Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

SOLVED
mpgioia
Here to help


I have a basic setup.

4 x Meraki MXs across 4 sites. All talking to each other via Meraki S-2-S VPN.

Under ../manage/configure/vpn_settings I have the networks propagated with the drop-down 'VPN participation': 'On'... they are two wide /16 networks.

One of those four Meraki sites has an additional peer to a non-Meraki VPN implementation.

I have three new routes (3 x more specific /24s within those greater /16 networks defined above) defined on the MX interfaces so I can also set 'VPN participation': 'On' for them too.

Set up the peer as per normal.

Here's the kicker. The far end implementation is seeing Phase 1 pass no probs, and even Phase 2, but then complaining about the propagated proxy IDs.

It's seeing one of the wide /16 networks.

Half understandable.. because.. for some reason.. we can't specify NEAR subnets in the non-Meraki VPN peer setup? Only FAR subnets (via the 'private subnets' field)?!

Surely, there's a way to do this...

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

Agreed @mpgioia it is a pain. I sometimes add in a Cisco ASA/router to a solution just to cover off this case when there is anything more complex than "simple" site to site VPNs.

jdsilva
Kind of a big deal

The near end subnets are the same as the subnets marked as "in VPN" for the AutoVPN section. You can't specify a different set for each VPN type.
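
As an added illustration of the behaviour jdsilva describes (not code from the thread or from Meraki), the script below models what the MX hands to a non-Meraki peer: every AutoVPN-participating subnet is a near-end selector, the peer's 'private subnets' field supplies the far end, and the /16s therefore show up alongside the /24s. The subnets and the peer's expected list are constructed sample values, and the one-SA-per-subnet-pair model is an assumption.

```python
import ipaddress
from itertools import product

# Constructed sample config (not from the thread). The MX's "VPN participation: On"
# subnets double as the near-end selectors for every non-Meraki peer.
MX_VPN_SUBNETS = ["10.0.0.0/16", "10.1.0.0/16",
                  "10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"]
# The peer's "private subnets" field for this one non-Meraki peer (far end).
PEER_PRIVATE_SUBNETS = ["192.168.50.0/24"]
# What the third-party gateway was configured to accept as the MX's local IDs.
PEER_EXPECTED_REMOTE = ["10.0.10.0/24", "10.0.20.0/24", "10.0.30.0/24"]


def proxy_ids(local_subnets, remote_subnets):
    """Phase 2 selector pairs offered to the peer: each near subnet x each far subnet
    (assumed model: one SA per subnet pair)."""
    local = [ipaddress.ip_network(s) for s in local_subnets]
    remote = [ipaddress.ip_network(s) for s in remote_subnets]
    return [(str(near), str(far)) for near, far in product(local, remote)]


def unexpected_near_selectors(local_subnets, peer_expected):
    """Near-end selectors the peer has no matching policy for; these are what
    triggers the proxy-ID complaint on the far end."""
    expected = {ipaddress.ip_network(s) for s in peer_expected}
    return [s for s in local_subnets if ipaddress.ip_network(s) not in expected]


def covering_supernets(local_subnets):
    """Wide participating subnets that also cover a more specific participating
    subnet: the peer is offered both the /16 and the /24s inside it."""
    nets = [ipaddress.ip_network(s) for s in local_subnets]
    return sorted({str(a) for a in nets for b in nets if a != b and b.subnet_of(a)})


if __name__ == "__main__":
    for near, far in proxy_ids(MX_VPN_SUBNETS, PEER_PRIVATE_SUBNETS):
        print(f"proposed proxy ID: {near} <-> {far}")
    print("peer will reject:", unexpected_near_selectors(MX_VPN_SUBNETS, PEER_EXPECTED_REMOTE))
    print("wide supernets also offered:", covering_supernets(MX_VPN_SUBNETS))
```

The rejected list is exactly what has to be added on the far side (or firewalled out on the MX) until near-end subnets can be set per peer.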

I'm going to have to get the other side to add them in.. (very silly/limiting), and then I'll firewall out the traffic.

.. This is commoditised IPsec S-2-S capability.. amazed you can't have a NEAR/FAR specified set per peer..

You can have FAR per peer.. but not NEAR.. :facepalm

Surely the two of you have raised this as a 'make a wish' or whatever that feature is in the console/dashboard? Or is there an 'ideation' area in the community for such a thing?

How do we get Meraki to inject this into its development cadence? The merit is blindingly obvious to attack..

jdsilva
Kind of a big deal

I personally have not... I don't disagree with you on this, but my wish list has other items on it that are more important to me. But, I can certainly toss a wish in to help your cause along 🙂

I can do it.. No biggie.

jdsilva
Kind of a big deal

The more wishes the better the visibility 🙂

If you have a Meraki rep you deal with make sure they hear this too.
