Meraki

Community

Help to understand Site-to-Site VPN configuration

Solved
Mad_Dog_82
Here to help
‎Mar 23 2024 6:14 PM
‎Mar 23 2024 6:14 PM

Help to understand Site-to-Site VPN configuration

Hi All,

 

A company has two sites, a head office and a branch office.

Both offices have MX65 Meraki and Site-to-Site VPN configured as shown on the screenshots.

 

HO:

 

HO.jpg

BO:

 

BO.jpg

 

The VPN configuration on both devices makes absolutely no sense for me but nevertheless I can ping BO devices from the HO and vice versa.

Also, the real public IP address (which I replaced with 14.14.14.14) doesn't belong neither to the HO nor the BO and specified on both Meraki devices.

 

Please advise how it is possible.

Labels:
0 Kudos
1 Accepted Solution
ww
Kind of a big deal
Kind of a big deal
‎Mar 23 2024 9:38 PM
‎Mar 23 2024 9:38 PM

The first part is the meraki autovpn. A hub connects a hub so your mx will form the vpn tunnels automatically

 

The last part is for non meraki vpn tunnels. So both mx build a tunnel to (most likely) a non meraki device.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers

View solution in original post

4 Replies 4
ww
Kind of a big deal
Kind of a big deal
‎Mar 23 2024 9:38 PM
‎Mar 23 2024 9:38 PM

The first part is the meraki autovpn. A hub connects a hub so your mx will form the vpn tunnels automatically

 

The last part is for non meraki vpn tunnels. So both mx build a tunnel to (most likely) a non meraki device.

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers

In response to ww
Mad_Dog_82
Here to help
‎Mar 23 2024 10:07 PM
‎Mar 23 2024 10:07 PM

Hi @ww 

I've just check another Meraki router for another organization and the setup became a bit clearer.

(Still not clear though where both routers are connected to.)

Another question is if a Meraki router can establish VPN if it is behind NAT?

 

Screenshot 2024-03-24 062612.png

 

 

0 Kudos
In response to Mad_Dog_82
cmr
Kind of a big deal
Kind of a big deal
‎Mar 24 2024 1:45 AM
‎Mar 24 2024 1:45 AM

Yes, most NATed networks don't cause an issue, even CGNAT from mobile networks often work.  It can however affect the ability for client VPN users to connect to the MX.  If the particular NAT the MX is behind is causing problems, an alert saying unfriendly NAT will appear in the dashboard.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Mar 24 2024 2:10 PM
‎Mar 24 2024 2:10 PM

AutoVPN works as follows.
Each autovpn peer will try to reach two Meraki VPN registries.
It announches it's own WAN IP and port it is using inside fields in packets going upstream
So when a NAT exists between the MX and the registry the packet L3 and L4 header will be altered by having the public IP and port.  So the VPN registry knows what the private WAN IP and port is AND the public side.  This data gets forwarded to all the peers so they can attempt to form their VPN tunnels directly by using hole punching through the NAT.

This can of course fail if there is an upstream router/firewall only allowing specific ports outbound.  In that case you have to manually select an UDP port and fill in your public IP.  That way all peers will attempt connection through that IP and port.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.