Non-Meraki Site-to-Site VPN available in a mesh network with other VPN participants

Solved
Jose_
New here

Hi there,

I'm having a weird issue. I'm not new to Cisco or networking, but I'm pretty new to Meraki, and I'm finding it a bit annoying for this kind of stuff, but maybe it's just me being used to the old-school CLI... 🙂 Anyway, my problem is:

HQ concentrator (10.20.0.0/16) set up as a mesh, with a non-Meraki Site-to-Site VPN connection (AWS) restricted so that only the main MX concentrator creates the tunnel. This works fine: the VPN connection is UP and everything works from the local network, and even from the client VPN network. (A tag is configured so that only this MX establishes the tunnel.)

Z1 appliance (10.150.3.0/24) configured as a spoke connecting to the hub "HQ concentrator" (10.20.0.0/16) (ticked as default route). This works fine as well: I can contact the spoke and everything runs as expected.

The problem comes when Z1 tries to contact AWS. I would expect the traffic to flow as follows:

Z1 --> Default route --> HQ --> Site-to-Site VPN --> AWS

AWS --> Site-to-Site VPN --> HQ --> Meraki VPN --> Z1

I can see traffic being sent from Z1 to HQ, but that's it. I cannot contact AWS. I've checked from the AWS side... all correctly configured (including the route back). I even started traffic monitoring to see if the traffic was arriving but not leaving... nothing.

I'm not sure if what Meraki expects is that ALL the appliances that want access to the site-to-site VPN have to establish their own tunnel, which is mad.... or whether I'm just missing something. I don't even know where to start troubleshooting 🙂

Thanks in advance

1 Accepted Solution
jdsilva
Kind of a big deal

Hey @Jose_,

If I understand correctly, you're hitting this limitation:

https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#AutoVPN_and_Non-Meraki_...

There's no good solution here, but this fellow offers one approach to solving it:

https://www.willette.works/merging-meraki-vpns/
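A small audit of the limitation the linked routing-behaviour page describes, added here as an example; it is not part of the thread and not Meraki tooling. It models the poster's topology as constructed data (the record shapes are an assumption loosely modeled on the Dashboard API's network tags, site-to-site VPN and third-party VPN peer objects; the AWS private subnet 172.31.0.0/16 and the tag name aws-vpn are assumed) and classifies, for each MX, whether traffic to the peer's subnets leaves over that MX's own tunnel, is carried over AutoVPN to a hub that will not forward it into the non-Meraki tunnel, or has no route at all. The with_tag helper previews the consequence of tagging the spoke as well.

```python
"""Audit which MX networks can really reach a non-Meraki VPN peer's subnets."""
import ipaddress

# Constructed sample data mirroring the thread's topology (not taken from the
# thread or from the Meraki API). Record shapes are an assumption modeled on
# the Dashboard API: network tags, /appliance/vpn/siteToSiteVpn and
# /appliance/vpn/thirdPartyVPNPeers.
NETWORKS = {
    "N_HQ": {"name": "HQ concentrator", "tags": ["aws-vpn"]},
    "N_Z1": {"name": "Z1 branch", "tags": []},
}

SITE_TO_SITE = {
    "N_HQ": {"mode": "hub", "hubs": [],
             "subnets": [{"localSubnet": "10.20.0.0/16", "useVpn": True}]},
    "N_Z1": {"mode": "spoke",
             "hubs": [{"hubId": "N_HQ", "useDefaultRoute": True}],
             "subnets": [{"localSubnet": "10.150.3.0/24", "useVpn": True}]},
}

# AWS peer; the private subnet is an assumed value. networkTags decides which
# MXs raise their own tunnel; "all" means every AutoVPN participant does.
THIRD_PARTY_PEERS = [
    {"name": "AWS", "publicIp": "203.0.113.10",
     "privateSubnets": ["172.31.0.0/16"], "networkTags": ["aws-vpn"]},
]


def peer_owners(peer, networks):
    """Network IDs that establish their own IPsec tunnel to this peer."""
    tags = set(peer.get("networkTags", []))
    if "all" in tags:
        return set(networks)
    return {nid for nid, net in networks.items() if tags & set(net.get("tags", []))}


def path_to_peer(net_id, dst_ip, networks, s2s, peers):
    """Classify how an MX handles traffic for dst_ip when it sits behind a peer.

    Returns one of:
      ("direct", peer_name)       this MX owns a tunnel to the peer
      ("dropped_at_hub", hub_id)  the spoke's default route carries it over
                                  AutoVPN to a hub that owns the tunnel, but the
                                  hub does not forward AutoVPN traffic into a
                                  non-Meraki tunnel, so it goes nowhere
      ("no_route", None)          no MX on the path owns a tunnel
      ("not_peer_subnet", None)   dst_ip is not behind any configured peer
    """
    ip = ipaddress.ip_address(dst_ip)
    for peer in peers:
        if not any(ip in ipaddress.ip_network(s) for s in peer["privateSubnets"]):
            continue
        owners = peer_owners(peer, networks)
        if net_id in owners:
            return ("direct", peer["name"])
        # Peer subnets are not advertised into AutoVPN, so only a hub that is
        # the spoke's default route will even receive the packets.
        for hub in s2s.get(net_id, {}).get("hubs", []):
            if hub.get("useDefaultRoute") and hub["hubId"] in owners:
                return ("dropped_at_hub", hub["hubId"])
        return ("no_route", None)
    return ("not_peer_subnet", None)


def audit(networks, s2s, peers):
    """Map every (network, peer) pair to its reachability verdict."""
    report = {}
    for peer in peers:
        probe = str(next(ipaddress.ip_network(peer["privateSubnets"][0]).hosts()))
        for nid in networks:
            report[(nid, peer["name"])] = path_to_peer(nid, probe, networks, s2s, peers)
    return report


def with_tag(networks, net_id, tag):
    """Copy of `networks` with `tag` added to one network, to preview the
    'every MX builds its own tunnel' outcome without touching the dashboard."""
    copy = {nid: {**net, "tags": list(net.get("tags", []))} for nid, net in networks.items()}
    copy[net_id]["tags"].append(tag)
    return copy


if __name__ == "__main__":
    for (nid, peer), verdict in audit(NETWORKS, SITE_TO_SITE, THIRD_PARTY_PEERS).items():
        print(f"{NETWORKS[nid]['name']:>16} -> {peer}: {verdict}")
    tagged = with_tag(NETWORKS, "N_Z1", "aws-vpn")
    print("after tagging Z1:",
          path_to_peer("N_Z1", "172.31.5.4", tagged, SITE_TO_SITE, THIRD_PARTY_PEERS))
```

Run as-is it reports "direct" for HQ and "dropped_at_hub" for Z1, which is the behaviour the original post observes: the packets do leave Z1 towards HQ and then vanish. Tagging Z1 flips the verdict to "direct", but only because Z1 then raises its own IPsec tunnel, so the AWS side needs a customer gateway and VPN connection for Z1's public IP as well; that is the "every appliance establishes its own tunnel" outcome the question hoped to avoid, and a peer tagged "all" produces it for every AutoVPN participant at once.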

 

 

This is exactly what I was looking for. I read the documentation regarding VPN and I couldn't see it. Thanks for the info, it was driving me crazy!

Thanks as well for the link to the alternative solution. I think what I will do is put in another device to terminate the external VPNs and use Meraki just to mesh our internal org network.

Thanks!
