How can I make this site to site VPN work?

IT_Magician
Getting noticed

Hey Meraki Community,

How can I route traffic from a private subnet across a non-Meraki VPN out the WAN on our MX84?

We have a handful of websites that compliance only allows our WAN IPs to access. We added a site-to-site VPN tunnel with a non-Meraki peer, which is up and working. The goal is that when the remote subnet attempts to access specific websites, the remote non-Meraki VPN peer routes that out the WAN on the MX so it has the allowed public IP.

Is this possible?

IT_Magician
Getting noticed

I am reading through more documentation now to see if I can find something on this.

GIdenJoe
Kind of a big deal

Hmm, the configuration of IPsec VPN peers does not have the ability to insert 0.0.0.0/0 as the local network, so the other side will not be able to use 0.0.0.0/0 as the remote network, so I fear that setup is not supported.

You could only fix it by putting an MX/Z appliance at that remote site and using full tunnel.

IT_Magician
Getting noticed

OK, so we have the tunnel up and here is what is happening:

On the non-Meraki VPN side:

- Client can ping our MX and receive response back without issue

- Client then attempts to access www.website.com but doesn't get a response back

Any idea why Meraki is not routing the traffic back across the VPN tunnel?

KarstenI
Kind of a big deal

Integration of external S2S into MX routing is, let's say, limited ...

What about placing a proxy server into your HQ DMZ and using that to access the external websites?
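As an added illustration of the proxy approach (not from the post or from Meraki), a minimal Squid configuration for a forward proxy in the HQ DMZ that only lets the remote subnet reach the compliance-restricted sites, with the MX NATing the proxy's outbound connections to the allowed WAN IP. The remote subnet, the site names and the DMZ address are assumed placeholders.

```squid
# Constructed example squid.conf fragment for a DMZ forward proxy.
# Assumptions (not from the thread): remote VPN subnet 10.20.0.0/24,
# proxy DMZ address 192.0.2.10, allowed sites are placeholders.
http_port 3128

# Only the remote site's subnet (reached via the non-Meraki S2S tunnel)
acl remote_site src 10.20.0.0/24

# The handful of websites that compliance allows only from the WAN IPs
acl allowed_sites dstdomain .portal.example .reports.example

acl SSL_ports port 443
acl Safe_ports port 80 443
acl CONNECT method CONNECT

# Standard hygiene: no CONNECT to non-TLS ports, no odd destination ports
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Remote subnet may reach the allowed sites only; everything else is refused
http_access allow remote_site allowed_sites
http_access deny all

# Source outbound connections from the DMZ address; the MX NATs this
# out its WAN interface, so the websites see the permitted public IP.
tcp_outgoing_address 192.0.2.10

# Keep the client IP out of upstream requests
forwarded_for delete
via off
```

Remote clients are then pointed at 192.0.2.10:3128 (manually or via PAC/WPAD) instead of relying on the MX to route tunnel traffic to the WAN; the MX firewall can additionally be limited so the remote subnet only reaches the proxy port in the DMZ.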

Yeah, I am starting to realize that. Meraki support doesn't think there is an option. The Juniper engineer on the phone was not impressed; he couldn't believe Meraki can't route S2S traffic to the WAN from anything but a Meraki. They are escalating this to the product team to make sure nothing is missed here.
