3 sites, 3 MX's, 2 different VPNs: Static routes

Miyo360

Hi,

I have an MX in each of my 3 offices:

London (spoke)

Hong Kong (hub)

Shanghai (spoke)

I have been using AutoVPN for over a year with a constant up/down VPN between HK and Shanghai. Unsurprising. The Shanghai MX is NOT connected to the special Chinese dashboard.

The London <> HK AutoVPN is rock solid.

I am testing alternatives to replace the AutoVPN for the HK <> Shanghai leg. My current test is using separate wireguard appliances in HK & Shanghai, and a 3rd appliance in the Alibaba cloud, all connected to their own VPN. This works fine, and is stable. See diagram.

However, I cannot work out how to configure the static route so clients from London can talk to Shanghai. I added a static route in London for the Shanghai subnet, and next hop 192.168.100.1, then in site-to-site VPN, I set this static route to 'in vpn'. I also added a static route in HK for the Shanghai subnet, and next hop 192.168.110.8 (the wireguard appliance), but pings from London don't get through (I have added a firewall exception on all MX's for ICMP). 

Pings from London <> HK are working. Pings from HK <> Shanghai are working. But not London <> Shanghai. Where have I gone wrong?

One option is to not use AutoVPN at all, and have London also connect to the VPC in Shanghai, but latency to the HK office would be worse by around 80ms.

Thanks in advance.

jdsilva

Is the London subnet in the encryption domain for the Shanghai Wireguard VPN? And do the wireguard devices have routes back to London?

It sounds like you have the MXs set up right, but you don't mention anything about what you have set up on the wireguards.

Hi, Thanks.

Actually, I'm using VeeamPN as a simple wireguard appliance. It's pretty basic with very little config exposed.

https://www.veeam.com/powered-network.html

And do the wireguard devices have routes back to London?

I just checked. In Shanghai, when I run "netstat -rn" on the wireguard appliance, I get

So, no, Shanghai knows nothing about the London subnet. I'll try and create a static route, but can you advise what the command would be?

Is the London subnet in the encryption domain for the Shanghai Wireguard VPN?

Again, can you advise how I can check this?

Much appreciated!

Ok, perhaps a better screenshot of the static routes on Shanghai is this

jdsilva

I'm sorry @Miyo360 , I have no experience with VeeamPN so I'm not going to be able to help you with the configuration of that product. But, based on what you're showing me I suspect that the problem lies in the return path from Shanghai back to London. 

Happiman

Hi Miyo360,

So you're trying to get to the Shanghai office through ShanghaiVPN (WireguardVPN)?

Then traffic will first hop on AutoVPN, then WireguardVPN?

cmr

If you access the internet from the Shanghai office does it go straight out or via the Hong Kong office? If so then plug the MX into the LAN port of the wireguard. If not then...

At the moment with the wireguard VPN you are advertising 192.168.110.0/24 from HK, can you also advertise 192.168.100.0/24 from HK to Shanghai?

Miyo360

@cmr wrote:

If you access the internet from the Shanghai office does it go straight out or via the Hong Kong office? If so then plug the MX into the LAN port of the wireguard. If not then...

Shanghai office internet goes straight out.

@cmr wrote:

At the moment with the wireguard VPN you are advertising 192.168.110.0/24 from HK, can you also advertise 192.168.100.0/24 from HK to Shanghai?

I could if I knew how! From the look of it, the VeeamPN appliance doesn't store the wireguard interface config in the usual location, typically /etc/wireguard/wg0.conf. I have searched all over for "wg0.conf" and "wg.veeampn" but can't find the file. I don't think Veeam offer any support for this product, so I may have to look at another solution.

Nash

Ouch. If it's business critical, let us be your cheer squad and encourage you to get a solution with support.

Miyo360

Yeah, unfortunate. I'll put something on the veeam forums and see what I get back.

@Happiman wrote:

So you're trying to get to Shanghai office through ShanghaiVPN(WireguardVPN)?

Yes, I'm trying to get to the Shanghai office through ShanghaiVPN (wireguard VPN).

Happiman

Hi Miyo360,

1) I would create the Shanghai subnet (192.168.120.0/24) on the HongKong Meraki so that it gets advertised to the London office.

2) You need a static route on the HongKong Meraki toward WireguardVPN:

     If Dest is 192.168.120.0 then go to 192.168.110.8

3) For return traffic, you need a static route on Wireguard VPN:

     If Dest is 192.168.100.0/22 then go to 192.168.110.1
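The following is an added example, not part of the thread and not anyone's actual configuration: a small Python simulation of the routing tables the question describes, so the asymmetric result (London reaches Shanghai, Shanghai cannot answer) can be followed hop by hop and the return routes from the three steps above checked. The subnets are the ones named in the thread; the node names, the LAN-as-terminal-node model, the host addresses and treating the London prefix as a /24 are assumptions made for the simulation.

```python
import ipaddress
from copy import deepcopy
from typing import Dict, List, Optional, Tuple

# Subnets named in the thread; the London prefix is assumed to be a /24.
LONDON, HK, SHANGHAI = "192.168.100.0/24", "192.168.110.0/24", "192.168.120.0/24"
DEFAULT = "0.0.0.0/0"

Route = Tuple[str, str]        # (destination prefix, next node)
Tables = Dict[str, List[Route]]


def base_tables() -> Tables:
    """Routing as the question describes it (constructed model): the
    London -> Shanghai path is complete, but nothing past the Shanghai MX
    knows how to reach the London subnet. Node names are assumptions;
    each LAN is modelled as a terminal node whose hosts use the MX as
    default gateway, and "DELIVER" means the destination is on that LAN."""
    return {
        "london-lan":   [(LONDON, "DELIVER"), (DEFAULT, "london-mx")],
        "hk-lan":       [(HK, "DELIVER"), (DEFAULT, "hk-mx")],
        "shanghai-lan": [(SHANGHAI, "DELIVER"), (DEFAULT, "sh-mx")],
        # London MX: HK via AutoVPN, plus the Shanghai static route set "in VPN"
        "london-mx": [(LONDON, "london-lan"), (HK, "hk-mx"),
                      (SHANGHAI, "hk-mx"), (DEFAULT, "internet")],
        # HK MX (hub): Shanghai static route toward the WireGuard appliance (.8)
        "hk-mx": [(HK, "hk-lan"), (LONDON, "london-mx"),
                  (SHANGHAI, "hk-wg"), (DEFAULT, "internet")],
        # HK WireGuard appliance: its own LAN and the tunnel to Shanghai
        "hk-wg": [(HK, "hk-lan"), (SHANGHAI, "sh-wg")],
        # Shanghai WireGuard appliance: its own LAN and the tunnel to HK only
        "sh-wg": [(SHANGHAI, "shanghai-lan"), (HK, "hk-wg")],
        # Shanghai MX: HK via the appliance, everything else straight out
        "sh-mx": [(SHANGHAI, "shanghai-lan"), (HK, "sh-wg"), (DEFAULT, "internet")],
        # The internet does not carry RFC 1918 destinations: a black hole
        "internet": [],
    }


def with_return_routes(tables: Tables) -> Tables:
    """Add a route for the London subnet at every hop on the way back.
    The hk-wg entry is step 3 above (London via the HK MX); the other two
    are the same idea one hop further along, so the reply never falls
    through to a default route."""
    fixed = deepcopy(tables)
    fixed["sh-mx"].append((LONDON, "sh-wg"))   # Shanghai MX -> its WireGuard appliance
    fixed["sh-wg"].append((LONDON, "hk-wg"))   # across the tunnel (AllowedIPs must cover it)
    fixed["hk-wg"].append((LONDON, "hk-mx"))   # HK appliance -> HK MX, which has AutoVPN
    return fixed


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as a real forwarding table does it."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for prefix, nxt in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nxt)
    return None if best is None else best[1]


def trace(tables: Tables, start: str, dst: str, max_hops: int = 16) -> Tuple[bool, List[str]]:
    """Follow one packet from `start` toward `dst`. Returns (delivered, path);
    when not delivered, the last node in the path is where it was dropped."""
    path, node = [start], start
    for _ in range(max_hops):
        nxt = next_hop(tables[node], dst)
        if nxt is None:
            return False, path          # no route at all: dropped here
        if nxt == "DELIVER":
            return True, path
        path.append(nxt)
        node = nxt
    return False, path                  # hop limit hit: a routing loop


def round_trip(tables: Tables, src_lan: str, src_ip: str, dst_lan: str, dst_ip: str) -> dict:
    """A ping only 'works' if the request gets there AND the reply gets back;
    both directions are traced so the broken one can be seen."""
    req_ok, req = trace(tables, src_lan, dst_ip)
    rep_ok, rep = trace(tables, dst_lan, src_ip)
    return {"ok": req_ok and rep_ok, "request": req, "reply": rep}


if __name__ == "__main__":
    # Constructed host addresses: a London client pinging a Shanghai server
    for label, tables in (("as described", base_tables()),
                          ("with return routes", with_return_routes(base_tables()))):
        r = round_trip(tables, "london-lan", "192.168.100.20", "shanghai-lan", "192.168.120.50")
        print(f"{label}: ping ok = {r['ok']}")
        print("  request:", " -> ".join(r["request"]))
        print("  reply:  ", " -> ".join(r["reply"]))
```

Run as-is, the first trace shows the echo request arriving on the Shanghai LAN while the reply leaves the Shanghai MX on its default route, which is what a one-way ping looks like from London. On a Linux-based appliance the routes added in `with_return_routes` correspond to `ip route add <prefix> via <gateway>`, and for the tunnel hop the London prefix must also appear in the peer's `AllowedIPs` in the WireGuard configuration, since WireGuard only sends traffic to a peer for prefixes listed there; that is the closest WireGuard has to the "encryption domain" asked about earlier in the thread.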
