I have a remote office in Shanghai with a dreadful local internet connection (it's a serviced office - nothing I can do about the internet connection). It has an MX64. I have another remote office in Hong Kong, also using an MX64.
The AutoVPN was never stable, so a while back I abandoned AutoVPN and instead built a convoluted WireGuard VPN solution using Alibaba Cloud VPSs (one in Shanghai, one in Hong Kong). The path looked like this...
HK MX >> WireGuard appliance >> HK Alibaba VPS (WireGuard) >> SH Alibaba VPS (WireGuard) >> WireGuard appliance >> SH MX
Because the cross-border traffic was using Alibaba's backbone between their datacenters, the connection was fast and stable for months. Recently, however, it's not been so good, dropping out etc. I just noticed Meraki's vMXs are now available in Alibaba Cloud, so this would seem a good opportunity to simplify the setup and bring all the network components into the Meraki world.
But for this to work, I need to make sure the two Alibaba vMXs connect directly to each other, to maintain the path shown above. I cannot have one vMX being a hub and the spokes being my on-prem MXs because the traffic won't traverse the Alibaba backbone and will be subject to China's GFW.
TL;DR: Can Meraki do hub to hub AutoVPN, with separate spokes connected to each hub? Can the 'exit hubs' feature be used for this?
I wasn't aware you could have more than one Hub in an Org, and therefore assumed the only topology available was a hub and spoke setup. Thanks for the link to the doc, very helpful - not sure why that didn't come up in my Google searching.
I now have the trial vMXs set up and running on Alibaba Cloud and part of my Org. However, I'm struggling to get the basic setup working.
My current setup is:
The end goal is this topology:
As a side note, I would prefer to keep the London <> Hong Kong Office AutoVPN as it is, as latency is good at 210ms. I would prefer to avoid the scenario below, where these sites are both spokes to the HK vMX, as this increases latency between these sites.
...would like to avoid this setup, if possible
Anyway, back to my point, in the vMX's > Security & SD-WAN > Site-to-Site VPN, it says about adding routes to the upstream router.
I presume this means the Alibaba Cloud VPC. Here, I have created static routes for 192.168.110.0/24 (which is the network the HK Office MX64 is in), next hop = ECS instance (HK vMX)
However, with this in place, if I go to the HK Office MX > Appliance Status > Tools > Ping the internal IP of the HK vMX, I get no reply (100% loss).
When looking at Organization > VPN Status, I see all sites connected. On the HK vMX, if I run a packet capture on the site-to-site VPN, I get nothing at all 🤨