Non-Meraki VPN peering - only use a specific local IP-subnet in Phase2

Solved
whistleblower
Building a reputation

Non-Meraki VPN peering - only use a specific local IP-subnet in Phase2

Hi,

 

I've to configure a Site-to-Site VPN Tunnel between a Meraki MX and a Non-Meraki VPN Peer...
On the MX there are a bunch of IP-Subnets configured locally but I only want to use one of them as the local one to communicate with the remote side! How can this be achieved? Because if my understanding is correct, by default all subnets org-wide are used, or am I wrong?

1 Accepted Solution
alemabrahao
Kind of a big deal

Once the networks are Enabled in the VPN configuration, they will automatically be advertised in the tunnel.
 
If you want to remove it, you have to disable it, but it will not participate in Auto VPN either.

 

[Screenshot: alemabrahao_0-1689341318838.png]

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.


5 Replies
DarrenOC
Kind of a big deal

Hi @whistleblower. That is unfortunately a downside of the MX's. You could use the site-to-site firewall rules to restrict comms. I can't remember if it's Org wide or just Network wide for the subnets piece.

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
whistleblower
Building a reputation

OK, thanks for clarification!

whistleblower
Building a reputation

I'd like to ask one more question regarding that topic... I always thought that in the Phase2 of a Site-to-Site VPN connection the parameters like the Local- and Remote IP-Subnets have to match on both VPN-Peers which should form the tunnel?! How does the Meraki MX know which local IP-Subnet the remote site VPN-Peer will need to know, or is the MX sending all "enabled" VPN Networks in the Phase2 for a SA? If so, isn't this a potential security issue when peering with Non-Meraki VPN peers?

alemabrahao
Kind of a big deal

It will send all networks that have VPN mode enabled. I don't know the engineering behind it; because Non-Meraki VPN is very limited, it would be better to contact Meraki.

Not sure if it would work, but limiting via L3 firewall rules is a possible solution if you don't feel secure.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
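The site-to-site firewall workaround suggested in this thread, as an added example that is not from the thread or from Meraki: it builds the deny rules that keep every VPN-enabled local subnet except one away from the third-party peer, then checks sample flows with the first-match, default-allow semantics the dashboard's site-to-site outbound rule list applies. The sample subnets and the rule-dict field names are assumptions.

```python
import ipaddress

# Constructed sample values (not from the thread): the subnets with VPN mode
# enabled on the MX, the single local subnet that may talk to the third-party
# peer, and the peer's private subnet as entered in the non-Meraki peer config.
LOCAL_VPN_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24"]
ALLOWED_LOCAL = "10.20.0.0/24"
REMOTE_PEER_SUBNET = "192.168.100.0/24"


def _in_cidr(ip, cidr):
    """Match an address against a rule CIDR; 'Any' matches everything."""
    return cidr.lower() == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def build_vpn_firewall_rules(local_subnets, allowed_local, remote_subnet):
    """Site-to-site VPN firewall rules as dicts in the shape the Meraki dashboard
    uses (comment/policy/protocol/srcCidr/destCidr/...; field names assumed).
    Every VPN-enabled local subnet except `allowed_local` is denied from reaching
    the peer. Only explicit denies are needed: the list ends in an implicit allow."""
    allowed = ipaddress.ip_network(allowed_local)
    rules = []
    for subnet in local_subnets:
        if ipaddress.ip_network(subnet) == allowed:
            continue
        rules.append({
            "comment": f"Block {subnet} to non-Meraki peer {remote_subnet}",
            "policy": "deny", "protocol": "any",
            "srcCidr": subnet, "srcPort": "Any",
            "destCidr": remote_subnet, "destPort": "Any",
            "syslogEnabled": True,  # log hits so stray traffic is visible
        })
    return rules


def evaluate(rules, src_ip, dst_ip):
    """First-match evaluation, top down; no match falls through to the
    implicit default allow at the end of the site-to-site outbound rule set."""
    for rule in rules:
        if _in_cidr(src_ip, rule["srcCidr"]) and _in_cidr(dst_ip, rule["destCidr"]):
            return rule["policy"]
    return "allow"


if __name__ == "__main__":
    rules = build_vpn_firewall_rules(LOCAL_VPN_SUBNETS, ALLOWED_LOCAL, REMOTE_PEER_SUBNET)
    for src in ("10.10.0.5", "10.20.0.5", "10.30.0.7"):
        print(src, "->", REMOTE_PEER_SUBNET, evaluate(rules, src, "192.168.100.10"))
```

These rules only govern flows the MX sends into the tunnel, so the subnets are still advertised in Phase 2 as the thread describes; the rules limit what can actually cross, not what is negotiated.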