Meraki Hub and Spoke S2S connections with a NON-Meraki IPSEC tunnel

robdean-pgi
New here

I have a standard Meraki Multi-Hub and Spoke Site-to-Site configuration between all of our sites but one. For that site we are using a traditional IPsec tunnel. From the main Hub I am able to connect over the IPsec tunnel, but from any of the other sites I am unable to reach the remote site. The route shows up in the route tables on all sites.

Is this a limitation of the auto S2S? Do I need to configure an S2S IPsec tunnel on all Hubs?

Any help would be greatly appreciated.

Thanks.

7 Replies
alemabrahao
Kind of a big deal

Yes, it is a limitation; a non-Meraki VPN tunnel does not participate in AutoVPN.

You would need to have a VPN tunnel with each network or use a dedicated machine to establish this tunnel and route through AutoVPN, for example, a Linux machine running Strongswan.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
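As an added illustration of the "dedicated machine running strongSwan" option above (this is example configuration written for this thread, not Meraki documentation or anything the poster supplied), here is what the swanctl.conf on such a Linux gateway could look like. All IP addresses, subnets, the connection name and the PSK are constructed placeholders; the point it demonstrates is that the local traffic selectors must cover the hub LAN and every spoke LAN, otherwise the peer only accepts hub-sourced traffic, which is exactly the symptom described in the question.

```conf
# Added example (not from this thread): /etc/swanctl/swanctl.conf on a Linux
# host that terminates the non-Meraki IPsec tunnel and sits on the AutoVPN
# hub's LAN. Every address and subnet below is a constructed placeholder.
connections {
    remote-site {
        version = 2                       # IKEv2
        local_addrs  = 203.0.113.10       # public IP of the Linux gateway (assumed)
        remote_addrs = 198.51.100.20      # public IP of the non-Meraki peer (constructed)
        proposals = aes256-sha256-ecp256  # IKE proposal; must match the far end
        local {
            auth = psk
            id = 203.0.113.10
        }
        remote {
            auth = psk
            id = 198.51.100.20
        }
        children {
            to-remote {
                # Local traffic selectors must list EVERY AutoVPN subnet that
                # needs to reach the remote site: the hub LAN and each spoke LAN.
                # A hub-only selector reproduces the symptom in the question
                # (hub reaches the remote site, spokes are dropped).
                local_ts  = 10.0.0.0/24, 10.1.0.0/24, 10.2.0.0/24
                remote_ts = 172.16.50.0/24
                esp_proposals = aes256gcm16-ecp256
                start_action = start      # bring the CHILD_SA up when the daemon starts
                dpd_action   = restart    # re-establish on dead peer detection
            }
        }
    }
}
secrets {
    ike-remote-site {
        id = 198.51.100.20
        secret = "REPLACE-WITH-A-STRONG-PRE-SHARED-KEY"   # placeholder
    }
}
```

Two routing pieces sit outside this file and are assumptions about the deployment: the Linux host needs IP forwarding enabled and a route back to the spoke subnets via the hub MX, and the hub MX needs a static route for the remote subnet pointing at the Linux host's LAN address that is included in the networks it advertises over AutoVPN, so the spokes learn it through the hub rather than through a non-Meraki VPN entry.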
ww
Kind of a big deal

In addition to the above.

In 19.x it should be possible if you are able to run BGP. https://documentation.meraki.com/MX/Site-to-site_VPN/BGP_routing_over_IPsec_VPN

robdean-pgi
New here

BGP isn't something we have configured currently. How difficult is it to implement? Would it be worth migrating the remote network over to our Organization, as it is another MX, just not in the same Org?

RWelch
Kind of a big deal

IMO - life would be a lot easier if you are able to migrate the remote network over to your organization and leverage the AutoVPN functionality (unless there is some compelling reason to not have it as part of your organization).

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
robdean-pgi
New here

There was at the time, but that isn't the case anymore. Is that process just a matter of unclaiming the MX and then claiming it in the new network?

If so, how long does that take to work through the systems? Is there a guide out there on this somewhere?

This remote site is out of the country and has limited on-site support, so taking it completely offline is a little sensitive.

RWelch
Kind of a big deal

Creating and Deleting Dashboard Networks 

If it were my project, I'd create a new network in your organization and then select "change organization" from wherever the external network resides and place it within your newly created network within your organization (along with any other Meraki devices: MS, MR, MG, MV and MT).

I would do this in a maintenance window so as not to interrupt business operations, and you'd likely need to configure it after it is placed into the newly created network; but in the end, your network will have fewer headaches being able to leverage S2S AutoVPN (long term) vs NMVPN.

Others might chime in to add their thoughts.  

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
rhbirkelund
Kind of a big deal

If migrating the site to Meraki in order to leverage AutoVPN isn't an option, you could use an MX as a termination point for the non-Meraki VPN and route that, statically or dynamically, into the rest of your Meraki topology. It would require you to buy another MX and create a "Gateway" network, which functions as the entry point between AutoVPN and non-Meraki VPN.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo | Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.