Is 2 MX84's directly connected using a VPN possible?

Alno


Hi,


I have two buildings directly connected by fibre but would like to VPN this connection. They each separately have their own internet connection, and I don't want to use the MX84 as the main internet connection. I currently achieve this with two Cisco ASA 5520s but would like to replace them.


Is it possible to use 2x MX84s to do this? I was thinking that the WAN1 port on each device could have an internet connection for the Meraki cloud and the two WAN2 ports could connect directly together for the VPN traffic.


If this won't work (and I'm thinking it won't, as the two WAN2 ports, being directly connected, do not themselves have a connection to the Meraki cloud to establish the connection), then if the two WAN connections connect directly to a switch (which has a connection to the internet), will it establish the VPN connection and send traffic directly to each other?


Any help or suggestions would be greatly appreciated.


Many thanks,

Al.

Chris_M

You most likely don't even need VPN in this case. You can use a LAN port and use static routing for their respective networks.


Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator

Hi Chris, thanks for replying. The fibre, although private, is about 7km long and patches through several buildings and another company's comms cabinets on the way (it's a railway environment). I'm probably being over cautious but would like to VPN if possible. Do you think this scenario could work? Cheers.
Chris_M

I understand what you mean. You want an encrypted tunnel on your private network. VPN only works on the WAN port and I do not know if what you want will work within Meraki only.

The best I can suggest is this: https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_between_MX_Appli...

It will make a tunnel to each other and not connect directly to the cloud, but I have not tested this nor am I able to try it in my environment.

You would configure WAN port 2 to be a point-to-point private subnet and that would be your "public IP". You can share all the local subnets but not static routes, which may be a limitation for you.

I hope this workaround works for you, let us know how it goes.

Find my post helpful? Please give me a kudo!
CCNP Certified and Meraki Operator
PhilipDAth
Kind of a big deal

I have a couple of thoughts.


It might be easier to build a non-Meraki VPN between the two devices. This is like building a VPN between a Meraki and a non-Meraki device.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_between_MX_Appli...


When using AutoVPN over a private circuit, the private circuit must be connected to the Internet. If, when the MXs go to build a VPN, they find that they both share the same public IP address (because of NAT), they then assume they are on the same private network, and will build the VPN between their private IP addresses.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Configuring_Site-to-site_VPN_over_MPLS
