Meraki MX250 to Palo Alto

JED2021
Getting noticed

I wish to create a tunnel from my office (Meraki) to a small warehouse (Palo Alto Networks).


I believe I may need IKEv2 since I wish to communicate with multiple subnets / SAs / encryption domains.


MERAKI: 172.17.12.0/23, 172.16.2.0/24 <-> PAN: 172.16.101.0/24, 172.16.104.0/24


If I needed to, I could always supernet to 172.16.96.0/20.


Does a PAN-to-Meraki how-to exist? I have WAN 1 and WAN 2 on my Meraki, which may mean 2 tunnels initiated from the PAN.


Thank you

3 Replies
GIdenJoe
Kind of a big deal

Meraki VPN towards other vendors always supports only 1 simultaneous tunnel, so 1 WAN interface can be used at a time. In the event of failure of the primary WAN it will negotiate over the second WAN, but then you need the other side (your Palo Alto) to also have config for the other WAN IP.


Another important bit is that in IKEv2 you only have 3 SAs in total (1 bidirectional IKE SA and 2 directional SAs containing all local and remote traffic selectors). The firewall on the other side has to support this, else you will only be able to support one network to one network.

MGregC
Conversationalist

I've done this with no issues.


Set up the "Non-Meraki VPN peers" on the Meraki. Use the parameters you need. Enable the Meraki subnets you want in the tunnel and save. Then go to the Palo, create an IKE profile that matches the choices from the Meraki. Do the same for the IPSec profile. Create an IKE Gateway on the Palo using the same authentication method; we used PSK.


Create the IPSec Tunnel and use Proxy IDs to match up a subnet on the Meraki to a subnet on the Palo. Just like configuring an ASA, these have to match between the Palo and the Meraki.


Then put in routes in the Palo router for the traffic. 


Finally create Security Policies to allow the tunnel to be created (outside interface to outside interface) and then policies for the traffic to pass.


Pay attention to the IKE, IPSec, PSK, subnets and Proxy IDs and you should have no trouble.
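The Proxy ID step above, as an added example that is not from the thread or from either vendor: a small Python planner, using the subnets quoted in the question and the poster's 172.16.96.0/20 supernet (assumed here to be the Palo Alto side), that lists the local/remote Proxy ID pairs the Palo Alto needs, flags overlapping selectors, and shows how the supernet halves the list.

```python
from ipaddress import ip_network
from itertools import product

# Constructed from the thread: Meraki side, Palo Alto side, and the supernet
# the poster says could replace the two PAN subnets.
MERAKI_SUBNETS = ["172.17.12.0/23", "172.16.2.0/24"]
PAN_SUBNETS = ["172.16.101.0/24", "172.16.104.0/24"]
PAN_SUPERNET = "172.16.96.0/20"


def overlapping(local, remote):
    """Return (local, remote) pairs whose address ranges overlap.
    Any hit means the traffic selectors are ambiguous: traffic for that
    range may be routed into the tunnel when it should stay local, or
    never match the Proxy ID at all."""
    nets_l = [ip_network(n) for n in local]
    nets_r = [ip_network(n) for n in remote]
    return [(str(a), str(b)) for a, b in product(nets_l, nets_r)
            if a.overlaps(b)]


def covers(supernet, subnets):
    """True when every subnet is contained in the supernet, i.e. the
    supernet is a safe replacement for the individual Proxy IDs."""
    sup = ip_network(supernet)
    return all(ip_network(s).subnet_of(sup) for s in subnets)


def proxy_id_pairs(pan_local, meraki_remote):
    """One Proxy ID per (local, remote) pair as seen from the Palo Alto.
    Each pair becomes its own IPsec SA pair, so the list grows as the
    product of the two subnet counts; the pairs must mirror the Meraki
    side exactly (Meraki local == PAN remote and vice versa)."""
    clash = overlapping(pan_local, meraki_remote)
    if clash:
        raise ValueError("local and remote subnets overlap: %s" % clash)
    return [(str(ip_network(l)), str(ip_network(r)))
            for l, r in product(pan_local, meraki_remote)]


if __name__ == "__main__":
    for name, local in (("per-subnet", PAN_SUBNETS),
                        ("supernet", [PAN_SUPERNET])):
        pairs = proxy_id_pairs(local, MERAKI_SUBNETS)
        print(f"{name}: {len(pairs)} Proxy IDs")
        for l, r in pairs:
            print(f"  local {l:<18} remote {r}")
    print("supernet covers PAN subnets:", covers(PAN_SUPERNET, PAN_SUBNETS))
```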

Inderdeep
Kind of a big deal

Check if it helps
https://community.spiceworks.com/topic/2256951-cisco-meraki-mx64-site-to-site-vpn-internet 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com