Route all traffic over site-to-site VPN

Anonymous
Not applicable

Hello community !!!

I have this question for you: is it possible to route ALL traffic to site-to-site VPN?

I have an MX65W (in China) configured with site-to-site VPN (third party appliance on remote site). Is it possible to route all traffic to the VPN tunnel?

 

Thank you,

Luca

MarcP
Kind of a big deal

Security - Configure - Site-to-site VPN and tick the checkbox for "use VPN" - in the attachment I only used one VLAN to be in VPN, the others use local breakout.

 

Should be what you want?

 

2019-04-04 13_02_36-VPN Configuration - Meraki Dashboard.png

Anonymous
Not applicable

Hello MarcP,

I already have "Use VPN" ticked.

I'd like to route all traffic (Internet traffic too) from LAN to site-to-site VPN tunnel (instead of Internet 1 port).

 

This is the objective.

 

If I set 0.0.0.0/0 in "Private subnets" instead of the remote office IP class, will it work?

So I imagine something like this:

 

VPN.png

What about ?

 

Thank you,

Luca

 

 

MarcP
Kind of a big deal

This is what you want then.

 

Just get up the Site-To-Site Tunnel and then tick the box "use VPN", so all your traffic will be routed into your Tunnel.

Tunnel will be established through Internet1/Internet2 port (depends on your cabling).

Internet traffic will be in the tunnel as well, when you set it like on the screenshot. 🙂 We have got the same setup, using 0.0.0.0/0

Anonymous
Not applicable

Hello MarcP,

but the "Use VPN" is not enough if I don't set Private subnets to include ALL subnets (0.0.0.0/0). But will it work? I don't like to make that change and have the Meraki device disconnected from the cloud console (even if I don't think it will really happen).

 

What about ?

 

Bye,

Luca

MarcP
Kind of a big deal

Correct, 0.0.0.0/0 (all) is necessary as well. It should work and your device will still be shown in the cloud, as it is a separate connection (Meraki management connection).

Anonymous
Not applicable

Hello MarcP,

good. We'll try this solution and write down feedback here (just to have a complete community post).

 

Thank you again,

Luca

NolanHerring
Kind of a big deal

Guys, this is very simple  😃

 

You have to check this box

 

6666666666666666.jpg

 

 

If you uncheck the box, then the SPOKE site will use 'split-tunnel' mode.

If you check the box, then the SPOKE site will use 'full-tunnel' for any of the subnets below that say YES

Nolan Herring | nolanwifi.com
Anonymous
Not applicable

Hello Nolan,

I don't have Meraki on the remote site, but a third party device; so I cannot select Spoke because there are no Hubs (from: "A site-to-site VPN spoke requires at least one hub to connect to - Note: Hub and spoke topologies are currently only supported between Meraki MXes, non-Meraki VPN peers cannot be configured as spokes").

 

Bye,

Luca

 

NolanHerring
Kind of a big deal

My apologies, I thought it also applied to 3rd party tunnels.

Have a look at this:

https://community.meraki.com/t5/Security-SD-WAN/Full-Tunnel-on-a-Non-Meraki-VPN/td-p/28862
Nolan Herring | nolanwifi.com
PhilipDAth
Kind of a big deal

Tick the "Default Route" box to make a spoke route all traffic to the hub.

 

1.PNG

NolanHerring
Kind of a big deal


@PhilipDAth wrote:

Tick the "Default Route" box to make a spoke route all traffic to the hub.

 

1.PNG


That was my assumption too @PhilipDAth but this is a setup to a 3rd party VPN, trying to do full-tunnel across that from what I read.

Nolan Herring | nolanwifi.com
Anonymous
Not applicable

Hello Nolan,

interesting post. I'll look into it.

 

Thank you again,

Luca
