AutoVPN and Non Meraki VPN

Solved
Billy_R
New here

AutoVPN and Non Meraki VPN

I have several MX68s and 2 MX95s all set up in an AutoVPN mesh. We have a need to have non-Meraki VPN connections set up going out to hosts not part of our network. Do these appliances handle having both connections set up at the same time, and can they route traffic accordingly?

1 Accepted Solution
alemabrahao
Kind of a big deal

Yes, both auto VPN and a non-Meraki VPN can coexist without problems, just make sure that the peer's network will not overlap with yours and everything is fine.


Site-to-Site VPN Settings - Cisco Meraki Documentation

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


8 Replies
alemabrahao
Kind of a big deal

A non-Meraki VPN does not participate in SD-WAN, meaning it is necessary to create a tunnel with each MX so that they can access the non-Meraki VPN network.

Billy_R
New here

I wouldn't want it to participate with the other Merakis. Basically, we have our AutoVPN mesh for corporate data, and we have a need to create separate VPN tunnels out to a datacenter elsewhere that will not participate in or be connected at all to any of the corporate network.

I just wanted to make sure the devices would support the connections at the same time and be able to route traffic based on which port/VLAN is being used to go out a specific VPN tunnel, either the AutoVPN or the non-Meraki VPN.

Essentially a separation of traffic, entirely, where one is not aware of nor can it interact with the other.

alemabrahao
Kind of a big deal

Are you talking about PBR?


https://documentation.meraki.com/Architectures_and_Best_Practices/Cisco_Meraki_Best_Practice_Design/...)

Billy_R
New here

Not necessarily, but that might be an option.

So, better detail here.

We have multiple sites, all using AutoVPN and advertising VLANs for each site into that tunnel. That's good, all working.

We are now needing to add a second VPN connection (site-to-site) with a 3rd-party vendor that will only be for a very specific set of devices and traffic that is not part of the AutoVPN mesh. Nothing from the AutoVPN should traverse this tunnel, and nothing for this tunnel should traverse into the AutoVPN.

Think of it as a PCI compliance setup where we have a network of devices completely separate from our normal corporate network, with no mixing of data at all, and we must keep everything 100% separate.

Do the MX68s and MX95s support such a configuration, where we have a live AutoVPN as well as a live IPsec tunnel going somewhere else?

alemabrahao
Kind of a big deal

Yes, both auto VPN and a non-Meraki VPN can coexist without problems, just make sure that the peer's network will not overlap with yours and everything is fine.


Site-to-Site VPN Settings - Cisco Meraki Documentation

Suresh_stp
New here

Did it work? I need the same setup, two VLANs via a separate IPsec tunnel to a third-party vendor, but we need it only for internet traffic. So if I put the default route (0.0.0.0/0) on the non-Meraki VPN peer tunnel config, our internal VLANs' internet traffic also gets routed through this tunnel (internal traffic is fine, it still goes via AutoVPN).

tnco
Getting noticed

If you are using two non-Merakis and have a configuration with overlapping subnets, I don't think this is a supported configuration, as per the following document.

Do you have specific configuration diagrams?


https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Private_Subnet_Configur...


Also, if you want to configure two tunnels with the same subnet as a redundant configuration, there are two methods in the following document.


https://documentation.meraki.com/MX/Site-to-site_VPN/Primary_and_Secondary_IPsec_VPN_Tunnels


https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

Suresh_stp
New here

Thanks. As per Meraki TAC, it is not supported when you put the default route on the non-Meraki VPN peer tunnel config for internet traffic. The MX85 considers all VPNs (AutoVPN + non-Meraki VPN) to be the same route when you put the default route on the IPsec config. There is no way to send internal VLAN internet traffic via AutoVPN separately.

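As an added pre-change check (example code, not from any poster and not a Meraki tool), the script below encodes the two caveats raised in this thread: a non-Meraki peer's private subnets must not overlap the local subnets advertised into AutoVPN, and a 0.0.0.0/0 peer subnet pulls all internet traffic, including the AutoVPN VLANs', into that tunnel. All subnets are constructed sample values.

```python
"""Validate a planned non-Meraki (IPsec) VPN peer against an existing AutoVPN mesh.

Checks encoded from the thread:
  1. peer private subnets must not overlap any local/AutoVPN subnet;
  2. a default route (0.0.0.0/0) as a peer private subnet is treated like any
     other VPN route and drags all internet-bound traffic into the tunnel.
"""
from ipaddress import ip_network

# Constructed example: VLANs advertised into the AutoVPN mesh across all sites.
LOCAL_VPN_SUBNETS = ["10.10.0.0/24", "10.10.1.0/24", "10.20.0.0/22"]

# Constructed example: private subnets a third-party peer asks us to route to it.
# The last two entries are deliberately bad to show both findings.
PEER_PRIVATE_SUBNETS = ["172.16.50.0/24", "10.20.2.0/24", "0.0.0.0/0"]


def check_peer_subnets(local_subnets, peer_subnets):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    local = [ip_network(s, strict=False) for s in local_subnets]
    for raw in peer_subnets:
        peer = ip_network(raw, strict=False)
        # A /0 peer subnet is a default route: every non-local destination,
        # including internet traffic from AutoVPN VLANs, would use this tunnel.
        if peer.prefixlen == 0:
            findings.append(("error", f"{raw}: default route on a non-Meraki peer "
                                      "sends all internet traffic into this tunnel"))
            continue
        # Overlap with a local/AutoVPN subnet is an unsupported configuration.
        for net in local:
            if peer.overlaps(net):
                findings.append(("error", f"{raw} overlaps local subnet {net}; "
                                          "peer subnets must be disjoint from AutoVPN subnets"))
    return findings


if __name__ == "__main__":
    for severity, message in check_peer_subnets(LOCAL_VPN_SUBNETS, PEER_PRIVATE_SUBNETS):
        print(f"[{severity}] {message}")
```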