Redundant IPSec VPN with AWS

Building a reputation

Redundant IPSec VPN with AWS

I have one pair of MX configured as Warm-Spare without WAN VIP.

On the AWS side, I've created two VPN Tunnel and each tunnel's peer is MX#1(with CGW#1) and MX#2(with CGW#2). When I did configuring, MX#2 was primary device.

According to MX's working mechanism, only primary device establish VPN connection. Thus, while AWS tries CGW#1<=> MX#1 and CGW#2 <=> MX#2, MX side tries MX#2 <=> CGW#1/2.




After configuring, VPN tunnel CGW#2 <=> MX#2 goes up and running well. Next hop for AWS VPC was CGW#2. I was able to ping to EC2 instance.


Problem comes up when failover occures.

After MX#1 became primary, MX#1 tries to establish VPN connection with CGW#1 and CGW#2. On the AWS side, still tries CGW#1<=> MX#1 and CGW#2 <=> MX#2. Therefore only VPN tunnel between CGW#1 <=> MX#1 comes up.




It looks ok on first sight. VPN tunnel for CGW#1 <=> MX#1 is up and CGW#2 <=> MX#2 is down. But I was unable to ping to EC2. When I checked routing table, next hop for AWS VPC was still CGW#2 untill remove CGW#2 <=> MX#2 from Non-Meraki VPN peer configuration or make MX#2 as primary. After MX#2 became primary again, everything back to normal and able to connect to EC2.


Is there any way to achive AWS <-> Meraki IPSec VPN redundancy with warm-spare configuration? I asked this situation to my local Cisco Meraki engineer, and he says that I have to configure WAN VIP to make it redundant. But if I do that, I can't achive ISP redundancy. Is WAN VIP only solution?

1 Reply 1
Kind of a big deal
Kind of a big deal

You wont be able to achieve both MX and ISP redundancy with a VPN to Amazon using this method.


If it is that important to you I would change to using the VMX in Amazon.  This will be far the simplest solution.


You could use two active/active MX in VPN concentrator mode, then put them behind a warm spare pare of MX (these two MX could run active/active as well if you like).  Then use a layer 3 switch and a dynamic routing protocol between the two MX in VPN concentrator mode.

If you are using warm spare mode and this type of configuration you really want both ISPs to plug into both MX to keep NAT simple.


If you want another complicated solution and don't mind running a script somewhere you could also consider using tag based VPN failover.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.