Hosting A site-to-site VPN

trunolimit
Building a reputation

Hosting A site-to-site VPN

I need some clarification on some site-to-site VPN stuff.

 

When setting up a site-to-site VPN with a non meraki partner, Does meraki not have the capability to serve up the authentication process? 

 

For example if I want the remote site to use the username DogsAreCool and the preshared key 12345678,

 

who authenticates that? Just by me entering that into the fields on the non meraki vpn page, is meraki now looking for that on all incoming attempts to form a non-meraki-vpn?

 

Hopefully I've been able to properly illustrate my question.

 

a bit of context to this question: our client asked why are we connecting the MX to the remote office instead of the remote office connecting to the MX. 

 

from my understanding the answer is because meraki can't act as a host to other non-meraki VPNs, but we can connect TO non-meraki-VPNs. <<---is this a correct statement? 

5 REPLIES 5
KarstenI
Kind of a big deal
Kind of a big deal

You are really talking about site-to-site? Then there is no user, host, or client, but only peers. In a standard IPsec-setup, both peers have to know each other and also know how to authenticate the other side. On the MX we only have Pre-Shared-Keys and no usernames, but the PSK is mapped to a specific remote peer-IP. And the authentication is always done mutually.

This VPN can be established from both sides. Both from the MX- or from the other side. On other VPN-Gateways there is often the option to specify that the device should only initiate the connection or respond to the other side, but this is an extra config.

 

Can you explain in more detail what you mean with "connecting the MX to remote instead ..."?

trunolimit
Building a reputation

Site to site VPN non meraki peers use remote and local IDs. Aren’t these the equivalent of usernames? 

Can you explain in more detail what you mean with "connecting the MX to remote instead ..."?

 

sure. The subject came up when I asked the remote office to provide me with all the details. But reading your explanation I realize that I just don’t understand site to site VPN and I should provide the remote site with the information on my side.

>Site to site VPN non meraki peers use remote and local IDs. Aren’t these the equivalent of usernames?

 

No.  You don't usually fill in these fields when you have static IP addresses.  They are only needed when the party connecting in has a dynamic IP address.

trunolimit
Building a reputation

well what if we have a dynamic DNS but they have a static IP? 

KarstenI
Kind of a big deal
Kind of a big deal

It all depends on the configuration. If the other side expects that your ID is your public IP, then you typically leave this field blank (that is most of the time the default). If your MX is behind a NAT-device, you often have to enter your public IP as your local ID as this is what your peer "sees" from your end.

And with authentication done with PSKs, the IDs are nearly always the public IPs. This is based on how IKE is communicating with the peer.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels