Meraki

Community

Non-Meraki VPN peer + Meraki autoVPN - routing

Arnout
Conversationalist
‎Dec 15 2018 7:16 AM
‎Dec 15 2018 7:16 AM

Non-Meraki VPN peer + Meraki autoVPN - routing

Hi! 

 

At our company we are using MX appliances for the HQ and the braches. The branches are divided in two business units. Business unit 50 and 3 with there own unique private subnets. The branches are the SPOKE's and at the HQ the MX is set-up as HUB.

 

Now! For an external web services application i need to setup a IPSEC Site-2-Site with Non-Meraki VPN peer. This web services application is only needed for users at the HQ and business unit 50 (about 30 spokes).

 

 

I managed to build the IPSEC to the HQ MX HUB, and i am able to ping the Non-Meraki VPN subnet, but i am unable to reach the Non-Meraki VPN at the spokes. Its just not routing the IPsec VPN traffic. I have attached a diagram of our setup.  Could you please help to find a solution for this. 

 

IPVPN.png

 

Thank in advance.

 

Arnout

 

 

 

 

 

Labels:
0 Kudos
14 Replies 14
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 15 2018 2:51 PM
‎Dec 15 2018 2:51 PM

You can't do that.  You will also need to build the non-Meraki VPN to each spoke.

 

You may find it easier to buy an additional MX and host it where ever the web services application is (if they will allow it).

In response to PhilipDAth
Ahmed_Fathy
Here to help
‎Oct 29 2023 5:44 AM
‎Oct 29 2023 5:44 AM

Dear Philip

 

Is the above solution still the only valid one or there is any better workaround without extra MX appliance? 

0 Kudos
In response to Ahmed_Fathy
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 29 2023 12:10 PM
‎Oct 29 2023 12:10 PM

>Is the above solution still the only valid one

 

Correct.

0 Kudos
In response to PhilipDAth
Seyidoff
Comes here often
‎Mar 17 2024 9:34 AM
‎Mar 17 2024 9:34 AM

 

Hello,if my network is like this what settings should i do on my newly installed meraki device?

 

0 Kudos
In response to Seyidoff
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 17 2024 11:41 AM
‎Mar 17 2024 11:41 AM

Are you able to install your new MX at the cloud provider?

0 Kudos
In response to PhilipDAth
Seyidoff
Comes here often
‎Mar 17 2024 9:41 PM
‎Mar 17 2024 9:41 PM 

I have opened a new dashboard and it is installed.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 15 2018 2:58 PM
‎Dec 15 2018 2:58 PM

Another solution is to buy an additional MX to go at the hub site, but place it in a different organisation.  This should go on the same LAN as your existing hub MX.

 

On the new MX add a static route pointing to your AutoVPN MX that covers all of your subnets.  On your AutoVPN MX add a static route pointing to the remote site to site VPN destination with the new MX as the next hop, and publish this static route into AutoVPN.

 

Then build the site to site VPN to the new MX.

 

 

Voila.  All your spokes now have access.

In response to PhilipDAth
Arnout
Conversationalist
‎Dec 16 2018 2:48 AM
‎Dec 16 2018 2:48 AM

Hi Philip, 

 

Thanks for your response and help :).

I think the solution with the additional MX sounds the best and easiest way.

 

But one question, why should this MX run in a different organisation? 

In response to Arnout
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 16 2018 11:35 AM
‎Dec 16 2018 11:35 AM

>But one question, why should this MX run in a different organisation? 

 

You are going to have to make the new MX an AutoVPN hub (it wont have any spokes) to enable the non-Meraki site to site VPN.  You wont be able to add a static route pointing to the AutoVPN spokes via the other proper hub.  It wont allow it to be added.

Actually, if you get the supernetting correct it may be possible, but it would be safer to put it into another organisation.

 

Actually, this article by Aaron Willette explains it really well.

http://www.willette.works/merging-meraki-vpns/

 

0 Kudos
In response to PhilipDAth
gavins1040
Conversationalist
‎Apr 11 2019 3:25 AM
‎Apr 11 2019 3:25 AM

Hi, 

 

I'm currently setting the below up with a new MX. Just to check should the Non Meraki VPN MX have a separate public IP address from the Meraki AutoVPN MX?

 

0 Kudos
In response to gavins1040
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 11 2019 12:50 PM
‎Apr 11 2019 12:50 PM

If they are two seperate MX units then yes, they should each have their own public WAN IP address.

0 Kudos
In response to PhilipDAth
Toby
Getting noticed
‎May 28 2019 1:22 AM
‎May 28 2019 1:22 AM

Bear with me but shouldn't this work without using a separate MX?

Since the spokes have a default route back to the hub and the hub have the routes to the non Meraki VPN networks, shouldn't the spoke traffic have reachability to the non Meraki VPN networks?
0 Kudos
StarBlink
Here to help
‎Nov 15 2023 5:35 AM
‎Nov 15 2023 5:35 AM

I currently have this situation, does MX 18.107.2 still have this Meraki VPN - Non Meraki VPN routing limitation?

In response to StarBlink
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 15 2023 11:34 AM
‎Nov 15 2023 11:34 AM

Yes.  That won't be changing.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.