cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Non Meraki VPN peer with AWS

BT1
Here to help

Non Meraki VPN peer with AWS

Hello, I created one non meraki VPN tunnel with AWS(ports allowed 500, 4500 (Both TCP and UDP)).

 

I only get the below messages in event log but dont get the phase 2 negotiation and IP sec SA established message.

1> msg: initiate new phase 1 negotiation

2> msg: ISAKMP-SA established

 

However, I find the non meraki VPN peer tunnel up in VPN status and also see the routes are listed for private subnets(for non meraki peer) in route table.

 

At client side tunnel is down only. Not sure what is the issue? why IP sec SA is not being established here.

5 REPLIES 5
MickeyPhelps
Here to help

Re: Non Meraki VPN peer with AWS

I've been doing a lot of testing to get our AWS TGW VPNs connected to Meraki.  

Here's what I've found:

1.  Make sure that your params match *exactly*.   I have mine set to sha256, aes256, and dh14 exclusively.

2.  I removed the optional local IP data from the VPN fields. 

3.  Establish a route from an inside client and start a continuous ping.   Theoretically AWS using IKE2 can establish the tunnel from their side, but our Meraki is going through a NAT'd internet gateway so there's no path to establish from the AWS side.

4.  Ensure that your VPN on the AWS side uses the 0.0.0.0/0 subnet for local and remote subnet

5.  Ensure that your VPN on the AWS side has an associated route table with your meraki side internal networks (NATed?) pointing to the VPN and your AWS VPC destinations.

 

I was able to get mine running.

 

Also - using a lamda to update the Meraki destination VPN IP in case of an AZ failure.

BT1
Here to help

Re: Non Meraki VPN peer with AWS

Please can you elaborate point 2 and 5 as I didnt get them.

MickeyPhelps
Here to help

Re: Non Meraki VPN peer with AWS

Point 2:   I removed the optional local IP data from the VPN fields. 

Local ID and Remote ID in the 3rd party VPN config I just leave blank

 

Point 5:  Ensure that your VPN on the AWS side has an associated route table with your meraki side internal networks (NATed?) pointing to the VPN and your AWS VPC destinations.

Go to your VPN Attachment (I use TGWs) and configure the attachment route table.  Ensure that the Meraki side network address(es) have a route back to the VPN and that your AWS networks have routes to the VPCs.

Same holds true for VPG configurations - VPC route table should point both ways.

BT1
Here to help

Re: Non Meraki VPN peer with AWS

Hello Mickey,

 

See, we have a set up like VPC in AWS is connected to Transit Gateway and then its further connected to Site MX.

 

so you mean to say in transit gateway routing table there should be two kind of routes, AWS networks should be pointed to VPC and Meraki networks should be pointed to customer gateway(MX public IP). Is that right?

 

Also, suggest me what should be the public IP defined in MX non meraki VPN peer. We have mentioned the public IP of VPC but I think it should be some public IP of Transit gateway as MX would be making site to site VPN with TGW not with VPC public IP. Please elaborate..

Thanks a lot in advance.

MickeyPhelps
Here to help

Re: Non Meraki VPN peer with AWS

Sorry - there are 2 ways to set up a VPN to AWS with a Meraki.   Both must be Static as Meraki does not support BGP for Dynamic.

 

1.  Create a Virtual Private Gateway and a Site to Site VPN Connection..

2.  Create a Transit Gateway then create a Transit Gateway Attachment type of VPN.

 

I use option 2 due to our many VPCs and accounts.   It's just easier to route in and out of a TGW from a VPN than to route through a VPC when you're dealing with other accounts.

 

Either way, you'll need a static route table since the Meraki does not support BGP.

 

So, with option 1, you'll add your static routes to the VPN static route table.   Option 2 you will create a TGW Route Table, associate it to your VPN Attachment, and add the static routes there.    Either way, you'll need routes defined in the VPN to point to networks on the other side of the Meraki and on the AWS VPC side.

 

The Public IP on the AWS side is listed in the Configuration Download option for Meraki (as is the public key and such).   The Public IP for the Meraki that you would enter on the AWS VPN side for your customer gateway is Security & SD-WAN > Appliance Status > Uplink (tab) > General Public IP

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.