Meraki

Hetes · ‎Jun 14 2021

I am using MX250 HA pair to connect WAN1 interface to Internet and the other WAN2 interface to another private network - this private network also provides Internet connection via its boundary FWs.

My default primary route and link will be WAN2 Private network as it provides connection to other sites/organisation sharing this private network, and also provide Internet connection.

WAN1 configured as secondary link but it will be used purely to configure S2S VPN to other remote sites where we have broadband connection only, I will be using flow preference to route traffic to those remote sites via WAN1.

When I configure S2S VPN from WAN1 - I do not want to create same VPN (as failover) via WAN2 as WAN2 interface is connecting to a private network and has private IP address- it will not work. My understanding is in this case, I need to disable AutoVPN.

Once I disabled AutoVPN, is it possible for me to configure S2S VPN from WAN1 link as it is not the primary WAN connection? As I mentioned earlier I will be using flow preference to route traffic via WAN1 for remote sites.

Bruce · ‎Jun 14 2021

There’s actually a couple of ways you can do this, and it’s probably easier if you don’t need a VPN over your private network.

You can either connect your private network to WAN2 and make this the primary WAN link (since you say it has an internet connection), and then get support to enable no-NAT capabilities on the network (assuming you want to preserve client IP addresses). Or you can just create a VLAN and use the LAN-side and add some static routes to the MX and connect to the private network that way.

If you’re able to do either of the above then you can still run AutoVPN to connect to the sites where you only have broadband (assuming they have Meraki MX devices). You can set the SD-WAN preferences to prefer WAN1. And if you were connecting to your private network via WAN2, theN it’s likely You could still failover to WAN2 for these connections too, so long as there is a NAT on the internet connection via WAN2, this should still allow a second path to the broadband connected sites.

If you want to encrypt traffic over the private network and you have MX devices at all the sites then you can run AutoVPN over that too, then you just need to correctly define your flow preferences, either WAN1 or WAN2 to get the path selection right. So long as there is an internet connection from the private network that provides a NAT then this should all work fine. You’ll just need to make sure you understand the paths and get the SD-WAN path rules correct for your preferred paths.

GreenMan · ‎Jun 14 2021

One other thing I noticed; when you said WAN2 will connect to a private network and will have a private IP address and (therefore?) will not work - that isn't necessarily true. Provided the MX on the other side of your private network can communicate with the Internet / the Meraki Dashboard across the WAN, then it probably will successfully form a VPN tunnel, and will do so between the private IP addresses assigned to the two MXs. This is one of the key principles behind Meraki SD-WAN; provided MXs can communicate with the VPN registry in Dashboard and with each other, using IP, the solution doesn't much care what kind of network it's running over.

PhilipDAth · ‎Jun 15 2021

This would be painfull.

Have a look at ipsec tag-based failover and see if that suits your needs.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

Personally, I would avoid this configuration. I would try and resolve this by putting in more MXs and using AutoVPN. Even if you need to put an MX in at a partner site (in VPN concentrator mode - like a WAN router), because at least then you can use simple static routes between it and the partner.

Meraki

Community

MX250 HA Pair: Need to configure S2S VPN to both WAN interface but from different sites

MX250 HA Pair: Need to configure S2S VPN to both WAN interface but from different sites