Non Meraki Site/Site VPN advertise network to downstream MX devices.

bholmes12
Getting noticed

I have a Meraki to non-Meraki S2S VPN. I would like to advertise the network at the remote (non-Meraki) site to the rest of my Meraki sites. I don't want to manage VPNs from every Meraki site to this 1 non-Meraki site. Is there a way to advertise that non-Meraki VPN network out of the Meraki site where the VPN terminates?

6 Replies
Mr_IT_Guy
A model citizen

First, make sure that the Non-Meraki site is allowing traffic from your other sites. Next, go to Security appliance > Site-to-site VPN. Under the Organization-wide settings, find your non-Meraki VPN peer that you wish to be accessible to all networks. Under the availability section, set it to All Networks.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

@Mr_IT_Guy Thanks for the response!

I think if I select "all networks" all of my Meraki sites will VPN into that non-Meraki site. I am trying to make that non-Meraki site reachable by going through the 1 Meraki site that is VPN connected to the non-Meraki site. I think I need to be able to put in a static route that points down the non-Meraki VPN tunnel and then pass that route to the rest of my Meraki sites; so far I haven't seen any way to do that.

MRCUR
Kind of a big deal

@bholmes12 You're correct about what the "all networks" option does for non-Meraki VPN peers. It's meant to control which MXen try to establish VPN connections to that peer.

Have you tried putting in static routes on your other MXen that are not connected to the non-Meraki peer? This may be the only way to get routes to the non-Meraki peer throughout your network. I don't believe there's an officially supported way currently to advertise non-Meraki peer routes.

MRCUR | CMNO #12

@MRCUR Gave that a shot, but the dashboard spits out an error about an invalid next hop. I was using the outside interface GW as the next hop. Even if it took the route I don't think the MX would know to put that traffic into the proper VPN tunnel.

MRCUR
Kind of a big deal

@bholmes12 Do you have the option of letting each MX connect to the non-Meraki peer? Sounds like that's the only way for this to work. 

MRCUR | CMNO #12

I don't manage the other peer, and I have 50+ sites running MXs, so it would be a pretty big challenge for me to work through.

It looks like in this case I am going to have to move the tunnel off the MX and onto an ASA.

I have also made a wish for this functionality in the future.
