you advise how I can check this?

 

Much appreciated!

0 Kudos
In response to Miyo360
Miyo360
Getting noticed
‎Aug 13 2019 9:02 AM
‎Aug 13 2019 9:02 AM

Ok, perhaps a better screenshot of the static routes on Shanghai is this

 

0 Kudos
In response to Miyo360
jdsilva
Kind of a big deal
‎Aug 13 2019 9:15 AM
‎Aug 13 2019 9:15 AM

I'm sorry @Miyo360 , I have no experience with VeeamPN so I'm not going to be able to help you with the configuration of that product. But, based on what you're showing me I suspect that the problem lies in the return path from Shanghai back to London. 

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
Happiman
Building a reputation
‎Aug 13 2019 9:43 AM
‎Aug 13 2019 9:43 AM

Hi Miyo360,

 

So you're trying to get to Shanghai office through ShanghaiVPN(WireguardVPN)?

 

Then traffic will first hop on AutoVPN then,WireguardVPN?

 

image.png

0 Kudos
In response to Happiman
cmr
Kind of a big deal
Kind of a big deal
‎Aug 13 2019 12:50 PM
‎Aug 13 2019 12:50 PM

If you access the internet from the Shanghai office does it go straight out or via the Hong Kong office? If so then plug the MX into the LAN port of the wireguard.  If not then... 

 

At the moment with the wireguard VPN you are advertising 192.168.110.0/24 from HK, can you also advertise 192.168.100.0/24 from HK to Shanghai?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Miyo360
Getting noticed
‎Aug 14 2019 7:46 AM
‎Aug 14 2019 7:46 AM

@cmr wrote:

If you access the internet from the Shanghai office does it go straight out or via the Hong Kong office? If so then plug the MX into the LAN port of the wireguard.  If not then... 

Shanghai office internet goes straight out.

 

@cmr wrote:

At the moment with the wireguard VPN you are advertising 192.168.110.0/24 from HK, can you also advertise 192.168.100.0/24 from HK to Shanghai?

I could if I knew how! From the look of it, the VeeamPN appliance doesn't store the wireguard interface config in the usual location, typically /etc/wireguard/wg0.conf I have searched all over for "wg0.conf" and "wg.veeampn" but can't find the file. I don't think Veeam offer any support for this product, so I may have to look at another solution. 

0 Kudos
In response to Miyo360
Nash
Kind of a big deal
‎Aug 14 2019 8:01 AM
‎Aug 14 2019 8:01 AM

Ouch. If it's business critical, let us be your cheer squad and encourage you to get a solution with support.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
Miyo360
Getting noticed
‎Aug 14 2019 8:35 AM
‎Aug 14 2019 8:35 AM

Yeah, unfortunate. I'll put something on the veeam forums and see what I get back. 

In response to Happiman
Miyo360
Getting noticed
‎Aug 14 2019 7:42 AM
‎Aug 14 2019 7:42 AM

@Happiman wrote:

So you're trying to get to Shanghai office through ShanghaiVPN(WireguardVPN)?

Yes, I'm trying to get Shanghai office through ShanghaiVPN (wireguard VPN)

 

0 Kudos
In response to Miyo360
Happiman
Building a reputation
‎Aug 15 2019 11:48 AM
‎Aug 15 2019 11:48 AM

Hi Miyo360,

 

1) I would create the Shanghai subnet(192.168.120.0/24) on HongKong Meraki so that it gets advertised to London Office.

 

2) You need a static route on HongKong Meraki toward WireguardVPN

     If Dest is 192.168.120.0  then go to 192.168.110.8 

 

3) For return  traffic, you need a static route on Wireguard VPN

   if Dest is 192.168.100.0/22 then go to 192.168.110.1

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.