S2S 3rd party VPN from hubs as failover

Solved
FinnurT
Conversationalist

Hello,

 

I was wondering, if I would create a tunnel from a spoke site to a 3rd party that is advertising 2x anycast IP addresses over a tunnel.

However, to make some sort of redundancy I would need to create a second VPN tunnel from the same site to a different device of the 3rd party to get the same 2x IP addresses advertised over there, and then use a script that tracks the tunnels and swaps over.

This would mean I have to maintain the scripts and update them, and possibly monitor the outputs from the scripts.

I was thinking, as a possible solution, to create a tunnel from the regional hub site (one-armed VPN concentrator) to the 3rd party and receive there a /30 advertisement for these same 2 IPs, so I would have 2x routes to the IPs: 2x /32s and 1x /30.

My question is, if the spoke site tunnel goes down, will the site MX see the /30 route and route it to the hub and through there without any intervention? Same for when the tunnel comes back up: will it move it back, as now there is a more specific route?

Could I have 2x tunnels to the 3rd party provider from the spoke site and receive both IPs over the tunnel, and when one tunnel goes down, update the routing table to use the other tunnel?

I am a little bit confused about how the routing table works in regards to VPN on the Meraki devices.

Maybe as a bottom line, are there any other scenarios or ways to have redundancy for a service that is behind a 3rd party tunnel, other than tag-based IPsec VPN failover?

https://developer.cisco.com/meraki/explore/tag-based-ipsec-vpn-failover/
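Added example, not code from this thread, from Meraki, or from the linked failover project: the decision logic a tag-based failover script needs, written so it can be exercised offline against a constructed status payload. The pattern is the one the linked page describes: each non-Meraki peer carries a `networkTags` entry, the spoke network carries exactly one of those tags, and swapping the tag makes the Dashboard push the other peer's tunnel to the MX. The endpoint paths and field names (`GET /organizations/{orgId}/appliance/vpn/statuses`, `thirdPartyVpnPeers[].reachability`, `PUT /networks/{networkId}` with `tags`) are Dashboard API v1; the org ID, tag names, peer names, IPs and the sample payloads are assumptions made up for the example.

```python
"""Tag-based failover for non-Meraki (3rd-party) VPN peers on Meraki MX.

Constructed example. It fails *forward* only: when the peer bound to the spoke's
current tag is unreachable, the spoke is moved to the other tag. Failback is
left to the operator (see the note below the code).
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

ORG_ID = "123456"                 # assumed organisation ID
PRIMARY_TAG = "vpn-primary"       # assumed: tag in the primary peer's networkTags
SECONDARY_TAG = "vpn-secondary"   # assumed: tag in the secondary peer's networkTags
ROLE_TAGS = (PRIMARY_TAG, SECONDARY_TAG)

# Constructed sample of GET /organizations/{orgId}/appliance/vpn/statuses.
# Each spoke only shows the peer its current tag selects, so "unreachable"
# here means "the tunnel this spoke is currently configured for is down".
SAMPLE_STATUSES = [
    {"networkId": "N_1", "networkName": "Spoke-A", "deviceStatus": "online",
     "thirdPartyVpnPeers": [
         {"name": "provider-dc1", "publicIp": "203.0.113.10",
          "reachability": "unreachable"}]},
    {"networkId": "N_2", "networkName": "Spoke-B", "deviceStatus": "online",
     "thirdPartyVpnPeers": [
         {"name": "provider-dc2", "publicIp": "198.51.100.20",
          "reachability": "reachable"}]},
    # Offline MX: its WAN is gone, swapping tags cannot help and would only flap.
    {"networkId": "N_3", "networkName": "Spoke-C", "deviceStatus": "offline",
     "thirdPartyVpnPeers": [
         {"name": "provider-dc1", "publicIp": "203.0.113.10",
          "reachability": "unreachable"}]},
]
# Constructed sample of each network's current tags (GET /networks/{id} -> "tags").
SAMPLE_TAGS: Dict[str, List[str]] = {
    "N_1": ["vpn-primary", "branch"],
    "N_2": ["vpn-secondary", "branch"],
    "N_3": ["vpn-primary"],
}


def current_role(tags: List[str]) -> Optional[str]:
    """Return the single role tag the network carries, or None if zero/both."""
    roles = [t for t in tags if t in ROLE_TAGS]
    return roles[0] if len(roles) == 1 else None


def plan_failover(statuses: List[dict],
                  tags_by_network: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Map networkId -> new tag list for every spoke whose active peer is down."""
    plan: Dict[str, List[str]] = {}
    for st in statuses:
        if st.get("deviceStatus") != "online":
            continue                      # no point retagging an offline MX
        tags = tags_by_network.get(st["networkId"], [])
        role = current_role(tags)
        if role is None:
            continue                      # misconfigured: zero or both role tags
        peers = st.get("thirdPartyVpnPeers", [])
        if not peers or any(p.get("reachability") == "reachable" for p in peers):
            continue                      # active tunnel is fine (or nothing to judge)
        other = SECONDARY_TAG if role == PRIMARY_TAG else PRIMARY_TAG
        plan[st["networkId"]] = [t for t in tags if t not in ROLE_TAGS] + [other]
    return plan


def apply_plan(plan: Dict[str, List[str]],
               put_network: Callable[[str, dict], None]) -> List[str]:
    """Push each retag through put_network(network_id, body); return IDs changed."""
    changed = []
    for network_id, tags in plan.items():
        put_network(network_id, {"tags": tags})
        changed.append(network_id)
    return changed


def meraki_put_network(api_key: str) -> Callable[[str, dict], None]:
    """Real transport for apply_plan: PUT /networks/{id} with an API key header."""
    def _put(network_id: str, body: dict) -> None:
        req = urllib.request.Request(
            f"https://api.meraki.com/api/v1/networks/{network_id}",
            data=json.dumps(body).encode(), method="PUT",
            headers={"X-Cisco-Meraki-API-Key": api_key,
                     "Content-Type": "application/json"})
        urllib.request.urlopen(req).read()
    return _put


if __name__ == "__main__":
    # Dry run against the constructed data: only Spoke-A is moved to the secondary.
    plan = plan_failover(SAMPLE_STATUSES, SAMPLE_TAGS)
    print(apply_plan(plan, lambda nid, body: print("would PUT", nid, body)))
```

Two things this makes visible that the one-line description of "a script that tracks the tunnels and swaps over" hides. First, a spoke only reports the peer its current tag selects, so once it has failed over to the secondary the script has no view of the primary recovering; failback needs something that can test the primary independently of the MX (or a deliberate timed swap back) and a hold-down so a flapping peer does not retag the network every poll. Second, the offline-device check matters: an MX whose WAN is down shows every peer unreachable, and retagging it only means it comes back on the wrong peer.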

1 Accepted Solution
jdsilva
Kind of a big deal

@FinnurT wrote:

My question is, if the spoke site tunnel goes down, will the site MX see the /30 route and route it to the hub and through there without any intervention? Same for when the tunnel comes back up: will it move it back, as now there is a more specific route?

Hey @FinnurT. If I understand your question correctly, the answer is no, this will not work. The reason is that non-Meraki VPN routes are not propagated to AutoVPN peers, therefore your spoke will never get the route to the destination over the non-Meraki VPN from the hub.

Aaron Willette with Meraki has a good blog post on this topic here: https://www.willette.works/merging-meraki-vpns/

Or did I not understand the question correctly?


5 Replies
PhilipDAth
Kind of a big deal

There is an additional problem.

Non-Meraki site-to-site VPNs are created with the source encryption domain being equal to the "include in VPN" settings for VLANs local to the device. You cannot include remote subnets.

FinnurT
Conversationalist

Thanks guys, yeah, that answers that question.

Would I be able to do it with 2x tunnels from the spoke site, one with the /30 and the other with 2x /32?

If not, then I will need to find some other way to solve this.

PhilipDAth
Kind of a big deal

> Would I be able to do it with 2x tunnels from the spoke site, one with the /30 and the other with 2x /32?

No, for the same reason I gave before: only traffic originating locally to the MX can use the non-Meraki VPN. Traffic from other sites cannot use it.

FinnurT
Conversationalist

I mean, with 2x tunnels on the spoke sites I should not have to advertise these into the AutoVPN; all of the spokes would have their 2 tunnels to the service.
