Redundant non-Meraki VPN Peers

Solved
markus_albisser
Here to help


Hi all

 

We have a site with two Meraki MX appliances, with two redundant Internet links. Therefore we have two public IP addresses on each MX, one from each provider (gives a total of 4 public IP addresses in this site).

 

Within the other site, we have the same setup, but the two Internet links terminate on Cisco SD-WAN routers. Also here, total 4 public IP addresses.

 

How can I now configure the non-Meraki VPNs so that I can guarantee the redundancy, should one provider or one Cisco SD-WAN router fail? Do I have to set up four different non-Meraki VPN peers on the MX side? All with the same destination subnet, which can be 10.0.0.0/8 for example? Is it clear to the MX that all these four VPNs are for the same traffic, but only one should be chosen? In fact, I should have four peer IPs within one VPN rule on the MX.

 

Is this possible?

 

Thank you

Markus

1 Accepted Solution
PhilipDAth
Kind of a big deal

I was going to say you can't.  You can't using only the GUI dashboard.

 

You would have to use a script and use something like tag-based failover, which is reasonably complex.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover 

 

I'm guessing these MXs are in different orgs, so you can't use AutoVPN, which handles all of this automatically?

 

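An added example, not part of the posts above and not Meraki's own script: the decision logic a tag-based failover script needs so that exactly one of the four redundant peer entries is in effect at a time. It assumes each non-Meraki peer entry is scoped to one network tag; the tag names, the threshold and the probe results passed in are hypothetical, and pushing the resulting tag list to the dashboard is left to the caller.

```python
"""Added example: tag names and thresholds below are hypothetical."""
from dataclasses import dataclass, field

# One tag per redundant peer entry (constructed names), in preference order.
PEER_TAGS = ["vpn-sdwan1-ispA", "vpn-sdwan1-ispB",
             "vpn-sdwan2-ispA", "vpn-sdwan2-ispB"]
FAIL_THRESHOLD = 3  # consecutive failed probes before a peer counts as down


@dataclass
class FailoverState:
    active: str = PEER_TAGS[0]
    failures: dict = field(default_factory=lambda: {t: 0 for t in PEER_TAGS})


def record_probes(state, results):
    """Update consecutive-failure counters from {tag: reachable} results."""
    for tag in PEER_TAGS:
        if results.get(tag, False):  # a missing result counts as a failure
            state.failures[tag] = 0
        else:
            state.failures[tag] += 1


def choose_active(state):
    """Keep the current peer while healthy, else take the first healthy one."""
    def healthy(tag):
        return state.failures[tag] < FAIL_THRESHOLD
    if healthy(state.active):
        return state.active  # no preemption, which avoids flapping
    for tag in PEER_TAGS:
        if healthy(tag):
            return tag
    return state.active  # nothing healthy: leave the tags as they are


def retag(network_tags, chosen):
    """Return the tag list with exactly one peer tag; other tags untouched."""
    kept = [t for t in network_tags if t not in PEER_TAGS]
    return kept + [chosen]


def step(state, network_tags, results):
    """One monitoring cycle: returns (new_tags, changed) for the caller."""
    record_probes(state, results)
    state.active = choose_active(state)
    new_tags = retag(network_tags, state.active)
    return new_tags, sorted(new_tags) != sorted(network_tags)
```

The caller only needs to write the tag list back when `changed` is true, which keeps configuration changes to actual failover events.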

markus_albisser
Here to help

Hi Philip

Thank you for your answer. If this is the solution, then definitely not an easy one. Instead of using a non-Meraki VPN peer, I guess I have to think about an installation of an MX appliance in parallel to the SD-WAN routers so that I could use Auto-VPN; this would solve this issue. At least for all devices within the same dashboard, for the one which resides in China and goes to the Chinese dashboard.

Thank you

Markus
