I am new to configuring Meraki devices. They asked me to set up an MX84 for site-to-site VPN with non-Meraki devices, some Cisco C800 routers that have dynamic IPs. Is that possible?
Does anyone know how to configure this in the MX84?
Thank you in advance for your help.
I can't find anything saying this is not possible. Most of the back end across the MXs is the same, except for certain hardware differences. I know it works for our MX100, so I see no reason it would not work with the MX84.
You can create Site-to-site VPN tunnels between the MX appliance and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:
Note that if an MX is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not failover to the WAN, even if the connection goes down.
I know how to create a site-to-site VPN between the MX84 and other non-Meraki peer devices with a static IP address. Just add the IP address in the Public IP address field and it works. But the problem I have now is that the other non-Meraki peers have dynamic IP addresses that keep changing.
Ohhh... that would be tricky. You would need to use some DDNS service or something, I would think. It would be less than ideal, but it would work.
I don't think DDNS would help here. Third-party tunnels have to use IP addresses by their very nature.
@MackensonE can the remote end get a static IP? Any chance? And maybe a less archaic router while they're at it... 😂
> They asked me to set up an MX84 for site-to-site VPN with non-Meraki devices, some Cisco C800 routers that have dynamic IPs. Is that possible?
No. You will need a static IP on the 800 series.
So, you're telling me Meraki does not support site-to-site VPN with dynamic IP peers like a normal ISR router does?
@MackensonE wrote: So, you're telling me Meraki does not support site-to-site VPN with dynamic IP peers like a normal ISR router does?
@MackensonE That's correct. Meraki's third-party site-to-site VPN only works with peers who use static IPs.
I know this is an old post; however, I was able to get around it. The workaround for me was to detect the new IP (spoke side) and run a script to 1) change the configuration of the spoke-side router and 2) call the Meraki MX API to change the "remote IP".
Could you please paste your API call?
Can't post my script; however, I used the thirdPartyVPNPeers API call. More info at https://documenter.getpostman.com/view/7928889/SVmsVg6K?version=latest
Hey, not sure why 10101010 could not share, but I just recreated this for my own use: a PowerShell script that loops, checking the public IP, and making a dashboard call to update the third-party VPN peer when need be. I myself use this on a host that is sitting behind a dynamic IP, since Meraki does not seem to implement IPsec's 'Remote ID' properly.
Oh, I also did this with the v1 API instead of v0. Just add your Org ID and API key, and ensure the user for that API key has full rights. Maybe change the VPN endpoint name too. All variables are tagged with ###, and it's in PowerShell, but it should not be hard to convert to any other language.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$url = "https://api.meraki.com/api/v1/organizations/###/appliance/vpn/thirdPartyVPNPeers"
$header = @{
    "Content-Type"           = "application/json"
    "Accept"                 = "application/json"
    "X-Cisco-Meraki-API-Key" = "###"
}
# Ask the echo service over HTTPS so the address cannot be tampered with in transit
$LastPublicIP = (Invoke-WebRequest https://ipecho.net/plain).Content.Trim()
Write-Host "Starting IP is" $LastPublicIP
$LastPublicIP = "0.0.0.0" # This causes an update to always run immediately
Do {
    $CurrentPublicIP = (Invoke-WebRequest https://ipecho.net/plain).Content.Trim()
    if ($LastPublicIP -ne $CurrentPublicIP) {
        Write-Host "Found IP Change. Last IP was" $LastPublicIP "and new IP is" $CurrentPublicIP ". Updating VPN settings via API!"
        $LastPublicIP = $CurrentPublicIP
        # Invoke-RestMethod returns the JSON already parsed: { "peers": [ ... ] }
        $Peers = Invoke-RestMethod -Method Get -Uri $url -Headers $header
        $Peers.peers | ForEach-Object {
            if ($_.name -eq "###") {
                $_.publicIp = $CurrentPublicIP
            }
        }
        # The PUT replaces the whole third-party peer list, so send all peers back
        $response = Invoke-RestMethod -Method Put -Uri $url -Body (ConvertTo-Json -InputObject $Peers -Depth 5) -Headers $header
    }
    Start-Sleep -Seconds 5 ### Update to your desired loop time
} While ($true)
You could actually compare the publicIp property from a GET and only do the PUT if it changes, but I did not want to do endless API GET calls due to Meraki rate limiting, lag, etc., so I just use a public IP service.
Enjoy, folks!
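A Python version of the same poll-and-update loop, added here as an example and not taken from the thread, with two checks the script above lacks: the echo reply is validated as a public IPv4 address before it is pushed, and the PUT is skipped when the named peer is absent or already current (the GET-based comparison mentioned above). Org ID, API key and peer name are placeholders; the v1 endpoint and the {"peers": [...]} payload shape are the ones the script uses.

```python
import ipaddress
import json
import urllib.request

# Placeholders (assumed), standing in for the thread's "###" values.
ORG_ID, API_KEY, PEER_NAME = "<ORG_ID>", "<API_KEY>", "<PEER_NAME>"
PEERS_URL = f"https://api.meraki.com/api/v1/organizations/{ORG_ID}/appliance/vpn/thirdPartyVPNPeers"
HEADERS = {"Content-Type": "application/json", "Accept": "application/json",
           "X-Cisco-Meraki-API-Key": API_KEY}
ECHO_URL = "https://ipecho.net/plain"  # same public-IP echo service as the script


def valid_public_ipv4(text):
    """Return the address only if the echo reply is a globally routable IPv4
    address; an HTML error page or a private/CGNAT address must never be pushed."""
    try:
        ip = ipaddress.IPv4Address(text.strip())
    except ValueError:
        return None
    return str(ip) if ip.is_global else None


def patch_peer_ip(peers_doc, name, new_ip):
    """Set publicIp on the peer called `name` in a GET thirdPartyVPNPeers document.
    Returns (document, changed); changed is False when the peer is absent or
    already current, so the caller can skip the PUT."""
    changed = False
    for peer in peers_doc.get("peers", []):
        if peer.get("name") == name and peer.get("publicIp") != new_ip:
            peer["publicIp"] = new_ip
            changed = True
    return peers_doc, changed


def api_json(method, url, body=None):
    """Minimal JSON call to the dashboard API (the PUT replaces the whole peer list)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=HEADERS, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def sync_once():
    """One pass of the loop: read the current public IP and update the peer if needed."""
    with urllib.request.urlopen(ECHO_URL, timeout=15) as resp:
        current_ip = valid_public_ipv4(resp.read().decode(errors="replace"))
    if current_ip is None:
        return "skipped: echo service did not return a public IPv4 address"
    peers_doc, changed = patch_peer_ip(api_json("GET", PEERS_URL), PEER_NAME, current_ip)
    if not changed:
        return "unchanged"
    api_json("PUT", PEERS_URL, peers_doc)
    return f"updated {PEER_NAME} to {current_ip}"
```

Call sync_once() on a timer in place of the Do/While loop; when the echo service returns something that is not a public address, the safe outcome is to leave the peer record untouched rather than push a bogus IP into the dashboard.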