Multiple VPN tunnels into a VPN Concentrator

SOLVED
AshMead
Getting noticed

We have a one armed VPN Concentrator in a data centre. Is it possible to configure multiple VPN tunnels from the branch sites into the VPN Concentrator in the data centre?

 

Using an MX84.

 

The goal is to have a separate VPN tunnel for the corporate traffic and one for guest traffic. There is no Internet breakout at the branches so all traffic needs to traverse the MPLS to break out at the data centre.

 

Thanks in advance 

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

I would attack this differently. If all guest traffic is via the MRs then change your WiFi SSID to use tunneling.

https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/SSID_Tunneling_and_Layer_3_Roamin... 

 

This causes the MR to tunnel the SSID via AutoVPN back to an MX. This will give you your separate tunnels.


7 REPLIES
cmr
Kind of a big deal

@AshMead if you want two separate tunnels from each remote site to the concentrator in the DC then you will need two MXs in each site and have them in two separate networks.  The alternatives to this, so that you only need one MX per remote site, are sending multiple VLANs over one tunnel or setting the public SSID at each site to use the central concentrator as the termination point.

AshMead
Getting noticed

Thanks cmr. 

 

To clarify we only have a single MX84 in the data centre. The branch sites only have MRs.

 

Currently we are using a separate MX64 to tunnel the guest traffic. 

 

Can we have both corporate and guest tunnelled to the MX84 but on different VLANs?

cmr
Kind of a big deal

Yes, use the MX64s at remote sites to tunnel and either send over multiple VLANs (enable VLANs on the MXs), or once the tunnel, which if the MXs are in single LAN mode will now be for corporate, is up, change the public SSID to use the MX84 as a concentrator.
 
AshMead
Getting noticed

Thanks, can you recommend a webinar or document which provides details on these options? 

Since your goal is to have a separate VPN tunnel for the corporate traffic and one for guest traffic, you can do this with PureVPN's Business and normal user account. I am suggesting it to you because I also use it for my company and it works great for me. However, if you want to try it, you can have it today or tomorrow, as they are having a great discount this Cyber Monday with 88% off.

Would the SSIDs need to be on different VLANs to ensure separation when the traffic hits the MX84?

 

The existing SSID is using the default VLAN 0.

 

 

 

 

 

 
