We have a branch site that is currently set up as a spoke with a default route to our hub main site, as that spoke site needs to send certain traffic to external/public IP addresses which are only accessible via a physical WAN connection at our hub site. Ideally however, we would like to have a split tunnel, whereby traffic to the hub subnets advertised over the Auto-VPN, as well as specific external IP address ranges are sent over the VPN, and all other traffic is sent out to the internet via the spoke site's own WAN link. The aim being to reduce load on the hub site and increase speed at the spoke site when accessing IP ranges that do not require the hub site's WAN connection, whereas currently it is either all or no traffic that can be sent over the VPN.
We had resigned ourselves to this fact, however I stumbled across the following (https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/MR_Teleworker_VPN), and it seems that this functionality is available on the MR devices, whereby you can specify the IP ranges & ports to send over the tunnel, with other traffic exiting from the local WAN link. However, it doesn't seem this is possible on the MX/Z series devices?
Could someone please confirm if this is the case or if there is any way to achieve what I state above? It does seem somewhat odd that this can be implemented on an access point, but not on a full security appliance.
Would this be configured with a static route under Addressing & VLANs? And for a static route to a public IP range, does it matter which subnet Gateway IP it uses?
Also, do you happen to know if traffic that matches those routes and is sent over the VPN from spoke to hub will still conform to the hub site traffic shaping rules, it must use Uplink 2 in our scenario.
I think if you raise a support ticket they can configure the full tunnel "exceptions" on the MX.
Otherwise you need an additional MX (in a separate network) at your HQ. You configure one MX in normal routed mode (not configured for AutoVPN), and the second MX as an AutoVPN concentrator (running on a single interface).
Then on the AutoVPN concentrator add static routes pointing to the other MX, and then select the option to redistribute these into AutoVPN.