Hello experts,
Can I establish an IPSec peer between 2 MXes within the same org, rather than going onto Auto VPN?
I was having an issue where Auto VPN breaks the port forwarding config:
https://community.meraki.com/t5/Security-SD-WAN/Port-forwarding-not-working-on-MX67/m-p/190775
But eventually, I need to keep the IPSec tunnel going when the other site (currently an old Cisco router, set up as a non-Meraki peer to the MX) migrates to an MX. Since I can't use Auto VPN, I wonder if the non-Meraki IPSec peer works for 2 MXes in the same organization.
Thanks.
Yes you can, but you will lose the benefits of auto VPN.
Just a note, if they are in the same organization both cannot be HUBs.
The more I think about this - probably no.
To configure a non-Meraki VPN you first have to enable AutoVPN. As soon as two sites have AutoVPN enabled, they will talk to each other via AutoVPN.
So I am going to say no.
Thanks @alemabrahao @PhilipDAth for the replies.
I think I can get this working and would give it a try:
- I have the 2 sites that definitely will be spoke, so should be fine.
- I have multiple VLANs. I just need one VLAN to be disabled with AutoVPN, but then use non-Meraki IPsec peer to reach the same "disabled AutoVPN VLAN" on the other site. I have another VLAN that goes back to the AutoVPN that can reach to Hubs.
The reason for this complicated design is another issue I posted on the other thread, where an AutoVPN-enabled VLAN breaks port forwarding. Even though I am using split tunnel, I can never get port forwarding to work. And the port forwarding requirement is something I cannot ignore.
Replying to myself. Turning off Auto VPN for the VLAN does not work in my case, as turning off Auto VPN automatically breaks the IPSec tunnel.
I have opened a case to investigate the issues.