Non-Meraki IPSec peer between 2 MXes in the same org

svenus1977
Just browsing


Hello experts,

Can I establish an IPSec peer between 2 MXes within the same org, rather than going onto Auto VPN?

I was having an issue where Auto VPN breaks the port forwarding config:

https://community.meraki.com/t5/Security-SD-WAN/Port-forwarding-not-working-on-MX67/m-p/190775

But eventually, I need to keep the IPSec tunnel going when the other site (currently an old Cisco router, set up as a non-Meraki peer between the MX) migrates to the MX. Since I can't use Auto VPN, I wonder if the non-Meraki IPSec peer works for 2 MXes in the same organization.

Thanks.

alemabrahao
Kind of a big deal

Yes you can, but you will lose the benefits of auto VPN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

Just a note, if they are in the same organization both cannot be HUBs.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

The more I think about this - probably no.

To configure a non-Meraki VPN you first have to enable AutoVPN. As soon as two sites have AutoVPN enabled, they will talk to each other via AutoVPN.

So I am going to say no.

svenus1977
Just browsing

Thanks @alemabrahao @PhilipDAth for the replies.

I think I can get this working and would give it a try:

- I have the 2 sites that definitely will be spokes, so that should be fine.

- I have multiple VLANs. I just need one VLAN to be disabled for AutoVPN, but then use a non-Meraki IPsec peer to reach the same "disabled AutoVPN VLAN" on the other site. I have another VLAN that stays on AutoVPN and can reach the Hubs.

The reason for this complicated design is another issue I posted on the other thread, where an AutoVPN-enabled VLAN breaks port forwarding. Even though I am using split tunnel, I can never get port forwarding to work. And the port forwarding requirement is something I cannot ignore.

Replying to myself. Turning off the VLAN for Auto VPN does not work in my case, as turning off Auto VPN automatically breaks the IPSec tunnel.

I have opened a case to investigate the issues.
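As an added illustration (not code from this thread, from the poster, or from Meraki), the script below is an offline consistency check for the design discussed above: each site keeps one VLAN in AutoVPN and pulls another VLAN out of AutoVPN, with a non-Meraki IPsec peer carrying the excluded VLAN. It encodes the three constraints the replies raise: AutoVPN must be enabled for non-Meraki peers to apply, two MXes in the same org cannot both be hubs, and a subnet that is advertised into AutoVPN must not also be listed behind a non-Meraki peer (same-org MXes with AutoVPN enabled talk over AutoVPN, so the peer only makes sense for the excluded VLAN). The dict shapes are my reading of the Dashboard API objects for a network's site-to-site VPN settings and an organization's third-party VPN peers and should be confirmed against the API documentation; all subnets, IPs, IDs and secrets are constructed placeholders.

```python
import ipaddress

# Constructed sample: site A, spoke, VLAN 10 advertised into AutoVPN,
# VLAN 20 excluded from AutoVPN (the VLAN that keeps port forwarding).
SITE_A = {
    "mode": "spoke",
    "hubs": [{"hubId": "N_HUB_PLACEHOLDER", "useDefaultRoute": False}],
    "subnets": [
        {"localSubnet": "10.1.10.0/24", "useVpn": True},
        {"localSubnet": "10.1.20.0/24", "useVpn": False},
    ],
}

# Constructed sample: site B, same layout on 10.2.0.0/16.
SITE_B = {
    "mode": "spoke",
    "hubs": [{"hubId": "N_HUB_PLACEHOLDER", "useDefaultRoute": False}],
    "subnets": [
        {"localSubnet": "10.2.10.0/24", "useVpn": True},
        {"localSubnet": "10.2.20.0/24", "useVpn": False},
    ],
}

# Constructed sample: org-wide non-Meraki peers. Each entry points at the
# other site's excluded VLAN only; networkTags scope it to one site.
THIRD_PARTY_PEERS = [
    {"name": "to-site-b", "publicIp": "203.0.113.20",
     "privateSubnets": ["10.2.20.0/24"], "secret": "PLACEHOLDER",
     "networkTags": ["site-a"]},
    {"name": "to-site-a", "publicIp": "203.0.113.10",
     "privateSubnets": ["10.1.20.0/24"], "secret": "PLACEHOLDER",
     "networkTags": ["site-b"]},
]


def autovpn_subnets(site):
    """Subnets a site advertises into AutoVPN (entries with useVpn == True)."""
    return [ipaddress.ip_network(s["localSubnet"])
            for s in site["subnets"] if s["useVpn"]]


def audit(sites, peers):
    """Return a list of human-readable findings; an empty list means clean.

    sites: mapping of site name -> site-to-site VPN settings dict
    peers: list of third-party VPN peer dicts shared by the organization
    """
    findings = []

    # Constraint from the replies: same-org MXes cannot both be hubs.
    hubs = [name for name, s in sites.items() if s["mode"] == "hub"]
    if len(hubs) > 1:
        findings.append(
            f"both {' and '.join(hubs)} are hubs; same-org peers cannot both be hubs")

    for name, site in sites.items():
        # Constraint from the replies: non-Meraki peers need AutoVPN enabled.
        if site["mode"] == "none":
            findings.append(
                f"{name}: AutoVPN is off, so non-Meraki peer settings will not take effect")
            continue
        # A subnet cannot be both advertised into AutoVPN and routed to a
        # non-Meraki peer; only the excluded VLAN may sit behind the peer.
        for peer in peers:
            for cidr in peer["privateSubnets"]:
                remote = ipaddress.ip_network(cidr)
                for advertised in autovpn_subnets(site):
                    if remote.overlaps(advertised):
                        findings.append(
                            f"{name}: AutoVPN subnet {advertised} overlaps "
                            f"non-Meraki peer '{peer['name']}' subnet {remote}")
    return findings


if __name__ == "__main__":
    result = audit({"site-a": SITE_A, "site-b": SITE_B}, THIRD_PARTY_PEERS)
    for line in result or ["no conflicts found"]:
        print(line)
```

The check is purely static: it catches a VLAN that was left in AutoVPN while also being routed via the peer, or a hub/hub pairing, before anything is pushed to the dashboard. It cannot predict the runtime behaviour reported later in the thread, where excluding the VLAN from AutoVPN took the IPsec tunnel down with it; that is something only the support case can answer.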
