Does Meraki MX84 support Site-to-site VPN Tunnel with non-meraki Dynamic IP Peer?

MackensonE
Conversationalist

Does Meraki MX84 support Site-to-site VPN Tunnel with non-meraki Dynamic IP Peer?

I am new configuring Meraki devices. They ask me to set up a MX84 for site-to-site VPN with a non-meraki devices, some router Cisco C800 that have Dynamic IP. Is that possible?

Does anyone know how to configure this in the MX84?

 

Thank you in advance for your help.

12 Replies 12
Network-dad
A model citizen

I can't find anything saying this is not possible.. most of the back end across the Mx's are the same except certain hardware differences. I know it works for our MX100 so I see no reason it would not work with the MX84.

 

You can create Site-to-site VPN tunnels between the MX appliance and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:

  • A name for the remote device or VPN tunnel.
  • The public IP address of the remote device.
  • The subnets behind the third-party device that you wish to connect to over the VPN. 0.0.0.0/0 can also be specified to define a default route to this peer.
  • The IPsec policy to use.
  • The preshared secret key (PSK).
  • Availability settings to determine which appliances in your Dashboard Organization will connect to the peer.

Note that if an MX is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not failover to the WAN, even if the connection goes down.

Dakota Snow | Network-dad Linkdedin
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad onThe Bearded I.T. DadThe Bearded I.T. Dad
MackensonE
Conversationalist

I know how to create site-to-site VPN between the MX84 and other non-meraki peer devices with static IP address. Just add the IP address in the Public IP address Field and it works. But the problem I have now is that the other non-meraki peers have dynamic IP addresses that are getting changed. 

Network-dad
A model citizen

ohhh.. that would be tricky.. you would need to use some DDNS service or something I would think.. it would be less than ideal but it would work. 

Dakota Snow | Network-dad Linkdedin
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad onThe Bearded I.T. DadThe Bearded I.T. Dad
Nash
Kind of a big deal

I don't think DDNS would help here. Third party tunnels have to use IP addresses by their very nature. 

 

@MackensonE can the remote end get a static IP? Any chance? And maybe a less archaic router while they're at it... 😂

Network-dad
A model citizen

Digging even more into my dashboard I can see even my Z3's can connect to non-Meraki VPN's so I think you should be good to go!
Dakota Snow | Network-dad Linkdedin
CMNO | A+ | ECMS2
Check out The Bearded I.T. Dad onThe Bearded I.T. DadThe Bearded I.T. Dad
PhilipDAth
Kind of a big deal
Kind of a big deal

>They ask me to set up a MX84 for site-to-site VPN with a non-meraki devices, some router Cisco C800 that have Dynamic IP. Is that possible?

 

No.  You will need a static IP on the 800 series.

MackensonE
Conversationalist

So, you're telling me Meraki does not support site-to-site VPN with dynamic IP peers like a normal ISR router does?

Nash
Kind of a big deal


@MackensonE wrote:

So, you're telling me Meraki does not support site-to-site VPN with dynamic IP peers like a normal ISR router does?


@MackensonE That's correct. Meraki's third-party site-to-site VPN only works with peers who use static IPs.

10101010
Conversationalist

I know this an old post.. however I was able to get around it. The workaround for me was to detect the new ip(spoke side) and run a script to 1) change the configuration of the spoke side router 2) call Meraki MX API can change the "remote ip".. 

DaveMunger
New here

Could you please paste your API call?

10101010
Conversationalist

Cant post my script, however I used thirdPartyVPNPeers API Call. More info at https://documenter.getpostman.com/view/7928889/SVmsVg6K?version=latest

 

CW_KeithP
Conversationalist

Hey so not sure why 10101010 could not share, but I just recreated this for my own use - a PowerShell script that loops, checking public IPs, and making a dashboard call to update the 3rd Party VPN peer when need be. I myself use this on a host that is sitting behind a dynamic IP, since Meraki does not seem to implement IPSec's 'Remote ID' properly.

 

Oh, I also did this with v1 API instead of v0. Just add in your Org ID, API Key, and ensure the user for that API key has full rights. Maybe change the VPN endpoint name too. All variables tagged with ###, and it's in PowerShell but should not be hard to convert to any other lang.

 

 

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$url = "https://api.meraki.com/api/v1/organizations/###/appliance/vpn/thirdPartyVPNPeers"

$header = @{
	"Content-Type" = "application/json"
	"Accept" = "application/json"
	"X-Cisco-Meraki-API-Key" = "###"
}

$LastPublicIP = (Invoke-WebRequest ipecho.net/plain).content.trim()
Write-Host "Starting IP is" $LastPublicIP
$LastPublicIP = "0.0.0.0" # This causes an update to always run immediately

Do {
    $CurrentPublicIP = (Invoke-WebRequest ipecho.net/plain).content.trim()

    if ($LastPublicIP -ne $CurrentPublicIP){
        Write-Host "Found IP Change. Last IP was" $LastPublicIP "and new IP is" $CurrentPublicIP ". Updating VPN settings via API!"
        $LastPublicIP = $CurrentPublicIP
        $Peers = ConvertFrom-Json -InputObject (Invoke-WebRequest -Method Get -Uri $url -Headers $header) 
        $Peers.peers | ForEach-Object {
            if($_.name -eq "###") {
                $_.publicIp = $CurrentPublicIP
            }
        }
  
        $resposne = Invoke-RestMethod -Method Put -Uri $url -Body (ConvertTo-Json -InputObject $Peers -Depth 5) -Headers $header
    }

    Start-Sleep -Seconds 5 ### Update to your desired loop time
} While($true)

 

 

You could actually compare the publicIp property from a GET and only do the PUT if it changes, but I did not want to do endless API GET calls due to Meraki rate limiting, lag, etc, so I just use a public IP service.

 

Enjoy folks!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels