Non-Meraki VPN Peer to Meraki Mesh VPN

Solved
BreckpointIT
Here to help

Non-Meraki VPN Peer to Meraki Mesh VPN

Hi guys,


First time posting, and new to Networking, and got myself into an interesting predicament.... 🙂


Our company is an offshoot to a main office in another state. We got an MX95 and 30 Z3's to get all our remote users connected for our office. The HQ office hosts the domain controller. From our office to the HQ office we got the Non-Meraki site to site working perfectly, and then I found out that the Non-Meraki peer can't act as a spoke in the VPN. Oops...  The other site won't be upgrading their firewall anytime soon. We decided to send one of the Z3's to that site.

My questions are:


Will Meraki automatically pick up the subnets on the other side, or do I need to point them? OSPF?


Will I have to disconnect the Non-Meraki connection for the Z3 on site with them to work properly?


I'm assuming based on the above that the Client VPN will have to be set up on the Z3 at the HQ site. Once the mesh is working correctly, will the client VPN be able to be the MX at our office?

I hope that's not too confusing. This project was dropped in my lap, and I've been learning as I go.

1 Accepted Solution
PhilipDAth
Kind of a big deal

Run the Z3 in VPN concentrator mode.  It only uses a single interface (Internet) in this configuration and all routing is done via that.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide 


Have the main site install it behind their firewall.  Have them add static routes on their firewall pointing to the Z3 for everything in the Meraki network.

In the dashboard for the Z3, you add "Local" routes to say what to send to that site.  It will send all of that traffic to their firewall.


When you do the above you'll delete the non-Meraki VPN.


The client VPN will be able to be to the MX at your office, and will be able to access everything.

4 Replies
BreckpointIT
Here to help

"Have them add static routes on their firewall pointing to the Z3 for everything in the Meraki network."


Do you mean the Meraki internal subnets? I.e., the MX and the Z3 subnets?

PhilipDAth
Kind of a big deal

Correct.  Plus the client VPN subnet.
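The accepted answer and this follow-up describe two route sets that have to mirror each other: static routes on the HQ firewall pointing at the Z3 for every Meraki-side subnet (MX LAN, Z3 LANs and the client VPN pool), and "Local" routes on the Z3 for every HQ subnet. The script below is an added example, not code from the thread or from Meraki; it models that relationship offline with constructed placeholder prefixes and reports the mismatches that cause asymmetric or looping traffic, including the easy-to-miss client VPN pool.

```python
from ipaddress import ip_network
from typing import Dict, List

# Constructed sample topology (placeholders, not addresses from the thread).
# Subnets reached through the Meraki AutoVPN mesh: the HQ firewall needs a
# static route to the Z3 for each of these, client VPN pool included.
MERAKI_SUBNETS: Dict[str, str] = {
    "office MX LAN": "10.10.0.0/16",
    "Z3 teleworker LANs": "10.20.0.0/16",
    "client VPN pool": "10.30.0.0/24",
}
# Subnets behind the HQ firewall: the Z3 (in concentrator mode) must list
# these as "Local" routes so the mesh sends that traffic to the HQ firewall.
HQ_SUBNETS: Dict[str, str] = {
    "HQ servers (domain controller)": "192.168.10.0/24",
    "HQ user LAN": "192.168.20.0/24",
}


def check_routes(hq_static_routes: List[str], z3_local_routes: List[str]) -> List[str]:
    """Compare the two route sets and return a list of problems (empty = consistent).

    hq_static_routes: destination prefixes on the HQ firewall whose next hop is the Z3.
    z3_local_routes:  "Local" route prefixes configured on the Z3 in the dashboard.
    """
    problems: List[str] = []
    hq = [ip_network(r, strict=True) for r in hq_static_routes]
    z3 = [ip_network(r, strict=True) for r in z3_local_routes]

    # 1. Every Meraki-side prefix needs a return route on the HQ firewall; without it
    #    replies follow the firewall's default route and the flow is asymmetric.
    for name, cidr in MERAKI_SUBNETS.items():
        net = ip_network(cidr)
        if not any(net.subnet_of(route) for route in hq):
            problems.append(f"HQ firewall: no static route to the Z3 covers {name} ({cidr})")

    # 2. Every HQ prefix must be a Local route on the Z3, or the mesh never forwards to it.
    for name, cidr in HQ_SUBNETS.items():
        net = ip_network(cidr)
        if not any(net.subnet_of(route) for route in z3):
            problems.append(f"Z3: no Local route covers {name} ({cidr})")

    # 3. The two sides must not overlap, otherwise the same prefix is claimed on both
    #    ends and traffic can loop between the Z3 and the HQ firewall.
    for a in hq:
        for b in z3:
            if a.overlaps(b):
                problems.append(f"overlap: HQ static route {a} vs Z3 Local route {b}")

    return problems


if __name__ == "__main__":
    # Forgetting the client VPN pool is the gap the follow-up answer points out.
    incomplete = check_routes(["10.10.0.0/16", "10.20.0.0/16"],
                              ["192.168.10.0/24", "192.168.20.0/24"])
    for line in incomplete:
        print("PROBLEM:", line)
    complete = check_routes(["10.10.0.0/16", "10.20.0.0/16", "10.30.0.0/24"],
                            ["192.168.10.0/24", "192.168.20.0/24"])
    print("complete config problems:", complete)
```

Run it as-is to see the missing client VPN pool flagged; swap in your own prefixes for the two dictionaries and the two argument lists before changing anything on the firewall or in the dashboard.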

BreckpointIT
Here to help

Awesome! Thank you so much!! I really appreciate your help.
