Connecting two non-meraki S2S VPN peers on HA MX100 setup

Foxo
Here to help

I have an unusual case where I want a new non-meraki S2S VPN peer to be able to talk to another non-meraki S2S VPN peer on our network. For various reasons we are not able to bridge the two non-meraki peers directly and they can only bridge via our network. We basically want to set something like this up - https://community.cisco.com/t5/security-documents/routing-traffic-between-two-site-to-site-vpn-tunne...

I'm trying to figure out how this can be accomplished in the year of 2021.

Seems this could go two ways...

  1. Bridge inside of MX device - now that Meraki supports IKE2 route-based VPNs (after a FW update...) I am curious if this can be accomplished entirely within the Meraki appliances now.
  2. Add an extra device - it seems I could purchase a third device (another Meraki, an EdgeRouter, something), connect one of the S2S VPNs to that, and then set up a route between the MX and the 3rd party device to make this happen?

Can anybody help me better understand these concepts and how I could possibly accomplish them? I'm a bit out of my depth and on a time crunch, of course.

Environment: Two MX100s set up in HA, two dedicated fiber lines, I *may* have spare IPs on each line... let's assume I do for now for option 2. The existing S2S VPN uses IKE1, while the other VPN supports IKE2; it seems they prefer an IKE2 route-based policy.

PhilipDAth
Kind of a big deal

Re: Connecting two non-meraki S2S VPN peers on HA MX100 setup

To be clear, you are "B" and the remote sites "A" and "C", and you want them to have a VPN to you and you alone, and you want "A" and "C" to be able to talk to each other.

You can't do this using non-Meraki VPNs (IKEv2 or otherwise). On Meraki, traffic from one non-Meraki VPN cannot hairpin and go down another non-Meraki VPN.

You would need to add an additional device to do this. I quite like using StrongSwan on Ubuntu in a VM. It's free and pretty good. A steep learning curve if you have not done this before.

My second choice would be a little Cisco IOS-XE router, such as something from the 1100 series. Very powerful and flexible. A steep learning curve if you have not done this before.

Easy options would be for you to buy a little Z3 for each of the remote sites "A" and "C". Run it in VPN concentrator mode behind their existing firewalls. Tell them to pretend it is a dedicated WAN router (like MPLS). You use AutoVPN to link everything together. Sites "A" and "C" just add static routes to those Z3s. Complexity low. Monitoring excellent. Very reliable and mostly self-healing if a fault occurs.
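The extra device Philip describes, as an added example that is not from the thread or from the strongSwan project: a swanctl.conf for a strongSwan hub at site "B" that terminates both tunnels and lets the Linux kernel forward between them, because each spoke's subnet is covered by the other tunnel's selectors or routes, which is the hairpin the MX itself refuses. All addresses are constructed assumptions: hub 10.20.0.5 on the B LAN 10.20.0.0/16 behind the MX (1:1 NAT to 203.0.113.10), site A peer 198.51.100.1 with LAN 10.10.0.0/24 on IKEv1, site C peer 192.0.2.1 with LAN 10.30.0.0/24 on IKEv2 route-based over XFRM interface id 43.

```ini
# Constructed example (not from the thread): /etc/swanctl/swanctl.conf on the hub
connections {
    site-a {
        version = 1
        local_addrs = 10.20.0.5
        remote_addrs = 198.51.100.1
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
        }
        children {
            # IKEv1 carries one selector pair per SA, so the A<->C hairpin needs its own child
            a-b {
                local_ts = 10.20.0.0/16
                remote_ts = 10.10.0.0/24
                start_action = start
            }
            a-c {
                local_ts = 10.30.0.0/24
                remote_ts = 10.10.0.0/24
                start_action = start
            }
        }
    }
    site-c {
        version = 2
        local_addrs = 10.20.0.5
        remote_addrs = 192.0.2.1
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
        }
        children {
            # Route-based: any/any selectors; a kernel route to 10.30.0.0/24 via ipsec0 sends B's and A's traffic in
            c-vti {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                if_id_in = 43
                if_id_out = 43
                start_action = start
            }
        }
    }
}
```

The block omits the `secrets` section holding the two PSKs; the hub also needs `net.ipv4.ip_forward=1`, an interface created with `ip link add ipsec0 type xfrm dev eth0 if_id 43` plus a route for 10.30.0.0/24 via it, and the MX needs static routes for 10.10.0.0/24 and 10.30.0.0/24 with 10.20.0.5 as next hop. Sites A and C must likewise add the other site's subnet to their own tunnel selectors and routes, which is the extra routing Bruce mentions later in the thread.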

Bruce
Kind of a big deal

Re: Connecting two non-meraki S2S VPN peers on HA MX100 setup

I’m trying to go through all the caveats around site-to-site in my head to see if there are any that should prevent this working. In the end the best thing you can do is give it a try and see what does and doesn’t work.

If the MX100 is connected to both the third party firewalls and you’re not trying to connect to them across an AutoVPN, only from where the MX100 is located then it may work. The routing table on the MX should populate with the subnets that are used as part of the IPSec SA exchange, so the MX site should be able to communicate with the other two, and vice-versa (so long as you ‘include’ the local subnets in the VPN). The only issue may well be communication from one third party firewall to the other, via the MX. You’ll definitely need to add routes into the third party firewalls so they know how to get to the other via the MX, but what I’m not sure about is whether the MX will allow traffic from one site-to-site third party VPN to another site-to-site third party VPN, even when it’s on the same appliance.

If you have all the kit why not try it? If it doesn’t work you’ll need to buy a third party appliance that can do the VPN to VPN routing, and probably sit it behind the MX. With multiple IP addresses you would even be able to do 1:1 NAT of a public IP address on the MX to the new appliance if you need to.

Foxo
Here to help

Re: Connecting two non-meraki S2S VPN peers on HA MX100 setup

Philip - that is correct, we are the B site. I was afraid that would be the answer 😅

Unfortunately we have no control over the entities on the other ends (both quasi-cloud providers) and couldn't deploy a Z3. One of them does not want to allow a direct connection despite already connecting to us. We might have found a non-VPN workaround to this issue that appeases both parties, but need to keep all the options open. 

I like the sound of the StrongSwan VPN but I'm sure that is complicated. Does it require a static IP? Do you do consulting? (half serious - if it came down to it we might need to do this)

Bruce, like Philip said - it looks like the Meraki can't pass traffic between two S2S VPNs. I am not familiar enough with these aspects of networking, but it's a bummer!

I have read that you can buy another appliance to accomplish this behind the Meraki, but it is not super clear to me how that would end up actually functioning with the Meraki and I don't want to over-promise my company on what can be done. 

Your guidance is appreciated!

PhilipDAth
Kind of a big deal

Re: Connecting two non-meraki S2S VPN peers on HA MX100 setup

> I like the sound of the StrongSwan VPN but I'm sure that is complicated. Does it require a static IP?

Yes.

If both are cloud providers, could you not build a VPN directly between them and cut "B" out of the picture?

Foxo
Here to help

Re: Connecting two non-meraki S2S VPN peers on HA MX100 setup

One of the "cloud" providers is not a major cloud provider but an application cloud provider and appears to be extremely averse to allowing us to get them to S2S with another site over "security concerns". We don't have a lot of room to argue with them.
