Meraki

Community

Non-Meraki VPN peering - only use a specific local IP-subnet in Phase2

Solved
whistleblower
Building a reputation
‎Jul 14 2023 6:09 AM
‎Jul 14 2023 6:09 AM

Non-Meraki VPN peering - only use a specific local IP-subnet in Phase2

Hi,

 

I´ve to configure a Site-to-Site VPN Tunnel between a Meraki MX and Non-Meraki VPN Peer...
On the MX there are a bunch of IP-Subnets configured locally but I only want to use one out of them as local one to communicate with the remote side! How can this be achived? Because if my understanding is correct per default all subnets org-wide are used or I´m wrong?

0 Kudos
1 Accepted Solution
alemabrahao
Kind of a big deal
‎Jul 14 2023 6:28 AM
‎Jul 14 2023 6:28 AM

Once the networks are Enabled in the VPN configuration, they will automatically be advertised in the tunnel.
 
If you want to remove it, you have to disable it, but it will not participate in Auto VPN either.

 

alemabrahao_0-1689341318838.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

5 Replies 5
DarrenOC
Kind of a big deal
Kind of a big deal
‎Jul 14 2023 6:26 AM
‎Jul 14 2023 6:26 AM

Hi @whistleblower   That is unfortunately a downside of the MX's.  You could use the site-to-site firewall rules to restrict comms.  I can't remember if its Org wide or just Network wide for the subnets piece.

 

 

 

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
alemabrahao
Kind of a big deal
‎Jul 14 2023 6:28 AM
‎Jul 14 2023 6:28 AM

Once the networks are Enabled in the VPN configuration, they will automatically be advertised in the tunnel.
 
If you want to remove it, you have to disable it, but it will not participate in Auto VPN either.

 

alemabrahao_0-1689341318838.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
whistleblower
Building a reputation
‎Jul 14 2023 7:36 AM
‎Jul 14 2023 7:36 AM

OK, thanks for clarification!

0 Kudos
whistleblower
Building a reputation
‎Aug 3 2023 4:56 AM
‎Aug 3 2023 4:56 AM

I´d like to ask one more question regarding that topic... I always thought that in the Phase2 of a Site-to-Site VPN connection the parameters like the Local- and Remote IP-Subnets have to match on both VPN-Peers which should form the tunnel?! How does the Meraki MX know which local IP-Subnet the remote site VPN-Peer will need to know or is the MX sending all "enabled" VPN Networks in the Phase2 for a SA? If so, isn`t this a potential security issue when peering with Non-Meraki VPN peers?

0 Kudos
In response to whistleblower
alemabrahao
Kind of a big deal
‎Aug 3 2023 5:19 AM
‎Aug 3 2023 5:19 AM

It will send all networks that have VPN mode enabled, I don't know the engineering behind it, because Non-Meraki VPN is very limited, so it would be better to contact Meraki.
 
Not sure if it would work, but limiting via L3 firewall rules is a possible solution if you don't feel secure.
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.