Hi Gang
My company is half way through rolling out Meraki MXs to 200 or so branch sites, replacing the previous MPLS network, using MX68s in smaller sites, MX68 HA pairs in medium sites and MX100 HA pairs in the largest handful of sites. All sites have multiple internet links, of various types and speeds.
We always had in mind to use the beefier MXs and fast, redundant fibre connectivity in those largest sites as sort of consolidation points for onward site-to-site VPN connections to 3rd parties, including in this case our own Azure presence.
(We also have some MX250s deployed purely as VPN concentrators in our legacy datacentres, which are due to be closed by the end of this year.)
I have an MX100 configured as an Auto-VPN hub, so it has routes to all our other pure-spoke branches, as well as the datacentres via hub-meshing. That device also has a non-Meraki, IPSec site to site VPN peer in Azure - just a basic Azure VPN gateway, not an appliance or virtual MX.
But to my astonishment I can't share the route to the Azure subnet, that is present in the MX100 routing table, into Auto-VPN so other sites can access it.
I can't create a static route into the IPSec site-to-site tunnel because that insists that the next hop be layer 2 adjacent. The 'Private Subnets' setting in the non-Meraki peer config does add the route to the device routing table, but there's no option there to put it 'In VPN'
I'm aware that one workaround for this is to implement separate MX gateways for the two types of VPN and use static routing between them on local interlinks, but that seems rather wasteful and I'm bound to ask, if I had a requirement for a pure IPSec VPN appliance, why would I choose a Meraki for that?
Using vMX(es) in Azure would solve these problems, but there the limitation of 250 concurrent VPN tunnels could be a problem - our 200 sites are configured as Active-Active for Auto VPN, so we'd potentially need multiple vMXes and then have to deal with balancing our sites across them, and manage return path routing from Azure.
Has anyone run more than the nominal limit of 250 VPNs on a single vMX100?
cheers
Andy Gray