Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

SOLVED
Here to help


I have a basic setup.

4 x Meraki MXs across 4 sites, all talking to each other via Meraki S-2-S VPN.

Under ../manage/configure/vpn_settings I have the networks propagated with the drop-down 'VPN participation': 'On'... they are two wide /16 networks.

One of those four Meraki sites has an additional peer to a Non-Meraki VPN implementation.

I have three new routes (3 x more specific /24s in those greater /16 networks defined above) defined on the MX interfaces so I can also set 'VPN participation': 'On' for them too.

Set up the peer as per normal. 

 

Here's the kicker. The far end implementation is seeing Phase 1 pass no probs, and even Phase 2, but then complaining of propagated proxy IDs.

It's seeing one of the wide /16 networks. 

Half understandable.. because.. for some reason.. we can't specify NEAR subnets in the non-Meraki VPN peer setup? Only FAR subnets (via the 'Private subnets' field)?!

Surely, there's a way to do this...


7 Replies
Kind of a big deal

Re: Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

The near end subnets are the same as the subnets marked as "in VPN" for the AutoVPN section. You can't specify a different set for each VPN type.

Here to help

Re: Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

I'm going to have to get the other side to add them in.. (very silly/limiting), and then I'll firewall out the traffic.

.. This is commoditised IPsec S-2-S capability.. amazed you can't have a NEAR/FAR specified set per peer..

You can have FAR per peer.. but not NEAR.. :facepalm
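
An added worked check, written for this thread and not code from the original posts or from Meraki: it takes the reply above at face value (the near-side proxy IDs offered to a non-Meraki peer are simply the subnets marked "in VPN", with no per-peer filtering), predicts the selector pairs an MX would propose, compares them with what the far end has in its own proxy-ID configuration, and then produces the restrictive VPN firewall rules the workaround of "let the far end accept the wide subnets, then firewall out the traffic" calls for. The subnet lists, the far-end configuration and the firewall-rule field names are constructed assumptions; the addresses are private example ranges.

```python
from ipaddress import ip_network

# Constructed: the MX's site-to-site VPN subnet list ("in VPN" = useVpn True).
MX_VPN_SUBNETS = [
    {"localSubnet": "10.0.0.0/16", "useVpn": True},        # wide AutoVPN network
    {"localSubnet": "10.1.0.0/16", "useVpn": True},        # wide AutoVPN network
    {"localSubnet": "10.0.10.0/24", "useVpn": True},       # more-specific /24 routes
    {"localSubnet": "10.0.11.0/24", "useVpn": True},
    {"localSubnet": "10.0.12.0/24", "useVpn": True},
    {"localSubnet": "192.168.50.0/24", "useVpn": False},   # not in VPN, never offered
]

# Constructed: the peer's "Private subnets" field on the MX (far-side selectors).
PEER_PRIVATE_SUBNETS = ["172.16.0.0/24"]

# Constructed: what the far-end device has configured as (its local, its remote).
FAR_END_PROXY_IDS = [
    ("172.16.0.0/24", "10.0.10.0/24"),
    ("172.16.0.0/24", "10.0.11.0/24"),
    ("172.16.0.0/24", "10.0.12.0/24"),
]


def mx_local_selectors(vpn_subnets):
    """Near-side selectors the MX offers every non-Meraki peer: each 'in VPN'
    subnet. There is no per-peer near-side list, so nothing is filtered."""
    return [ip_network(s["localSubnet"]) for s in vpn_subnets if s["useVpn"]]


def mx_offered_pairs(vpn_subnets, peer_private_subnets):
    """Proxy-ID pairs (near, far) the MX proposes: every near selector crossed
    with every 'Private subnets' entry, as CIDR strings."""
    remotes = [ip_network(r) for r in peer_private_subnets]
    return [(str(n), str(f)) for n in mx_local_selectors(vpn_subnets) for f in remotes]


def classify_far_end(far_end_pairs, offered_pairs):
    """For each far-end (its_local, its_remote) proxy ID, how the MX offer relates:
      'exact'   - the MX proposes the mirror image (its_remote, its_local) verbatim
      'broader' - the MX only proposes a superset (a /16 covering the /24); a peer
                  that insists on mirrored proxy IDs treats this as a mismatch
      'missing' - nothing the MX proposes covers it"""
    offered = [(ip_network(n), ip_network(f)) for n, f in offered_pairs]
    verdict = {}
    for its_local, its_remote in far_end_pairs:
        fl, fr = ip_network(its_local), ip_network(its_remote)
        if (fr, fl) in offered:
            verdict[(its_local, its_remote)] = "exact"
        elif any(fr.subnet_of(n) and fl.subnet_of(f) for n, f in offered):
            verdict[(its_local, its_remote)] = "broader"
        else:
            verdict[(its_local, its_remote)] = "missing"
    return verdict


def unexpected_offers(far_end_pairs, offered_pairs):
    """Pairs the MX proposes that mirror nothing on the far end. These are the
    proxy IDs the far end complains about, typically the wide AutoVPN /16s that
    were never meant for this peer."""
    mirrored = {(r, l) for l, r in far_end_pairs}
    return [p for p in offered_pairs if p not in mirrored]


def vpn_firewall_rules(far_end_pairs):
    """If the far end is changed to accept the wide selectors, the tunnel can carry
    the whole /16. These rules (assumed shape of Meraki site-to-site VPN firewall
    rules: comment/policy/protocol/srcCidr/destCidr/srcPort/destPort) allow only the
    intended /24 <-> far-end pairs and deny the rest of the traffic to the peer."""
    rules = [
        {"comment": f"allow {mx} <-> {far}", "policy": "allow", "protocol": "any",
         "srcCidr": mx, "destCidr": far, "srcPort": "Any", "destPort": "Any"}
        for far, mx in far_end_pairs
    ]
    far_all = ",".join(sorted({far for far, _ in far_end_pairs}))
    rules.append({"comment": "deny everything else to the third-party peer",
                  "policy": "deny", "protocol": "any", "srcCidr": "Any",
                  "destCidr": far_all, "srcPort": "Any", "destPort": "Any"})
    return rules


if __name__ == "__main__":
    offered = mx_offered_pairs(MX_VPN_SUBNETS, PEER_PRIVATE_SUBNETS)
    print("MX will propose:", offered)
    print("far-end view:", classify_far_end(FAR_END_PROXY_IDS, offered))
    print("unexpected on far end:", unexpected_offers(FAR_END_PROXY_IDS, offered))
    for rule in vpn_firewall_rules(FAR_END_PROXY_IDS):
        print(rule)
```

With the constructed data the three /24 pairs match exactly, but the two /16 pairs are still proposed and show up as unexpected on the far end; whether the far end tolerates the extra proposals or fails the whole negotiation depends on that implementation, so the check is a prediction to confirm against the peer's logs, not a guarantee. The deny rule is the part that matters once the far end is widened to accept the /16: without it, every host in the wide network can reach the peer through the tunnel.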

Kind of a big deal (accepted solution)

Re: Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

Agreed @mpgioia it is a pain.  I sometimes add in a Cisco ASA/router to a solution just to cover off this case when there is anything more complex than "simple" site to site VPNs.

Here to help

Re: Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

Surely the two of you have raised this as 'make a wish' or whatever that feature is in the console/dashboard ? Or is there an 'ideation' area in the community for such a thing ?

How do we get Meraki to inject this into its development cadence.  The merit is blindingly obvious to attack..

Kind of a big deal

Re: Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

I personally have not... I don't disagree with you on this, but my wish list has other items on it that are more important to me. But, I can certainly toss a wish in to help your cause along 🙂

Here to help

Re: Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

I can do it.. No biggie.

Kind of a big deal

Re: Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

The more wishes the better the visibility 🙂

 

If you have a Meraki rep you deal with make sure they hear this too. 
