Hi,
When configuring Non-Meraki VPN peers, it is mandatory to provide the private subnets, which are essentially the subnets behind the third-party VPN device. There is also the option to provide a default route using 0.0.0.0/0. However, when this is configured, I see this message -
"The local subnet x.x.x.x/x overlaps with a remote VPN subnet on the non-Meraki peer <peer name> (0.0.0.0/0). IP traffic will be routed to the smallest subnet that contains the IP address."
As I understand this, the smallest prefix will always be used over the default route when traffic is destined for an IP address in the "local subnet". All other traffic will still be routed via this VPN tunnel, including any internet-bound traffic. Is my understanding correct?
Also, if the tunnel goes down, does it mean that all other MX devices other than the Z series devices will automatically fail over to the underlay connection or the direct WAN connectivity?
Thanks,
Krishna
Yes, more specific routes are preferred.
https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#Overlapping_Routes
No, traffic for the default route will not fail over to the underlay.
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_peers
Hi,
Thanks for the update. I was trying to set up a Non-Meraki VPN peer using a default route, but I'm unable to ping any internet address using the Live tool. I have a default firewall rule -
Subnet/Prefix    | Name                | Version | Type              | Next hop             |
192.168.128.0/24 | single lan settings | 4       | Local LAN         | -                    |
0.0.0.0/0        | Peer1               | 4       | IPSec Peer        | <Public IP of Peer>  |
0.0.0.0/0        | Default             | 4       | Default WAN Route | WAN Uplink           |
When an IPSec peer is created with a default route, it seems that the route table is updated as shown above. VPN is enabled for the main subnet, and the MX appliance is configured in routed mode. Is there something I'm missing in the configuration?
Thanks!
Does the peer have a route back to 192.168.128.0/24?
Yes, it does. I will double-check this.
What I wanted to know is whether the route table entries are correct when both the underlay (WAN) and the VPN peer have a default route set. I was wondering which path is taken in that case.
Hi,
I was able to ping a public IP like 8.8.8.8, and now I see that the route table shows all links as good, including the IPSec peer. But what I'm unable to understand is how the appliance knows which link to pick to route the ICMP traffic destined for 8.8.8.8: would that be the WAN uplink or the VPN link? Both of those links have the default subnet 0.0.0.0/0 configured, and both show a link status of good.
Any help here is very much appreciated!
Thanks.
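To make the two points discussed in this thread concrete (the "more specific routes are preferred" reply, and the later question of which of the two 0.0.0.0/0 rows carries a ping to 8.8.8.8), here is an added Python model of the route table posted above. It is example code written for this thread, not Meraki's code and not anything posted by the participants. It implements longest-prefix match and reproduces the overlap warning quoted in the first post. It assumes that between two routes of equal prefix length the row listed first (the IPSec peer, as in the posted table) wins; that ordering matches the reply that default-route traffic stays on the peer, but the MX's internal tie-break is not something this thread confirms. The peer address 203.0.113.10 is a constructed placeholder for <Public IP of Peer>.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    name: str
    kind: str       # "Local LAN", "IPSec Peer" or "Default WAN Route"
    next_hop: str


def build_table() -> List[Route]:
    """The route table posted in the thread, in the order it was shown.
    203.0.113.10 is a constructed placeholder for <Public IP of Peer>."""
    return [
        Route(ipaddress.ip_network("192.168.128.0/24"), "single lan settings", "Local LAN", "-"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "Peer1", "IPSec Peer", "203.0.113.10"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "Default", "Default WAN Route", "WAN Uplink"),
    ]


def candidates(table: List[Route], dst: str) -> List[Route]:
    """All routes whose prefix contains dst, most preferred first.
    Longest prefix wins; among equal prefix lengths the earlier row wins
    (assumed tie-break, see the lead-in above)."""
    addr = ipaddress.ip_address(dst)
    hits = [(i, r) for i, r in enumerate(table) if addr in r.prefix]
    hits.sort(key=lambda ir: (-ir[1].prefix.prefixlen, ir[0]))
    return [r for _, r in hits]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """The single route a packet to dst would take, or None if nothing matches."""
    c = candidates(table, dst)
    return c[0] if c else None


def overlap_warnings(table: List[Route]) -> List[Tuple[str, str, str]]:
    """Reproduce the dashboard warning from the first post: every Local LAN
    subnet that overlaps a non-Meraki peer's remote subnet, returned as
    (local subnet, peer name, remote subnet) tuples."""
    out = []
    for local in (r for r in table if r.kind == "Local LAN"):
        for peer in (r for r in table if r.kind == "IPSec Peer"):
            if local.prefix.overlaps(peer.prefix):
                out.append((str(local.prefix), peer.name, str(peer.prefix)))
    return out


def without_route(table: List[Route], name: str) -> List[Route]:
    """The same table with one row removed, to see what wins if that row is absent."""
    return [r for r in table if r.name != name]


if __name__ == "__main__":
    table = build_table()
    for local, peer, remote in overlap_warnings(table):
        print(f"The local subnet {local} overlaps with a remote VPN subnet on the "
              f"non-Meraki peer {peer} ({remote}).")
    for dst in ("192.168.128.5", "8.8.8.8"):
        chosen = lookup(table, dst)
        others = ", ".join(r.name for r in candidates(table, dst)[1:])
        print(f"{dst} -> {chosen.name} ({chosen.kind}); also matched: {others}")
    fallback = lookup(without_route(table, "Peer1"), "8.8.8.8")
    print(f"8.8.8.8 with the Peer1 row absent -> {fallback.name} ({fallback.kind})")
```

Running it shows 192.168.128.5 taking the /24 LAN row even though both /0 rows also contain it, and 8.8.8.8 matching both default rows with the IPSec peer winning. The `without_route` helper shows what the lookup would return if the peer row were actually gone; per the reply above, a down tunnel does not remove that row, so the WAN default does not take over on its own.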