Route Specific Traffic over VPN

SOLVED
Here to help

Hello, I have 2 sites connected to each other currently using the auto-vpn functionality. The Hub is running an MX84 and the Spoke an MX68. Due to the nature of the internet usage some traffic has to be routed to the hub site while the rest is normal internet usage. Currently I have it set up at the spoke site to use the hub as a default route as I cannot seem to route traffic destined for specific IP addresses only through the VPN. The issue with this is that all internet traffic is sent over the VPN and it has cut download speeds in half. Ideally I want to set up routes for traffic that is only trying to reach specific IP addresses to be sent to the hub site. I understand that this might not be possible with the auto-vpn and that I may have to set up a site to site vpn manually. I am happy to do this if it solves my issue but I need to know how to set up the static routes once the non-meraki site-to-site vpn is in place.

 

Thanks

A model citizen

Re: Route Specific Traffic over VPN

Here to help

Re: Route Specific Traffic over VPN

Hi MarcP,

 

Thanks for your reply.

 

Flow preferences seem to only allow you to select WAN 1 or WAN 2 as the route for the traffic. I can't see a way to say specific traffic only uses the VPN, unless I am missing something. The screenshot below shows that the preferred uplink is only WAN 1 or WAN 2. If there was an option there for VPN then I think it would work.

[image: flow preferences.png]

Conversationalist

Re: Route Specific Traffic over VPN

Hi Phil,

 

Normally you should be able to achieve this by adding the desired networks into the Security Associations (SA) of the MX84. So you need to have a route for these networks under Addressing and VLANs on the MX84. This way you can set them in your SAs on the MX84 side so they are published to the MX68.

 

Steps:

- Add networks you want to reach on MX84 under Addressing and VLANs

- set the in VPN marker

Then you should be able to remove the "default GW" and be able to have the local internet breakout and reach your servers

Here to help

Re: Route Specific Traffic over VPN

Hi el_pajaro_bobo,

 

This sounds promising, I shall give this a go and report back. Could you clarify what you mean by "VPN marker"?

 

Many thanks,

 

Phil

Here to help

Re: Route Specific Traffic over VPN

Also, I assume I am adding the subnets from the spoke site (MX68) to the subnets section under addressing and vlans?

Here to help

Re: Route Specific Traffic over VPN

I think I worked out what you mean by "VPN marker". When I try to add a vlan for the destination network it wants me to add an ip for the mx, the router doesn't have an ip on this range so I am unsure what I should add.

 

Thanks for your time.

Conversationalist

Re: Route Specific Traffic over VPN

I mean the "in VPN" checkbox which you can mark when adding a route.

[image: VPN.png]

So by adding the route you tell the Meraki over which router it can reach this specific network. For example, you have a router A and a router B; router A has a route to B and knows which subnets are behind this specific router. Let's suppose your Meraki is behind router A. You need to let the Meraki know which subnets can be reached through router A, otherwise it only knows about the directly connected ones. I've made a little drawing to hopefully clear things up a little :)

 

If you take my drawing your routing table would look like this (with static routing):

Meraki:

192.168.10.128/25 -> Router A

192.168.0.0/24 -> Router A

172.16.0.0/16 -> Router A

10.0.0.0/8 -> Router A

192.168.20.128/25 -> directly connected

 

Router A (the left one):

192.168.10.128/25 -> directly connected

192.168.0.0/24 -> Router B

172.16.0.0/16 -> Router B

10.0.0.0/8 -> Router B

192.168.20.128/25 -> Meraki

 

Router B (the right one):

192.168.10.128/25 -> Router A

192.168.0.0/24 -> directly connected

172.16.0.0/16 -> directly connected

10.0.0.0/8 -> directly connected

192.168.20.128/25 -> Router A

[image: routing.PNG]

And then you should be able to reach the server :)

Have you already tried to ping the server from the Meraki connected to its network?
If the ping is possible you can add the network to the Site-to-Site Firewall rules and this will create the route described above :)

[image: Firewall-rules.PNG]

Also your daily dose of kb and routing https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Route_Priority
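To make the next-hop lookups in the tables above concrete, here is an added Python example (not from the original post or from Meraki). It runs longest-prefix match over the three routing tables from the drawing and traces a packet hop by hop; the destination addresses are constructed, and a public address that matches no exported subnet shows why only a default route would pull internet traffic over the VPN.

```python
import ipaddress

# Routing tables copied from the post's drawing; "connected" = directly attached.
TABLES = {
    "Meraki": [
        ("192.168.10.128/25", "Router A"),
        ("192.168.0.0/24", "Router A"),
        ("172.16.0.0/16", "Router A"),
        ("10.0.0.0/8", "Router A"),
        ("192.168.20.128/25", "connected"),
    ],
    "Router A": [
        ("192.168.10.128/25", "connected"),
        ("192.168.0.0/24", "Router B"),
        ("172.16.0.0/16", "Router B"),
        ("10.0.0.0/8", "Router B"),
        ("192.168.20.128/25", "Meraki"),
    ],
    "Router B": [
        ("192.168.10.128/25", "Router A"),
        ("192.168.0.0/24", "connected"),
        ("172.16.0.0/16", "connected"),
        ("10.0.0.0/8", "connected"),
        ("192.168.20.128/25", "Router A"),
    ],
}


def lookup(table, dst):
    """Longest-prefix match: returns the next hop, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def trace(src, dst, max_hops=8):
    """Follow next hops from src until dst is directly connected.
    Returns the devices visited; ends with 'no route' when a hop has no match
    (on a real MX that traffic would leave via the local uplink, not the VPN)."""
    path, hop = [src], src
    for _ in range(max_hops):
        nexthop = lookup(TABLES[hop], dst)
        if nexthop is None:
            return path + ["no route"]
        if nexthop == "connected":
            return path
        path.append(nexthop)
        hop = nexthop
    return path
```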

Here to help

Re: Route Specific Traffic over VPN

Hi el_pajaro_bobo,

 

Thank you so much for all your help. This is really helping to clear things up. In my case the addresses that the spoke site (MX68) is trying to reach are internet addresses, not local networks. The hub site has an NHS broadband connection and the addresses are only available via this. On the MX84 there are traffic shaping rules to make sure that clients trying to access the NHS services use the NHS broadband (WAN 2 in this case). I would assume from your instructions that I could create a static route on the spoke (MX68) saying NHS traffic goes to the MX84. However, if I enter an internal IP address of the MX84 into the static route on the spoke router then it says the next hop address is invalid. Can I create static routes to the other MXs inside the AutoVPN, or does this need to be done from the destination router, so the MX84 in this case?

 

Thanks again,

 

Phil

Conversationalist

Re: Route Specific Traffic over VPN

Hey Phil,

 

Yes, you need to create the routes on the destination router (for LAN addresses).

Since you want to reach WAN addresses you would need policy-based routes, which the Meraki is not capable of :(

So unfortunately I don't think that this is possible with Meraki atm :/

Sorry I couldn't help more

 

Greetings

Sascha

Here to help

Re: Route Specific Traffic over VPN

Hi Sascha,

 

Thanks for trying, I did see the same conclusion on a different forum but your explanation is much clearer, thank you for taking the time.

 

Phil
