Solved
Good day everyone, this is my first time posting in the forums so I apologize if I miss any details.
I have a client office running HA MX250 to an AWS TGW.
Meraki side has 2 VLANs included in the VPN and 3 private subnets (each a VPC in AWS)
The AWS TGW route table has the following static routes. There is a 3rd VPN route included because I has removed one from the MX but have not update AWS TGW route table
The issue I am having is that from the MX side, only one of the two include VLANs can actually send traffic to the VPC resources. If I run a ping from the meraki dashboard using the L3 interfaces to ping a gateway of a subnet in AWS, only one succeeds at a time.
In the AWS site to site VPN config document that is downloaded from the VPN configuration page:
! AWS hosted VPN solution is a route-based solution, since Cisco Meraki only supports policy-based solution you will need to limit to a single SA. So please make sure to
! select "yes" for just one subnet, if you have more than one subnet, consolidate them into a single subnet before proceeding with the VPN configuration.
If I am understanding this correctly, I am not able to have more than 1 subnet included in the non-meraki peer VPN due to this SA limitation. I have been trying to google how the Security Associations are established and it seems like the limitation is from the phase 2 IKE negotiations, since Phase 1 happens between the public addresses.
Any confirmation or correction on my above understanding is greatly appreciated!
On the AWS side have you tried a "Transit Gateway" in place of the "Virtual Private Gateway" ?
My reading of Transit Gateways is that it acts like a router inside AWS to connect multiple VPCs together and provide
a single "public" interface. They do cost money though, slightly more than the VPN (in my region), so would be about double your current cost as you still need to pay for the VPN.
Though may not get around the 1 subnet limit on the Meraki side unless all VPCs in the Transit Gateway map into a single CIDR.
