Non Meraki VPN & AutoVPN

manzies
Here to help

Hi

Is it possible to set up a non-Meraki VPN without it connecting to Meraki devices?

Scenario: MX-1 will be deployed soon, and I only want it to have a S2S VPN with the non-Meraki device.

MX-2 and MX-3 use AutoVPN now.

thanks

8 Replies
MaghM
Meraki Employee

Hello @manzies

If you mean you would like only MX1 to participate in the Non-Meraki VPN, then yes, you can filter which networks are available for it; see the documentation below:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peers

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
alemabrahao
Kind of a big deal

In any case, a non-Meraki VPN does not participate in AutoVPN.

To do this, you would need to configure a tunnel with each MX.

"An MX that builds tunnels to both Auto VPN and Non-Meraki VPN peers will not route traffic between other Auto VPN peers and the non-Meraki VPN peers unless BGP routing over IPsec VPN is enabled for the latter."

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
manzies
Here to help

Hi

Yes, I know the VPNs are separate, but what I mean is: to configure the S2S VPN on MX1, I need to turn it on with the radio button, which then makes it an AutoVPN hub or spoke. There doesn't seem to be a way to do S2S without that. Basically, I want it to act like a simple S2S VPN device and not attempt to join the AutoVPN overlay.

Putting it in another org is an option, I guess.

thanks

alemabrahao
Kind of a big deal

Exactly, you won't be able to do that, but I still don't understand what you're trying to "avoid"?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
rhbirkelund
Kind of a big deal

When setting the Site-to-Site VPN settings on MX-1 to spoke or hub, it will begin to participate in the AutoVPN topology between MX-2 and MX-3, assuming all three MXs are in the same Organization.

I'm not sure if you can have Meraki Support disable AutoVPN on MX-1 in the backend. You'll have to open a case to clarify that.

However, I'm rather certain that if you do not enable subnets on MX-1 to participate in the AutoVPN, these subnets will not be advertised to MX-2 and -3. However, MX-2 and -3 will advertise their subnets to MX-1. So you'll still need to have unique subnetting on all three sites. As long as you have the Private Subnets configured in the VPN configuration for your peer, as well as the other way around, it should be OK.

When configuring Non-Meraki VPNs, the configuration will be organization-wide, meaning that MX-2 and -3 will also begin to initiate a VPN connection to your peer. However, you can control this by using Availability tags. Tagging the Network that should have the Non-Meraki VPN, and setting this tag in the Availability field on the VPN configuration, will ensure that only MX-1 initiates a VPN to your peer.

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
rhbirkelund
Kind of a big deal

And so, I stand corrected by @GIdenJoe 🙂

LinkedIn ::: https://blog.rhbirkelund.dk/

Like what you see? - Give a Kudo ## Did it answer your question? - Mark it as a Solution 🙂

All code examples are provided as is. Responsibility for Code execution lies solely your own.
GIdenJoe
Kind of a big deal


I didn't even see your post when I was posting, so I believe we posted at the same time 😉
The info provided by our friend @alemabrahao is based on a misunderstanding that OP wants to route between auto and non-Meraki VPN.

The way the MX knows which local subnets to potentially expose to the non-Meraki peer is by enabling them in the AutoVPN settings. So in any case the subnet is exposed whether you want it or not, but the outbound firewall rules can handle this just fine.

I only wish Meraki would finally separate the two types of VPN, because this is a shortcoming in the VPN settings: you always expose your local subnets even to other Non-Meraki VPN peers, even when they don't need it. Luckily the non-Meraki VPN negotiation has been solid for quite a few major MX versions now, and we don't see any issues where there is a mismatch between the remote side only needing one of our subnets while we expose multiple of our subnets. The phase 2 SAs seem to negotiate just fine.

If they would just completely separate the config between non-Meraki and AutoVPN, that would actually simplify things a lot! And give us our route-based VPNs without needing BGP now, please!

GIdenJoe
Kind of a big deal

I believe the information that is given is mostly wrong.
You can only have an MX device participate in Non-Meraki VPN by either enabling AutoVPN Hub mode or Spoke mode and selecting a hub, AND you have to provide local networks.

So yes, your MX will make at least 1 tunnel to another MX in the same org.
However, as @MaghM has pointed out, you can configure site-to-site outbound VPN rules to prevent hosts behind the Non-Meraki VPN MX device from communicating with other branches.
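The two controls the replies converge on (rhbirkelund's availability tag on the peer, and GIdenJoe's and MaghM's site-to-site VPN firewall rules) can be checked together before the config goes live. The script below is an added example, not Meraki's code nor anything the posters shared: it takes a third-party peer definition, the local subnets each MX enables for AutoVPN, and the org-wide VPN firewall rules, and reports whether the peer is limited to one tagged network and whether its subnets are denied to and from every other branch. Field names are modelled on the shape of the Dashboard API payloads for third-party VPN peers and VPN firewall rules; the `["all"]` default for `networkTags`, the first-match rule evaluation, and all addresses, tags and names are assumptions constructed for illustration.

```python
"""Scope check for a non-Meraki (third-party) VPN peer in a Meraki org.

Added example, not Meraki's or the thread authors' code. It models the two
controls the replies describe: the peer's availability tag, which limits
which networks negotiate with the peer, and the organization-wide
site-to-site VPN firewall rules, which keep the peer's subnets away from
the other AutoVPN branches. Field names follow the shape of the Dashboard
API payloads; every value below is constructed for illustration.
"""
import ipaddress

# Constructed: one third-party peer, scoped by availability tag.
# ["all"] is assumed to be the default when networkTags is omitted.
PEERS = [
    {
        "name": "partner-fw",
        "publicIp": "203.0.113.10",           # RFC 5737 documentation address
        "privateSubnets": ["10.200.0.0/24"],   # subnets behind the peer
        "networkTags": ["nonmeraki-vpn"],      # only networks with this tag
    },
]

# Constructed: local subnets each MX enables in its AutoVPN settings.
BRANCH_SUBNETS = {
    "MX-1": ["10.1.0.0/24"],
    "MX-2": ["10.2.0.0/24"],
    "MX-3": ["10.3.0.0/24"],
}

# Constructed: site-to-site VPN firewall rules, assumed first match wins.
VPN_FIREWALL_RULES = [
    {"comment": "partner must not reach MX-2/MX-3", "policy": "deny",
     "protocol": "any", "srcCidr": "10.200.0.0/24",
     "destCidr": "10.2.0.0/24,10.3.0.0/24", "srcPort": "Any", "destPort": "Any"},
    {"comment": "MX-2/MX-3 must not reach partner", "policy": "deny",
     "protocol": "any", "srcCidr": "10.2.0.0/24,10.3.0.0/24",
     "destCidr": "10.200.0.0/24", "srcPort": "Any", "destPort": "Any"},
]


def _covers(field: str, net: ipaddress.IPv4Network) -> bool:
    """True if a comma-separated CIDR field (or 'Any') contains `net`."""
    if field.strip().lower() == "any":
        return True
    return any(net.subnet_of(ipaddress.ip_network(c.strip()))
               for c in field.split(","))


def flow_denied(rules, src: str, dst: str) -> bool:
    """First matching rule decides; no match means the implicit allow."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for rule in rules:
        if _covers(rule["srcCidr"], s) and _covers(rule["destCidr"], d):
            return rule["policy"].lower() == "deny"
    return False


def audit_peer_scope(peers, rules, branches, allowed_mx="MX-1",
                     tag="nonmeraki-vpn"):
    """Return a list of findings; an empty list means each peer is scoped
    to the tagged MX and fenced off from every other branch in both
    directions by the VPN firewall rules."""
    findings = []
    for peer in peers:
        tags = peer.get("networkTags", ["all"])
        if "all" in tags or tag not in tags:
            findings.append(f"{peer['name']}: availability not limited to "
                            f"tag {tag!r}; every MX would negotiate with it")
        for mx, local_subnets in branches.items():
            if mx == allowed_mx:
                continue  # MX-1 is meant to talk to the peer
            for remote in peer["privateSubnets"]:
                for local in local_subnets:
                    if not flow_denied(rules, remote, local):
                        findings.append(f"{peer['name']}: {remote} -> {mx} "
                                        f"{local} is not denied")
                    if not flow_denied(rules, local, remote):
                        findings.append(f"{peer['name']}: {mx} {local} -> "
                                        f"{remote} is not denied")
    return findings


if __name__ == "__main__":
    for line in audit_peer_scope(PEERS, VPN_FIREWALL_RULES, BRANCH_SUBNETS) or ["ok"]:
        print(line)
```

With the constructed data the audit returns no findings; dropping the firewall rules yields four (two branches, one peer subnet, both directions), and setting the peer's availability back to `["all"]` adds a fifth. The check deliberately treats MX-1's own subnets as in scope, since, as GIdenJoe notes, the local networks enabled for AutoVPN are exactly what the MX offers to the non-Meraki peer.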
