Non-Meraki Site-to-site VPN

SOLVED
Paul_kanm
Here to help

Non-Meraki Site-to-site VPN

Hello everybody,

I won't take long; here is a summary of my problem:

I have 6 Z3 connected thanks to the native VPN Meraki to an MX.
I created an ipsec tunnel between a remote infrastructure and the MX.
I manage to access the MX network but I cannot access the Z3 networks which are all connected to the MX.
Can you help me please?


ww
Kind of a big deal

Re: Non-Meraki Site-to-site VPN

You need a non-Meraki tunnel to all devices.

Look here for: AutoVPN + non-Meraki VPN Integration Considerations

https://www.willette.works/merging-meraki-vpns/

KarstenI
Head in the Cloud

Re: Non-Meraki Site-to-site VPN

I use an additional ASA (or now Firepower Appliance) for all these Extranet VPNs. Yes, it's not part of your dashboard-network, but it makes the VPNs more secure and more flexible.

Paul_kanm
Here to help

Re: Non-Meraki Site-to-site VPN


Thank you, I will check this.

Paul_kanm
Here to help

Re: Non-Meraki Site-to-site VPN

I looked at the link, but isn't there a solution without needing to buy another MX?

KarstenI
Head in the Cloud

Re: Non-Meraki Site-to-site VPN

It doesn't have to be another MX. Any device (physical or virtual) that can provide VPN-services will do the job. But it can't be the MX that you already have in your network.

Paul_kanm
Here to help

Re: Non-Meraki Site-to-site VPN

Thank you for the answer.
If I understand your solution correctly, the tunnel that I have to create must not be between my data center on NSXedge and the Meraki? I have to use a firewall (pfSense for example) behind the Meraki to create the tunnel with my remote infrastructure.

KarstenI
Head in the Cloud

Re: Non-Meraki Site-to-site VPN

Exactly, from the MX-view, it is just a routing-hop to that device that provides the VPN-access to these networks. For the placement of this device, it can be anywhere that is reachable from the MX. I like to place the public interface of the VPN-device in the public network, the internal interface is placed in an MX-DMZ.


Paul_kanm
Here to help

Re: Non-Meraki Site-to-site VPN


Thank you very much,
I will propose this solution to my superiors because it is the only solution available in my case.
