Communication between Meraki VPN connected locations and non Meraki connected VPN Locations

SOLVED
RajaSekhar
Here to help

Communication between Meraki VPN connected locations and non Meraki connected VPN Locations

We use Meraki MX 250 at Hub and MX 64 / 65 at spoke locations. Connectivity is seamless and works well.

We created a non-Meraki VPN between MX 250 (from Hub location) and AWS Cloud i.e IPsec VPN.

Able to reach AWS IP subnet from HUB, but not from spokes (MX 64 / 65), whereas all the spokes can reach the HUB without any issue.

AWS confirmed that they are allowing all the subnets of ours i.e 192.168.0.0

Can anyone advise?

1 ACCEPTED SOLUTION
ww
Kind of a big deal
Kind of a big deal

6 REPLIES 6
ww
Kind of a big deal
Kind of a big deal

I think the spoke do not know the AWS routes?

https://www.willette.works/merging-meraki-vpns/

Helpful document. Thank you.
Is there a way to address this without an additional MX ?
Observed that all the Spoke MXs have the route to AWS i.e NON-Meraki IPSec VPN is visible. Of course, they cannot connect directly to AWS.
Nash
Kind of a big deal

The generally accepted solution is to use an additional firewall to terminate the third party VPN connections, either inside another Meraki organization or using a different model of firewall entirely.

 

Your other option is to stand up tunnels between your spokes and your third party VPN. 

 

It's currently working as intended when AutoVPN won't let you use third party tunnels.

Thank you. Shall plan for an additional MX as there is no proven option other than it.

Thank you for your inputs.

The DOCUMENT shared by you helped & worked.

 

Regards,

RajaSekhar

PhilipDAth
Kind of a big deal
Kind of a big deal

You can not route a spoke through AutoVPN and then out a non-Meraki VPN.

 

You need to build a VPN from each spoke to the non-Meraki destination.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels