Hub/Spoke and Non-Meraki VPN Peers

EvanM
Conversationalist

I have an existing AutoVPN configuration that consists of 2 hubs (Hub1/Hub2) and about 30 spokes (Spoke1-30). The spokes do not default route through a hub (split tunnel).


I am now introducing a Non-Meraki VPN peer (NonP1). I will need NonP1 to act like a Hub, in that Spokes 1-30 need to communicate with NonP1.


I have successfully established a tunnel between Hub1 and NonP1. On the NonP1 side, the tunnel is terminated on the WAN1 IP of Hub1, and the remote networks in the tunnel config match the subnet behind Hub1. In the site-to-site VPN config I left the "Availability" as "All networks". I can pass traffic back and forth between Hub1 and NonP1 successfully.


Is there a way I can have Spokes 1-30 communicate through the Hub1 tunnel to NonP1 without having to default route all of the spokes through Hub1? Or am I going to have to add Spokes 1-30 as peers (using their WAN IP addresses) on the NonP1 side?

Roger_Beurskens
Building a reputation

Your non-Meraki VPN peer is only available on the hub it's connected to and won't get distributed further into the AutoVPN setup.
This is "by design".

I've got the same "problem" with a 3-hub/100-spoke environment we're setting up now.
I also would really like to be able to import the remote non-Meraki VPN subnet that's connected to one hub into the AutoVPN.

There is a solution design for this.

check this link: https://www.willette.works/merging-meraki-vpns/


@Roger_Beurskens wrote:
Your non-Meraki VPN peer is only available on the hub it's connected to and won't get distributed further into the AutoVPN setup.
This is "by design".

I've got the same "problem" with a 3-hub/100-spoke environment we're setting up now.
I also would really like to be able to import the remote non-Meraki VPN subnet that's connected to one hub into the AutoVPN.

Do the changes show up under "Organization > Change Log"? Also, have you tried logging into the dashboard with an incognito window or another browser to see if it is something weird with your session? Thanks for the information.

EvanM
Conversationalist

Ultimately, the answer to my question is "not possible" without extra hardware, as non-Meraki VPN routes are not advertised through AutoVPN. It would be nice if Meraki allowed a customer to choose for themselves on this one and allow for selective advertising of non-Meraki VPN routes. They could build in a check to prohibit this advertisement if there was a subnet overlap.


The solution design linked does work, although I am not using Meraki to accomplish it, but rather another firewall.
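As an added illustration (not code from this thread or from Meraki), a small Python audit that applies the rule stated in the replies, that a non-Meraki peer's routes live only on the MX terminating the tunnel and are never re-advertised over AutoVPN, to a constructed copy of this topology. The config shape (a `mode` plus a `hubs` list with `hubId` and `useDefaultRoute`) and the network names are assumptions made for the example.

```python
from typing import Dict, List


def networks_reaching_peer(vpn_configs: Dict[str, dict],
                           peer_terminators: List[str]) -> Dict[str, str]:
    """Return {network: reason} for every network that has a route to the
    non-Meraki peer's subnets.

    Rule encoded (as stated in the thread): the peer's routes exist only on
    the MX that terminates the tunnel and are not re-advertised over AutoVPN,
    so a spoke reaches them only by default-routing through a hub that
    terminates the tunnel, or by terminating its own tunnel to the peer.
    """
    reach: Dict[str, str] = {}
    for net, cfg in vpn_configs.items():
        if net in peer_terminators:
            reach[net] = "terminates its own tunnel to the peer"
            continue
        if cfg["mode"] != "spoke":
            continue  # a hub without its own tunnel learns nothing via AutoVPN
        for hub in cfg.get("hubs", []):
            if hub["useDefaultRoute"] and hub["hubId"] in peer_terminators:
                reach[net] = f"default route via {hub['hubId']}"
                break
    return reach


def build_topology(spoke_count: int = 30) -> Dict[str, dict]:
    """Constructed topology matching the thread: two hubs, split-tunnel spokes
    (no default route through either hub)."""
    topo: Dict[str, dict] = {"Hub1": {"mode": "hub"}, "Hub2": {"mode": "hub"}}
    for i in range(1, spoke_count + 1):
        topo[f"Spoke{i}"] = {"mode": "spoke", "hubs": [
            {"hubId": "Hub1", "useDefaultRoute": False},
            {"hubId": "Hub2", "useDefaultRoute": False}]}
    return topo


if __name__ == "__main__":
    topo = build_topology()
    # Contrast case: flip one spoke to full-tunnel through Hub1.
    topo["Spoke7"]["hubs"][0]["useDefaultRoute"] = True
    reach = networks_reaching_peer(topo, peer_terminators=["Hub1"])
    for net in topo:
        print(f"{net:8} {reach.get(net, 'NO route to NonP1 subnets')}")
```

Running it shows only Hub1 and the full-tunnel Spoke7 with a path to NonP1; Hub2 and the split-tunnel spokes get nothing, which is the limitation the thread describes.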
