Meraki

anjisan · ‎Sep 19 2024

In my setup I have a S2S AutoVPN between MXs.

The VPN tunnel is using Split-tunnel, but I want to force (static route) certain internet IPs or internet subnets to be announced from the main hub so the branch MX will send traffic to the main hub and break out to the internet there.

I try to add a static route on the main hub and enable it for VPN, in the 'next hop' I add my MXs Gateway (ISP gateway)

But I get the error '...invalid next hop IP. The IP address x.x.x.x is not on a configured subnet.

What am I doing wrong and what should I do ito make this work?

GIdenJoe · ‎Sep 19 2024

If the hub is routing for those remote public hosts via some other device that does the NAT towards there then you could share these routes over the AutoVPN.

Alternatively if you have the SD-WAN plus licensing you can have full tunnel to the hub and then locally breakout most internet applications.

View solution in original post

ww · ‎Sep 19 2024

That doesnt work,

I do know its possible with a one armed concentrator-hub design

GIdenJoe · ‎Sep 19 2024

If the hub is routing for those remote public hosts via some other device that does the NAT towards there then you could share these routes over the AutoVPN.

Alternatively if you have the SD-WAN plus licensing you can have full tunnel to the hub and then locally breakout most internet applications.

PhilipDAth · ‎Sep 20 2024

This above. You need an SD-WAN licence, use full tunnel, and then specify excepts to get routed out the local Internet gateway.

Meraki

Community

S2S split-tunnel exception

S2S split-tunnel exception