Non-Meraki VPN peers, will not route traffic between the non-Meraki VPN peers and other AutoVPN peer

GaryShainberg
Building a reputation

Non-Meraki VPN peers, will not route traffic between the non-Meraki VPN peers and other AutoVPN peer

Dear Community,

 

I have been struggling for days with this problem and the called the 24x7 support only to find that apparently this is not supported by Meraki, has anyone come across a solution ?

 

I have been trying to route traffic from a Z1 that is connected to an MX64 via a auto-VPN connection which is then connected to a Non-Meraki site to site VPN, but it appears this can not be done, has anyone come accross this before and found a solution ?

 

This is the para. from a tech note:

 

AutoVPN and Non-Meraki VPN peers

An MX Security Appliance can establish tunnels to both AutoVPN and Non-Meraki VPN peers. The MX will send traffic to those VPN peers using the principles discussed above. However, an MX that builds tunnels to both AutoVPN and Non-Meraki VPN peers, will not route traffic between the non-Meraki VPN peers and other AutoVPN peers.

 
CTO & Solutioneer
CMNA, CMNO, ECMS2
SNSA, SNSP
~~If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.~~
9 REPLIES 9
PhilipDAth
Kind of a big deal

That is correct.

 

Can you also built a VPN between the Z1 and the remote site directly?

 

What sort of application are you wanting to access remotely via the VPN?  A web app using http, an smb file share, something else?

Adam
Kind of a big deal

Can the Z1 be configured to just AutoVPN to the MX64 and then Site to Site VPN to the same destination directly that the MX64 is tunneling to?

Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
If this was helpful click the Kudo button below
If my reply solved your issue, please mark it as a solution.
ruzaidy
Conversationalist

any idea to overcome this issue? i'm setting up mx64w at hub with multiple spokes, need to reroute traffic from spokes to non meraki vpn peer at hub

PhilipDAth
Kind of a big deal

You can work around it by using an extra MX next to the hub, and use that for the non-Meraki VPNs.

 

You create a static route on the AutoVPN for the remote subnets via the extra MX and say to put those into AutoVPN.  On the extra MX you put a static route pointing to the remote AutoVPN destinations via the hub.

the extra MX need to be part of LAN of 1st MX or can using other public IP?

PhilipDAth
Kind of a big deal

For non-meraki VPNs the extra MX should have a static IP address, or your life might get hard.

 

The AutoVPN hub should ideally have a static IP address, but it is not as critical.

This seems like an overly expensive and complicated solution.

Bruce
Kind of a big deal

@ChristianF site-to-site VPNs with non-Meraki peers are always challenging, but if you know how they work and how to overcome some of the limitations they work just fine. Is there anything specific you are trying to achieve?

this solution works, need to have different box and different dashboard, set the static routing

thanks @PhilipDAth 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels