Bridging AutoVPN, IPSECVPN and BGP

RichardChen1
Getting noticed

Hi Everyone,

Need your help with the below design.

Existing setup:

IPVAS FW:

- Internet FW
- establishes traditional IKEv1 IPsec VPNs to the Cisco 800 and Peplink routers
- all remote sites are able to reach MPLS subnets via IPVAS
- all MPLS subnets are able to reach remote office LANs via IPVAS

New setup:

Remove IPVAS in the DC

Add a new Internet connection in HQ and terminate it on the MX84

The goals of the new setup are:

  1. MX84 routes Internet (default route) for the MPLS network: BGP with the HQ MPLS router
  2. MX84 runs non-Meraki VPN with the remote offices' Peplinks.
  3. MX84 runs AutoVPN with the remote offices' new MXs.
  4. Peplink learns all MPLS routes + AutoVPN routes from MX84
  5. Remote MX learns all MPLS routes + AutoVPN routes from MX84

Need everyone's feedback on how to achieve above goals:

  1. Enable BGP on MX84 - it should learn all MPLS routes from the MPLS router. MPLS router advertises the default route to the MPLS network???
  2. https://www.willette.works/merging-meraki-vpns/

     Non-Meraki VPN routes are not advertised to AutoVPN peers. - How to have MX84 redistribute all Peplink subnets to MPLS?

  3. Goals 4 and 5 - how? Static routes?

PhilipDAth
Kind of a big deal

For three sites - don't waste your time with BGP. That is overly complicating the configuration for no gain.

Configure the MPLS network to have a default route to the MX84. And static routes on the MX84 pointing back to the MPLS router for the two sites.

You can't hairpin AutoVPN and non-Meraki IPsec VPN traffic. So the remote office(s) using IPsec (assuming it terminates on the HQ MX84) will be able to talk to the MPLS sites and vice versa, but won't be able to talk to the AutoVPN sites and vice versa.

RichardChen1
Getting noticed

Hi Philip,

There are 5 MPLS sites with one voice/data/WAN subnet each, plus around 5 /27 SIP ITSP subnets.

Is BGP or OSPF still a good option?

With regards to "AutoVPN and non-Meraki IPSec VPN traffic", is the below the only solution?

https://www.willette.works/merging-meraki-vpns/

This is not good, as currently the IPVAS is able to route between all MPLS subnets and all remote IPsec VPN subnets.

Do I have to replace all the Cisco IPsec routers with MXs?

PhilipDAth
Kind of a big deal

I would use BGP over OSPF.

Yes, you need to use two devices to allow AutoVPN devices to be able to talk to non-Meraki site-to-site VPN remote sites.

Replacing all remote site routers with MX units so you can use AutoVPN everywhere will make your life simple. I would do this as my first option. You won't need to use dynamic routing as well then.

Lola2478
New here

@MyPrepaidBalance wrote:

I would use BGP over OSPF.

Yes, you need to use two devices to allow AutoVPN devices to be able to talk to non-Meraki site-to-site VPN remote sites.

Replacing all remote site routers with MX units so you can use AutoVPN everywhere will make your life simple. I would do this as my first option. You won't need to use dynamic routing as well then.

Configure the MPLS network to have a default route to the MX84. And static routes on the MX84 pointing back to the MPLS router for the two sites.

You can't hairpin AutoVPN and non-Meraki IPsec VPN traffic. So the remote office(s) using IPsec (assuming it terminates on the HQ MX84) will be able to talk to the MPLS sites and vice versa, but won't be able to talk to the AutoVPN sites and vice versa.

RichardChen1
Getting noticed

Hi Everyone,

I have done the first part: the Internet terminates on the HQ MX84, with static routes for the MPLS subnets pointing back to the HQ MPLS router IP.
It works perfectly.

When I tried to create a non-AutoVPN peer and advertise one of the MPLS subnets which is part of the static route, the MX gave an error message saying it is overlapping.

My next target is to address the above "Non-Meraki VPN routes are not advertised to AutoVPN peers." - need further feedback:
There is not enough budget for replacing the 3rd party VPN devices with MXs.

Here is what I proposed: using the HQ Cisco 2901 MPLS router as the hub of the IPsec VPN
1. Port forward UDP 500/4500 to the HQ 2901 router's LAN interface IP
2. Create a traditional IPsec VPN between the HQ 2901 and the remote Peplink devices
3. Create VPN ACLs to route the Peplink subnets via the IPsec VPN and vice versa

Will this work?

PhilipDAth
Kind of a big deal

Yes, plus one extra step. You add a static route on the MX via the 2901 for the remote-VPN subnets and include that route in AutoVPN.
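As an added illustration of steps 2 and 3 of the proposal together with the extra step above (this is example configuration written for this thread, not config posted by anyone in it or taken from Cisco/Meraki documentation), here is a minimal IKEv1 crypto-map setup for the HQ 2901 acting as IPsec hub behind the MX84. All addresses, interface names, ACL/map names and the pre-shared key are constructed placeholders, and the Peplink side must be configured to mirror the same proposals and traffic selectors.

```ios
! Added example: HQ 2901 as IPsec hub behind the MX84 (constructed addresses)
! Assumed: MX84 LAN 10.0.0.1/24; 2901 Gi0/1 10.0.0.2 (MX port-forwards UDP 500/4500 here);
!          MPLS summary 10.10.0.0/16; AutoVPN spoke range 10.20.0.0/16;
!          remote Peplink LAN 192.168.50.0/24, Peplink WAN 203.0.113.10
!
! Phase 1 (IKEv1). The 2901 sits behind the MX NAT, so this relies on NAT-T (on by default in IOS).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.10
crypto isakmp nat keepalive 20
!
! Phase 2 (IPsec)
crypto ipsec transform-set TS-PEPLINK esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Step 3 of the proposal: the "VPN ACL" selecting traffic for the tunnel (wildcard masks, not netmasks).
! Each source range that must reach the Peplink LAN needs a line here, mirrored on the Peplink.
ip access-list extended VPN-PEPLINK-SITE1
 permit ip 10.10.0.0 0.0.255.255 192.168.50.0 0.0.0.255
 permit ip 10.20.0.0 0.0.255.255 192.168.50.0 0.0.0.255
!
crypto map CM-VPN 10 ipsec-isakmp
 description IKEv1 tunnel to remote Peplink site 1
 set peer 203.0.113.10
 set transform-set TS-PEPLINK
 set pfs group14
 match address VPN-PEPLINK-SITE1
!
! The crypto map belongs on the interface the forwarded UDP 500/4500 arrives on (the MX-facing side).
interface GigabitEthernet0/1
 description LAN towards MX84 (IKE/NAT-T arrives here via the MX port forward)
 ip address 10.0.0.2 255.255.255.0
 crypto map CM-VPN
!
! Routes: Peplink LAN and the Peplink's public address go via the MX so traffic hits the crypto map
! and the MX's Internet NAT; decrypted traffic for the AutoVPN range is handed back to the MX.
ip route 192.168.50.0 255.255.255.0 10.0.0.1
ip route 203.0.113.10 255.255.255.255 10.0.0.1
ip route 10.20.0.0 255.255.0.0 10.0.0.1
!
! The extra step lives on the MX84 (Dashboard, not IOS): static route 192.168.50.0/24 -> 10.0.0.2,
! included in AutoVPN so the spokes learn it. The MPLS side must also route 192.168.50.0/24 to this 2901.
```

The Peplink must use the MX84's public IP as its peer and the same PSK, proposals and subnet pairs; confirm the tunnel with "show crypto isakmp sa" and "show crypto ipsec sa" on the 2901.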

RichardChen1
Getting noticed

Thank you, will give it a try soon.