Meraki

Community

Non-Meraki IPSec peer between 2 MXes in the same org

svenus1977
Just browsing
‎Apr 10 2023 2:37 AM
‎Apr 10 2023 2:37 AM

Non-Meraki IPSec peer between 2 MXes in the same org

Hello experts,

 

 Can I establish IPSec peer between 2 MXes within the the same org, rather than going onto Auto VPN?  

 

 I was having issue that Auto VPN breaks the port forwarding config:

 https://community.meraki.com/t5/Security-SD-WAN/Port-forwarding-not-working-on-MX67/m-p/190775

 

 But eventually, I need to keep the IPSec tunnel going when the other site (currently an old Cisco router, setup as a non-meraki peer between the MX) migrates to the MX.  Since I can't use Auto VPN, I wonder if the non-Meraki IPSec peer works for 2 MXes in the same organization.  

 

  Thanks.

Labels:
0 Kudos
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 10 2023 3:39 AM
‎Apr 10 2023 3:39 AM

Yes you can, but you will lose the benefits of auto VPN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 10 2023 3:56 AM
‎Apr 10 2023 3:56 AM

Just a note, if they are in the same organization both cannot be HUBs.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 10 2023 2:14 PM
‎Apr 10 2023 2:14 PM

The more I think about this - probably no.

 

To configure a non-Meraki VPN you first have to enable AutoVPN.  As soon as two sites have AutoVPN enabled, they will talk to each other via AutoVPN.

 

So I am going to say no.

0 Kudos
svenus1977
Just browsing
‎Apr 10 2023 4:28 PM
‎Apr 10 2023 4:28 PM

Thanks @alemabrahao @PhilipDAth for the replies. 

 

I think I can get this working and would give it a try:

- I have the 2 sites that definitely will be spoke, so should be fine.

- I have multiple VLANs.  I just need one VLAN to be disabled with AutoVPN, but then use non-Meraki IPsec peer to reach the same "disabled AutoVPN VLAN" on the other site.  I have another VLAN that goes back to the AutoVPN that can reach to Hubs. 

 

The reason for this complicated design is due to the another issue I posted on the other thread, which AutoVPN enabled VLAN breaks port forwarding. Even I am using split tunnel, I can never get port forwarding to work.  And the port forwarding requirement is something I cannot ignore. 

0 Kudos
In response to svenus1977
svenus1977
Just browsing
‎Apr 10 2023 10:31 PM
‎Apr 10 2023 10:31 PM

Replying to myself.  Turning off the VLAN for Auto VPN does not work in my case. As turning off Auto VPN automatically breaks the IPSec tunnel. 

 

I have opened a case to investigate the issues. 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.