Non Meraki Site/Site VPN advertise network to downstream MX devices.

Getting noticed

Non Meraki Site/Site VPN advertise network to downstream MX devices.

I have a meraki to non meraki s2s VPN. I would like to advertise the network at the remote (non meraki) site to the rest of my Meraki sites. I dont want to manage VPN's from every Meraki site to this 1 non meraki site. Is there a way to advertise that non meraki VPN network out of the Meraki site where the VPN terminates?





6 Replies 6
A model citizen

First, make sure that the Non-Meraki site is allowing traffic from your other sites. Next, go to Security appliance > Site-to-site VPN. Under the Organization-wide settings, find your non-Meraki VPN peer that you wish to be accessible to all networks. Under the availability section, set it to All Networks.

Found this helpful? Give me some Kudos! (click on the little up-arrow below)

@Mr_IT_GuyThanks for the response! 

I think if i select "all networks" all of my meraki sites will VPN into that non meraki site. I am trying to make that non meraki site reachable by going though the 1 meraki site the is VPN connected to the non meraki site. I think i need to be able to put in a static route that points down the non meraki vpn tunnel and then pass that route to the rest of my meraki sites, so far i havent seen any way to do that. 

Kind of a big deal

@bholmes12 You're correct about what the "all networks" option does for non-Meraki VPN peers. It's meant to control which MXen try to establish VPN connections to that peer. 


Have you tried putting in static routes on your other MXen that are not connected to the non-Meraki peer? This may be the only way to get routes to the non-Meraki peer throughout your network. I don't believe there's an officially supported way currently to advertise non-Meraki peer routes. 


@MRCURGave that a shot, but the dashboard spits out an error about an invalid next hop. I was using the outside interface GW as the next hop. Even if it took the route i dont think the MX would know to put that traffic into the proper VPN tunnel. 

Kind of a big deal

@bholmes12 Do you have the option of letting each MX connect to the non-Meraki peer? Sounds like that's the only way for this to work. 


I don't manage the other peer, and i have 50+ sites running MX's, so it would be a pretty big challenge for me to work though. 


It looks like in this case i am going to have to move the tunnel off the MX and onto an ASA. 



I have also made a wish for this functionality in the future. 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.