Azure VMX Mikrotik Site to Site VPN

Brendon1
Just browsing

Azure VMX Mikrotik Site to Site VPN

I am looking for guidance on creating a VPN between a VMX in Azure and Mikrotik RS4011 routers.

I will be handling the Azure & Meraki side of things, someone else will handle the Mikrotik configuration, as I don't administrator the Mikrotik network.

 

We have a VMX100 (by the time this VPN is in place will be upgrading to VMX-M) configured in Azure with a number of MX devices at various locations all connected via Site to Site VPN.  

I've previously configured Site to Site VPN with non-meraki devices to those MX devices (they've since been removed), but this is the first time with a VMX.

 

Is it the correct approach to create a Site-To-Site VPN between the VMX and the Mikrotik routers?

I'd like to avoid adding a second virtual router into Azure just for the Mikrotiks.

 

I've reviewed this thread on what appears to be a similar situation:

https://community.meraki.com/t5/Security-SD-WAN/VPN-IPSec-Compatibility-Meraki-MX250-with-Mikrotik-R...

6 REPLIES 6
alemabrahao
Kind of a big deal
Kind of a big deal

 

Meraki is updating its device-to-cloud connectivity to an architecture that was crafted from the ground up to provide even greater security and simplicity for connectivity.

 

There are some prerequisites that you should keep in mind:

 

 

 

  • Security & SD-WAN -> Configure: Site-to-site VPN -> Non Meraki VPN settings:

alemabrahao_1-1669338304859.png

 

  •  

     
    • Preshared secret must be greater than 14 characters 
    • Authentication cannot be MD5 
    • Diffie-Hellman Group must be 14 
    • Phase 2 encryption cannot be NULL 
    • PFS can be configured to be either off or 14

https://documentation.meraki.com/General_Administration/Cross-Platform_Content/Meraki_Device_to_Clou...

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GreenMan
Meraki Employee
Meraki Employee

You'll need to think about your traffic flows.   It's not clear how many Mikrotik sites are involved here, nor how traffic is required to flow between locations with MX appliances, Azure and Mikrotik equipped sites.  One thing you won't be able to do;   connect your MX appliances and your Mikrotik routers to the same VMX and have traffic flow from edge to edge using that common VMX hub as a hairpinning point.  If you want an MX site to talk to a Mikrotik site, you will need a direct non-Meraki VPN tunnel directly between (each of) them.

hey,

There would be 3 Mikrotik sites, and there are already 6 Meraki sites (3 branches ranging from 10 to 30 users, and 3 home offices).   

The Meraki Networks generally have 3 VLANs (Network, Client VPN, Phone). 

The Meraki Networks are in a Mesh, but the Mikrotik sites would really only need access to Azure.

All Meraki networks need VPN back to one specific Mikrotik site.

 

So I would expect to create VPN tunnels on:

Mikrotik network

  • All sites to Azure
  • One site to all Meraki networks

 

Meraki network

  • Azure to All Mikrotik sites
  • All sites to one Mikrotik site

In addition to the VPN tunnels I would expect to create Static routes in Azure for Mikrotik network.

 

PhilipDAth
Kind of a big deal
Kind of a big deal

I don't know the answer.  But I do know some caveats.

 

The VMX will need to be deployed into an availability zone of "none".  This causes the IP address on the VMX to use a "Basic IP SKU".  If it has a "Standard IP SKU" (caused by specifying an availability zone) then all inbound traffic is blocked by default.

 

If it currently has a "Standard IP SKU" then you have to delete and re-deploying the VMX.

 

Here are some more notes I made a while ago:

https://community.meraki.com/t5/Documentation-Feedback-Beta/VMX-with-client-VPN-or-AnyConnect/m-p/14... 

Thank you for your reply.

 

From what I can tell our zone supports Availability Zones.

I see they have a note regarding this in the install guide...

Brendon1_0-1669748743991.png

 

You'd mentioned Client VPN, but I gather if you aren't in a supported availability zone this would affect Site-To-Site VPN as well.

 

The one issue I've had in the past was I could only do a split tunnel with the VMX. So I could access resources in Azure but not the internet, but I was able to resolve this by unchecking ‘Use default gateway on remote network’ when using Windows VPN client.

 

Anyway, I'm off topic on my own thread.

alemabrahao
Kind of a big deal
Kind of a big deal

Have checked the prerequisites?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.