MX250 HA Pair: Need to configure S2S VPN to both WAN interfaces but from different sites

Hetes
Conversationalist

I am using an MX250 HA pair, connecting the WAN1 interface to the Internet and the other WAN2 interface to another private network. This private network also provides an Internet connection via its boundary FWs.

My default primary route and link will be WAN2 (the private network), as it provides connectivity to the other sites/organisations sharing this private network and also provides an Internet connection.

WAN1 is configured as the secondary link, but it will be used purely for S2S VPNs to other remote sites where we have a broadband connection only. I will be using flow preference to route traffic to those remote sites via WAN1.

When I configure the S2S VPN from WAN1, I do not want to create the same VPN (as failover) via WAN2, as the WAN2 interface connects to a private network and has a private IP address; it will not work. My understanding is that in this case I need to disable AutoVPN.

Once I have disabled AutoVPN, is it possible for me to configure the S2S VPN from the WAN1 link, given that it is not the primary WAN connection? As I mentioned earlier, I will be using flow preference to route traffic via WAN1 for the remote sites.

Bruce
Kind of a big deal

There’s actually a couple of ways you can do this, and it’s probably easier if you don’t need a VPN over your private network.

You can either connect your private network to WAN2 and make this the primary WAN link (since you say it has an Internet connection), and then get support to enable no-NAT capabilities on the network (assuming you want to preserve client IP addresses). Or you can just create a VLAN, use the LAN side, add some static routes to the MX, and connect to the private network that way.

If you’re able to do either of the above, then you can still run AutoVPN to connect to the sites where you only have broadband (assuming they have Meraki MX devices). You can set the SD-WAN preferences to prefer WAN1. And if you were connecting to your private network via WAN2, then it’s likely you could still fail over to WAN2 for these connections too; so long as there is a NAT on the Internet connection via WAN2, this should still allow a second path to the broadband-connected sites.

If you want to encrypt traffic over the private network and you have MX devices at all the sites, then you can run AutoVPN over that too; then you just need to correctly define your flow preferences, either WAN1 or WAN2, to get the path selection right. So long as there is an Internet connection from the private network that provides a NAT, this should all work fine. You’ll just need to make sure you understand the paths and get the SD-WAN path rules correct for your preferred paths.
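The SD-WAN path rules Bruce describes (default uplink on WAN2, broadband-only sites pinned to WAN1) can also be expressed through the Meraki Dashboard API rather than clicked in. The following is an added example, not code from the thread or from Cisco Meraki; it assumes the Dashboard API v1 endpoint `PUT /networks/{networkId}/appliance/trafficShaping/uplinkSelection` and the field names `defaultUplink`, `vpnTrafficUplinkPreferences`, `trafficFilters`, `preferredUplink` and `failOverCriterion`, which should be checked against the current API reference before use. The remote-site subnets are constructed sample values. Only the builder functions run locally; the push helper performs the actual API call and is kept separate so the policy can be reviewed before anything is changed.

```python
"""
Build (and optionally push) a Meraki Dashboard API uplink-selection policy:
WAN2 stays the default uplink, while AutoVPN traffic to the broadband-only
remote sites is preferred over WAN1 with failover to WAN2 if WAN1 goes down.

Assumed (not from the thread): endpoint path and field names below.
"""
import ipaddress
import json
import urllib.request

API_BASE = "https://api.meraki.com/api/v1"


def build_vpn_uplink_preferences(remote_subnets, preferred_uplink="wan1",
                                 fail_over="uplinkDown"):
    """One VPN uplink-preference rule per remote-site subnet.

    Each subnet is validated as a proper network (host bits must be zero) so a
    typo cannot silently produce a rule that matches nothing or far too much.
    """
    rules = []
    for cidr in remote_subnets:
        net = ipaddress.ip_network(cidr, strict=True)  # raises ValueError on bad input
        rules.append({
            "trafficFilters": [{
                "type": "custom",
                "value": {
                    "protocol": "any",
                    "source": {"cidr": "any"},
                    "destination": {"cidr": str(net)},
                },
            }],
            "preferredUplink": preferred_uplink,   # assumed field name
            "failOverCriterion": fail_over,        # assumed field name
        })
    return rules


def build_uplink_selection(remote_subnets, default_uplink="wan2"):
    """Whole request body: WAN2 as default, WAN1 preferred for the listed sites."""
    return {
        "defaultUplink": default_uplink,           # assumed field name
        "vpnTrafficUplinkPreferences": build_vpn_uplink_preferences(remote_subnets),
    }


def push_uplink_selection(api_key, network_id, body, opener=urllib.request.urlopen):
    """PUT the policy to the Dashboard API; 'opener' is injectable for dry runs."""
    url = f"{API_BASE}/networks/{network_id}/appliance/trafficShaping/uplinkSelection"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={
            "X-Cisco-Meraki-API-Key": api_key,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample subnets for the broadband-only remote sites.
    policy = build_uplink_selection(["10.20.0.0/16", "10.30.0.0/24"])
    print(json.dumps(policy, indent=2))
    # To apply for real (placeholders, not values from the thread):
    # push_uplink_selection("<API_KEY>", "<NETWORK_ID>", policy)
```

Review the printed policy first, then call `push_uplink_selection` with your own API key and network ID. Keeping the builder pure means the same subnet list can be diffed against what `GET` on the same endpoint returns before any change is pushed.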

GreenMan
Meraki Employee

One other thing I noticed: when you said WAN2 will connect to a private network and will have a private IP address and (therefore?) will not work, that isn't necessarily true. Provided the MX on the other side of your private network can communicate with the Internet / the Meraki Dashboard across the WAN, then it probably will successfully form a VPN tunnel, and will do so between the private IP addresses assigned to the two MXs. This is one of the key principles behind Meraki SD-WAN: provided MXs can communicate with the VPN registry in Dashboard and with each other using IP, the solution doesn't much care what kind of network it's running over.

PhilipDAth
Kind of a big deal

This would be painful.

Have a look at IPsec tag-based failover and see if that suits your needs.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

Personally, I would avoid this configuration. I would try to resolve this by putting in more MXs and using AutoVPN, even if you need to put an MX in at a partner site (in VPN concentrator mode, like a WAN router), because at least then you can use simple static routes between it and the partner.
