Isolating traffic between two IPsec VPNs (Non-Meraki Peers)

Gnana
Just browsing


Dear all,

We need to enable two IPsec VPNs (to different non-Meraki peers) in many of the branch sites. One VPN is towards hosts in Azure, which is used by industrial applications. The other tunnel is built with a Zscaler Internet Access peer, which will be used for guest Wi-Fi. For the ZIA VPN, the destination private subnet is 0.0.0.0. There is no option to specify a unique destination private subnet, as confirmed by Zscaler. In this scenario, how can we ensure traffic destined for one VPN doesn't get allowed into the other VPN? Is it possible to specify which network subnets can participate in which VPN? Below is the screenshot of the VPN config.

Thanks for your time.

Gnana.

[Screenshot: S2S VPN config.png]

alemabrahao
Kind of a big deal

The non-Meraki VPN communicates with the peers you define in availability/network, as it is not routed within the SD-WAN.

Meraki non-Meraki VPN peers behave differently from Auto VPN, primarily due to the lack of a centralized Meraki registry and failover support. Meraki MX devices connect to non-Meraki peers via IPsec, but they will not automatically route traffic between different non-Meraki peers or between non-Meraki peers and Auto VPN peers.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Gnana
Just browsing

Thank you @alemabrahao

Mloraditch
Kind of a big deal

The problem here is you cannot differentiate between which subnets access AutoVPN vs. third-party VPN.

In theory both tunnels would work if the same things needed access to both, because the most specific route would be chosen, but if the Zscaler tunnel is only for your guest traffic, there is no way to route just guest out that VPN and have other subnets use AutoVPN and/or the Azure VPN. Every subnet enabled for VPN will, at least on the Meraki side, negotiate over all 3rd-party VPNs.

You are going to need to gateway your guest traffic to another firewall that can do the Zscaler VPN in this scenario.

Semi-related: if the Azure environment is yours, or if the vendor is amenable, you may want to look into standing up a vMX. It can be cheaper than using Azure's native VPN, and it definitely can be easier to manage, as Azure just becomes another AutoVPN spoke. It would not help with your problem, but just a thought.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.

Gnana
Just browsing

Hi @Mloraditch, thank you so much for the response.

Can we at least block the traffic destined for one VPN from going into another using the S2S VPN firewall feature? My filtering logic is as below.

Source (Subnets accessing Azure application) - Destination (Azure hosts) - Permit

Source (Subnets accessing Azure application) - Destination (any) - Deny

Source (Guest VPN subnet) - Destination (Azure hosts) - Deny

Source (Guest VPN subnet) - Destination (Any) - Permit

Basically I put more specific traffic higher in the rule order and more generic traffic lower. I am hoping this will block the unwanted traffic at the source, before it enters the tunnel. Will this arrangement work?

Mloraditch
Kind of a big deal

If your guest subnet must be included in VPN, you can block it from accessing the Azure VPN that way.

That will not help with the Zscaler tunnel issue. If you have that tunnel, then all traffic will egress that way. Adding firewall rules will not affect the routing table.

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
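To make the two points in this exchange concrete (Gnana's rule ordering and Mloraditch's note that S2S firewall rules do not change the routing table), here is an added Python model, not from the thread and not Meraki code: it picks the tunnel by the most-specific peer "private subnet" and only then applies the S2S firewall rules first-match. All prefixes are constructed placeholders, since the thread names none, and the default rule is assumed to be allow.

```python
import ipaddress

# Constructed placeholder prefixes; the thread gives no real values.
AZURE_HOSTS = ipaddress.ip_network("10.200.0.0/24")    # hypothetical Azure application hosts
AZURE_USERS = ipaddress.ip_network("192.168.10.0/24")  # hypothetical branch subnet using those apps
GUEST = ipaddress.ip_network("192.168.50.0/24")        # hypothetical guest Wi-Fi subnet

# Non-Meraki peer "private subnets": Azure lists its hosts, Zscaler only accepts 0.0.0.0/0.
PEERS = {
    "azure": [AZURE_HOSTS],
    "zscaler": [ipaddress.ip_network("0.0.0.0/0")],
}

# S2S VPN firewall rules in Gnana's order: most specific first, first match wins.
RULES = [
    (AZURE_USERS, AZURE_HOSTS, "allow"),
    (AZURE_USERS, "any", "deny"),
    (GUEST, AZURE_HOSTS, "deny"),
    (GUEST, "any", "allow"),
]

def select_peer(dst_ip):
    """Routing step: the most-specific matching peer subnet decides the tunnel.
    Firewall rules play no part here, which is the caveat raised in the thread."""
    best = None
    for peer, nets in PEERS.items():
        for net in nets:
            if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None

def evaluate(src, dst):
    """Return (tunnel, verdict) for one flow: which peer routing would choose,
    and whether the ordered S2S firewall lets the flow into that tunnel."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "allow"  # assumed default rule when nothing matches
    for s_net, d_net, action in RULES:
        if src_ip in s_net and (d_net == "any" or dst_ip in d_net):
            verdict = action
            break
    return select_peer(dst_ip), verdict

if __name__ == "__main__":
    for flow in [("192.168.10.5", "10.200.0.10"), ("192.168.10.5", "203.0.113.7"),
                 ("192.168.50.5", "10.200.0.10"), ("192.168.50.5", "203.0.113.7")]:
        print(flow, "->", evaluate(*flow))
```

The second flow is the interesting one: the Azure-user subnet's Internet-bound traffic is still routed into the Zscaler tunnel, and only the deny rule stops it there, which is why the rules help with isolation but not with steering guest traffic alone out the ZIA tunnel.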