I've been doing a lot of testing to get our AWS TGW VPNs connected to Meraki.
Here's what I've found:
1. Make sure that your params match *exactly*. I have mine set to sha256, aes256, and dh14 exclusively.
2. I removed the optional local IP data from the VPN fields.
3. Establish a route from an inside client and start a continuous ping. Theoretically AWS using IKE2 can establish the tunnel from their side, but our Meraki is going through a NAT'd internet gateway so there's no path to establish from the AWS side.
4. Ensure that your VPN on the AWS side uses the 0.0.0.0/0 subnet for local and remote subnet
5. Ensure that your VPN on the AWS side has an associated route table with your meraki side internal networks (NATed?) pointing to the VPN and your AWS VPC destinations.
I was able to get mine running.
Also - using a lamda to update the Meraki destination VPN IP in case of an AZ failure.
Point 2: I removed the optional local IP data from the VPN fields.
Local ID and Remote ID in the 3rd party VPN config I just leave blank
Point 5: Ensure that your VPN on the AWS side has an associated route table with your meraki side internal networks (NATed?) pointing to the VPN and your AWS VPC destinations.
Go to your VPN Attachment (I use TGWs) and configure the attachment route table. Ensure that the Meraki side network address(es) have a route back to the VPN and that your AWS networks have routes to the VPCs.
Same holds true for VPG configurations - VPC route table should point both ways.
See, we have a set up like VPC in AWS is connected to Transit Gateway and then its further connected to Site MX.
so you mean to say in transit gateway routing table there should be two kind of routes, AWS networks should be pointed to VPC and Meraki networks should be pointed to customer gateway(MX public IP). Is that right?
Also, suggest me what should be the public IP defined in MX non meraki VPN peer. We have mentioned the public IP of VPC but I think it should be some public IP of Transit gateway as MX would be making site to site VPN with TGW not with VPC public IP. Please elaborate..
Sorry - there are 2 ways to set up a VPN to AWS with a Meraki. Both must be Static as Meraki does not support BGP for Dynamic.
1. Create a Virtual Private Gateway and a Site to Site VPN Connection..
2. Create a Transit Gateway then create a Transit Gateway Attachment type of VPN.
I use option 2 due to our many VPCs and accounts. It's just easier to route in and out of a TGW from a VPN than to route through a VPC when you're dealing with other accounts.
Either way, you'll need a static route table since the Meraki does not support BGP.
So, with option 1, you'll add your static routes to the VPN static route table. Option 2 you will create a TGW Route Table, associate it to your VPN Attachment, and add the static routes there. Either way, you'll need routes defined in the VPN to point to networks on the other side of the Meraki and on the AWS VPC side.
The Public IP on the AWS side is listed in the Configuration Download option for Meraki (as is the public key and such). The Public IP for the Meraki that you would enter on the AWS VPN side for your customer gateway is Security & SD-WAN > Appliance Status > Uplink (tab) > General Public IP