MX Auto VPN behind WAN aggregation (3xWAN link)

SOLVED
brad1028
Here to help

I have a site planning to bond, link, whatever you want to call it, 3 WAN connections through a Peplink router. I imagine Internet traffic will work fine; the Peplink will do the aggregation and balancing, and the MX will see it as a single gateway.

 

When Auto VPN does its thing I imagine it will pick 1 WAN IP and all inbound traffic will come through that link, or even worse keep bouncing between the 3 IPs. Outbound traffic will continue to balance between the 3 links. Will the remote MX reject the VPN traffic because it has three different sources and not a singular peer IP?

 

Or does the magic behind Auto VPN somehow handle this?

Accepted Solutions
Bruce
Head in the Cloud

Re: MX Auto VPN behind WAN aggregation (3xWAN link)

I’m almost certain (cannot think why this isn’t going to be the case) that having the WAN IP change is going to break the security association. This would likely be the same for any vendor’s VPN, as it’s going to expect to see traffic from the same IP address. You will either need to configure persistence (or enforcement) on the Peplink so that the VPN traffic always uses the same internet circuit for the VPN traffic.
