How do I route my Meraki site-to-site Auto VPN to non-Meraki IPsec?

BMachola
New here

We have created a Meraki site-to-site VPN between our hub and spokes and then created a non-Meraki IPsec VPN from our hub, and we cannot reach the non-Meraki peer from the spokes; we can only reach it from the hub.

rwiesmann
Head in the Cloud

I think it is still not possible.

Check out this documentation

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings

The following part:

An MX that builds tunnels to both Auto VPN and Non-Meraki VPN peers will not route traffic between other Auto VPN peers and the non-Meraki VPN peers unless BGP routing over IPsec VPN is enabled for the latter.

jimmyt234
Head in the Cloud

Either NMVPN from every network to the 3rd party, or install a second MX into HQ, have the NMVPN from there and then static route to it from the main HQ MX.

KarstenI
Kind of a big deal

If you can/want to use a very new Firmware (v19) and your peer supports it, you can configure your extranet VPN with BGP, and this setup supports routing into your AutoVPN:

https://documentation.meraki.com/MX/Site-to-site_VPN/BGP_routing_over_IPsec_VPN

(as already mentioned by @rwiesmann).

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
ChrisJ2
Meraki Employee

Hi!

You should be able to form an eBGP peering over IPsec with the Hub, with the following pre-requisites:

  • IKEv2 setting

  • MX 19.1.4 or newer release

  • MX platforms that support MX 19.1 firmware and above

  • BGP - TCP port 179 permitted on your VPN firewall

  • BGP enabled

  • BGP Multi-hop enabled on BGP neighbor

If you chose the Hub network to configure, according to:

https://documentation.meraki.com/MX/Site-to-site_VPN/BGP_routing_over_IPsec_VPN#Configuring_eBGP_ove...

Routes should then be propagated to the spoke sites.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
thomasthomsen
Kind of a big deal

What I normally do for all 3rd-party VPNs (because so many "features" are missing on the MX for this) is use another firewall, like a good old ASA, for the 3rd-party VPN.

Then I create a small route net between the HUB MX and the ASA and create a static route on the HUB MX for the VPN networks.

The static route can be distributed into AutoVPN.

Of course, it might now also be possible with the new MX19 software and eBGP over IPsec.
