Non-Meraki Site-to-site VPN

SOLVED
Paul_kanm
Here to help

Hello everybody,

I won't take long, here is a summary of my problem.

I have 6 Z3 connected thanks to the native Meraki VPN to an MX.
I created an IPsec tunnel between a remote infrastructure and the MX.
I manage to access the MX network but I cannot access the Z3 networks which are all connected to the MX.
Can you help me please?

1 ACCEPTED SOLUTION
KarstenI
Kind of a big deal

Exactly, from the MX-view, it is just a routing-hop to that device that provides the VPN-access to these networks. For the placement of this device, it can be anywhere that is reachable from the MX. I like to place the public interface of the VPN-device in the public network, the internal interface is placed in an MX-DMZ.

8 REPLIES 8
ww
Kind of a big deal

You need a non-Meraki tunnel to all devices.

Look here for: AutoVPN + non-Meraki VPN Integration Considerations

https://www.willette.works/merging-meraki-vpns/

Thank you, I will check this.

I looked at the link, but isn't there a solution without needing to buy another MX?

KarstenI
Kind of a big deal

It doesn't have to be another MX. Any device (physical or virtual) that can provide VPN-services will do the job. But it can't be the MX that you already have in your network.

Thank you for the answer.
If I understand your solution correctly, the tunnel that I have to create must not be between my data center on NSX Edge and the Meraki? I have to use a firewall (pfSense for example) behind the Meraki to create the tunnel with my remote infrastructure?

KarstenI
Kind of a big deal

Exactly, from the MX-view, it is just a routing-hop to that device that provides the VPN-access to these networks. For the placement of this device, it can be anywhere that is reachable from the MX. I like to place the public interface of the VPN-device in the public network, the internal interface is placed in an MX-DMZ.


Thank you very much,
I will propose this solution to my superiors because it is the only solution available in my case.

KarstenI
Kind of a big deal

I use an additional ASA (or now Firepower Appliance) for all these Extranet VPNs. Yes, it's not part of your dashboard-network, but it makes the VPNs more secure and more flexible.
