Setting up Site-to-Site VPNs with non-meraki peers using DHCP on WAN

Here to help

Setting up Site-to-Site VPNs with non-meraki peers using DHCP on WAN

Hi guys,


My company has a campus style network with fiber run to multiple buildings.  All internet bound traffic leaves thru an MX250 on the network edge.  We also have some small branch offices that connect via site-to-site VPN to the same MX250 for remote connectivity.  We are replacing the MX250 (which is currently the VPN hub) with a Palo Alto 3220 FW.  I intended to setup a standard IPsec tunnel between the PA and the branch office MX64's but then realized we ditched all our static IP addresses on the cable modems at the branch offices a few years ago since we could use auto-VPN at the time. 


I've read there are several ways to accomplish this using DDNS but after calling Meraki tech support I was told this wouldn't reliably work and that my only two real options were to purchase static IP's at all the branch offices again or leave the meraki in as simply a VPN concentrator (which I don't plan to do).  Has anyone attempted to do something similar?  I want to know if the tech was correct or if indeed this can be done.  FW's have had this capability for years so I don't see why this couldn't be accomplished?  Thanks in advance!!


1 Reply 1
Getting noticed

Hi @nadalfan1984,


As far as I know dynamic public IP can be used if both firewall are Meraki, since they are using the SDWAN technology feature called Auto VPN.


If ever the one of the firewall is a non-Meraki, I typically require that the non-Meraki has the static IP and supports DMVPN (Dynamic Multipoint VPN). Meraki MX can either have dynamic or static IP. Suggested also that the main branch should have a static IP and the branch can by dynamic.






Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.