Routing internet bound traffic over a Non-Meraki VPN tunnel

ksridhar
Here to help

Hi,

When configuring Non-Meraki VPN peers it is mandated to provide the private subnets which are essentially the subnets behind the third party VPN device. There is this option to provide a default route too using 0.0.0.0/0. However when this is configured, I see this message:

"The local subnet x.x.x.x/x overlaps with a remote VPN subnet on the non-Meraki peer <peer name> (0.0.0.0/0). IP traffic will be routed to the smallest subnet that contains the IP address."

As I understand this, the smallest prefix will always be used over the default route when traffic is designated to an IP address in the "local subnet". All other traffic will still be routed via this VPN tunnel including any internet bound traffic. Is my understanding correct?

Also, if the tunnel goes down, does it mean that all other MX devices other than the Z series devices will automatically fail over to the underlay connection or the direct WAN connectivity?

Thanks,

Krishna

ww
Kind of a big deal

Hi,

Thanks for the update. I was trying to set up a Non-Meraki VPN peer using a default route but I'm unable to ping any internet address using the Live tool. I have a default firewall rule:

#  Policy  Protocol  Source  Src port  Destination  Dst port  Comment       Logging  Actions
   Allow   Any       Any     Any       Any          Any       Default rule

Is there anything else I'm missing from the configuration?

This is the route table info:

Subnet/Prefix     Name                 Version  Type               Next hop
192.168.128.0/24  single lan settings  4        Local LAN          -
0.0.0.0/0         Peer1                4        IPSec Peer         <Public IP of Peer>
0.0.0.0/0         Default              4        Default WAN Route  WAN Uplink

When an IPSec peer is created with a default route, it seems that the route table is updated as shown above. VPN is enabled for the main subnet and the MX appliance is configured in routed mode. Is there something I'm missing with the configuration?

Thanks!

ww
Kind of a big deal

Does the peer have a route back to 192.168.128.0/24?

Yes it does. I will double check this.

What I wanted to know is if the route table entries are correct where both the underlay (WAN) and the VPN peer have a default route set. I was wondering which path is taken in that case.

ksridhar
Here to help

Hi,

I was able to ping a public IP like 8.8.8.8 and now I see that the route table shows all links as good including the IPSec peer. But what I'm unable to understand is how does the appliance know which link to pick to route the ICMP traffic designated to 8.8.8.8: would that be the WAN uplink or the VPN link? Both those links have a default subnet 0.0.0.0/0 configured and both have the link status to be good.

Any help here is very much appreciated!

Thanks.
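The two questions in this thread (why the dashboard warns about the overlap, and what happens when two 0.0.0.0/0 entries both match) come down to longest-prefix matching. The following is an added worked example, not code from the thread or from Meraki: it runs the route table posted above through a plain longest-prefix lookup. The route names and next-hop placeholders are copied from the post; the lookup itself is a generic illustration and does not claim to reproduce how the MX breaks a tie between two routes of identical length, which the thread leaves open.

```python
from ipaddress import ip_address, ip_network

# Route table as posted in the thread (prefix, name, type, next hop).
# The next-hop placeholder is the one used in the post, not a real address.
ROUTES = [
    ("192.168.128.0/24", "single lan settings", "Local LAN", "-"),
    ("0.0.0.0/0", "Peer1", "IPSec Peer", "<Public IP of Peer>"),
    ("0.0.0.0/0", "Default", "Default WAN Route", "WAN Uplink"),
]


def best_routes(dst, routes=ROUTES):
    """Longest-prefix match: return every route that contains dst and has the
    longest prefix length among the matches.

    A single entry is an unambiguous decision. More than one entry means the
    table alone cannot decide and a platform-specific tie-break (not shown
    here, because the thread does not state it) must pick the egress.
    """
    addr = ip_address(dst)
    matches = []
    for prefix, name, kind, next_hop in routes:
        net = ip_network(prefix)
        if addr in net:
            matches.append((net.prefixlen, name, kind, next_hop))
    if not matches:
        return []
    longest = max(m[0] for m in matches)
    return [m for m in matches if m[0] == longest]


def overlapping_routes(routes=ROUTES):
    """Report strict containment between prefixes, which is the situation the
    dashboard warning describes: (smaller route name, larger route name).

    The smaller prefix wins for addresses inside it, so an overlap is not an
    error by itself, but it is worth noticing when the larger prefix is a VPN
    default route, because everything outside the local subnet then qualifies
    for the tunnel. Identical prefixes are not reported here; best_routes
    exposes those as a tie instead.
    """
    nets = [(ip_network(r[0]), r[1]) for r in routes]
    found = []
    for i, (a, a_name) in enumerate(nets):
        for b, b_name in nets[i + 1:]:
            if a != b and a.subnet_of(b):
                found.append((a_name, b_name))
            elif a != b and b.subnet_of(a):
                found.append((b_name, a_name))
    return found


if __name__ == "__main__":
    # A host on the local LAN: the /24 beats both default routes.
    print("192.168.128.5 ->", best_routes("192.168.128.5"))
    # A public address: both 0.0.0.0/0 entries tie at prefix length 0.
    print("8.8.8.8       ->", best_routes("8.8.8.8"))
    print("overlaps      ->", overlapping_routes())
```

Running it shows the local /24 selected for 192.168.128.5 with no ambiguity, while 8.8.8.8 returns both the IPSec peer route and the WAN default route at prefix length 0. That second result is the precise form of the question asked above: the route table as displayed does not contain the information that decides between them, so the answer has to come from the platform's documented route preference for non-Meraki VPN default routes versus the WAN uplink, not from prefix length.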
