Multiple IPsec Site-to-Site VPNs on a Single Dashboard

Solved
mumer1
Comes here often


Dear guys,

I am working on the network topology given below. There are two sites (Site B & Site C) that need to be connected to a third site (Site A) via site-to-site VPN tunnels. Site B & Site C have Meraki MX95s and Site A has a Palo Alto.

All the Meraki products of Sites B & C are added to a single dashboard along with the licenses.

Site B is connected to Site A via an IPsec VPN tunnel and all the networks at the remote sites are accessible.

The issue arises when we create the 2nd tunnel between Site C & the Palo Alto:

  1. It gives a warning message that the private subnets have already been defined in the 1st tunnel. If the warning message is accepted, then the 1st tunnel also goes down.
  2. Unable to create the 2nd tunnel from Site C to the Palo Alto.

Kindly guide how the Site C tunnel can be created.

[Image: Network Topology Updated.png]

 

1 Accepted Solution
ww
Kind of a big deal

You only need one IPsec tunnel config on the Meraki dashboard. The config is global, so all your MX devices will try to create the tunnel to Site A.

 

Availability - Determines which MXes in the organization will be communicating with this peer. By default, all devices in an organization will establish tunnels with a third-party peer, however network tags can be used to limit these connections to a few networks.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_between_MX_Applian...

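The point in the accepted answer is that the non-Meraki VPN peer list is organization-wide, and the Availability field (network tags) is what decides which MX actually builds a tunnel to a given peer. The check below is an added example, not code from this thread or from Meraki: it models that rule and reports the condition the dashboard warned the original poster about (two peers that the same MX would apply to, both advertising overlapping remote subnets), flags peers whose tags match no network (a tunnel that silently never comes up), and assembles the Dashboard API payload that pushes the list. The Site A address, subnets, tag names and pre-shared keys are made up; the API field names follow the thirdPartyVPNPeers schema as the example assumes it, so check them against the current API reference before use.

```python
"""Check an organization-wide Meraki third-party VPN peer list for the
conflict the dashboard warns about (two peers that one MX would use for
overlapping private subnets) before pushing it via the Dashboard API.

Added example, not code from the thread or from Meraki. Site A's public IP,
the subnets, the tag names and the pre-shared keys are all constructed.
"""
import ipaddress
from dataclasses import dataclass, field

API_BASE = "https://api.meraki.com/api/v1"


@dataclass
class Peer:
    """One entry of the organization-wide 'Non-Meraki VPN peers' list."""
    name: str
    public_ip: str
    private_subnets: list            # remote subnets reachable behind the peer
    secret: str                      # pre-shared key (constructed here)
    network_tags: list = field(default_factory=lambda: ["all"])  # "all" = every MX

    def to_api(self):
        # Field names as assumed from the Dashboard API thirdPartyVPNPeers schema.
        return {
            "name": self.name,
            "publicIp": self.public_ip,
            "privateSubnets": list(self.private_subnets),
            "secret": self.secret,
            "ikeVersion": "2",
            "networkTags": list(self.network_tags),
        }


def applies_to(peer, network_tags):
    """Availability rule: an MX builds the tunnel when the peer is tagged
    'all' or shares at least one tag with the MX's network."""
    if "all" in peer.network_tags:
        return True
    return bool(set(peer.network_tags) & set(network_tags))


def conflicting_peers(peers, networks):
    """networks maps MX network name -> its tags. Returns one
    (network, peer1, peer2) tuple per MX that would receive two peers with
    overlapping private subnets, i.e. the dashboard's warning condition."""
    conflicts = []
    for net_name, tags in networks.items():
        active = [p for p in peers if applies_to(p, tags)]
        for i, a in enumerate(active):
            for b in active[i + 1:]:
                nets_a = [ipaddress.ip_network(s) for s in a.private_subnets]
                nets_b = [ipaddress.ip_network(s) for s in b.private_subnets]
                if any(x.overlaps(y) for x in nets_a for y in nets_b):
                    conflicts.append((net_name, a.name, b.name))
    return conflicts


def orphaned_peers(peers, networks):
    """Peers whose tags match no MX network: accepted by the dashboard, but
    no tunnel is ever built, which is easy to miss after a tag typo."""
    return [p.name for p in peers
            if not any(applies_to(p, tags) for tags in networks.values())]


def build_put(org_id, peers):
    """The PUT replaces the whole peer list, so always send the complete
    list: leaving an existing peer out tears its tunnel down."""
    url = f"{API_BASE}/organizations/{org_id}/appliance/vpn/thirdPartyVPNPeers"
    return url, {"peers": [p.to_api() for p in peers]}


# Constructed organization: two MX networks, each tagged with its site name.
NETWORKS = {"Site B": ["site-b"], "Site C": ["site-c"]}
SITE_A_IP = "203.0.113.10"               # constructed Palo Alto public IP
SITE_A_SUBNETS = ["10.10.0.0/16"]        # constructed subnets behind Site A

# What the original poster tried: two peers, same remote subnets, no tags.
UNTAGGED = [
    Peer("SiteA-from-B", SITE_A_IP, SITE_A_SUBNETS, "psk-b"),
    Peer("SiteA-from-C", SITE_A_IP, SITE_A_SUBNETS, "psk-c"),
]

# The fix from the thread: scope each peer to one site with a network tag.
TAGGED = [
    Peer("SiteA-from-B", SITE_A_IP, SITE_A_SUBNETS, "psk-b", ["site-b"]),
    Peer("SiteA-from-C", SITE_A_IP, SITE_A_SUBNETS, "psk-c", ["site-c"]),
]

if __name__ == "__main__":
    print("untagged conflicts:", conflicting_peers(UNTAGGED, NETWORKS))
    print("tagged conflicts:  ", conflicting_peers(TAGGED, NETWORKS))
    typo = Peer("SiteA-typo", SITE_A_IP, SITE_A_SUBNETS, "psk-x", ["site-d"])
    print("orphaned:", orphaned_peers(TAGGED + [typo], NETWORKS))
    url, body = build_put("123456", TAGGED)
    print(url, body)
```

On the Palo Alto side each of the two tunnels is its own IKE gateway and tunnel interface, so Site A reaches Site B and Site C through different interfaces only if the local subnets the two MXes export over VPN do not overlap; the check above covers the remote (Site A) subnets, and the same overlap test applied to each site's local subnets answers the routing question raised later in the thread.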

alemabrahao
Kind of a big deal

Can you show the error message and the configuration?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
mumer1
Comes here often

[Image: Warning Msg.PNG]

alemabrahao
Kind of a big deal

You cannot configure more than one tunnel with the same private subnets.
alemabrahao
Kind of a big deal

But you can create just one tunnel for all networks.

[Image: alemabrahao_0-1690303002733.png]

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site-to-site_VPN_between_MX_Applian...
DarrenOC
Kind of a big deal

You've probably done this already, but in the interim could you not create a S2S VPN between Sites B and C using Meraki AutoVPN? This way Site A can reach both sites.

 

What subnets are at Sites B and C?

 

Where is the error being generated, on the Palo?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
mumer1
Comes here often

I don't need to create the S2S VPN between Site B & Site C. Both these sites should only need to create a VPN with Site A.

mumer1
Comes here often

Thank you for the guidance.

If the case is that Meraki is creating the global tunnel for all the devices, then how will the Palo Alto come to know from which interface it can access the Site C networks?

Do we need to configure routing on the Palo Alto so that, to access the Site C networks, the next hop shall be the Site B hostname/IP, which is already the working tunnel?

 

Is this the way you are trying to guide?

alemabrahao
Kind of a big deal

I sent you an example.
mumer1
Comes here often

Thank you for your guidance. I used the Tags in Availability tab and created the second tunnel. Both are working now.

 

Thank you for the solution.
