
Site to Site Meraki VPN with non Meraki Appliance


Hello everyone,

Let me explain: I'm working on a PoC (Proof of Concept) to configure an IPsec VPN tunnel between a Meraki MX65 at one site and a Checkpoint 600 in a branch office, and I lack some knowledge of VPN security topics.

Here's the thing: the Meraki MX65 has a link provided by an ISP, and the IP address on the Internet 2 interface never changes (I configured it manually on that interface). On the other hand, the Checkpoint 600 is behind an Internet modem. Phase 1 and Phase 2 of the tunnel are OK, the NAT is working OK, and the PCs in the subnets announced in the VPN can communicate with each other.

But from the Meraki MX, in the VPN config, I'm pointing to the Internet modem's public IP address. This is not the right thing to do, because this IP address can change any time the ISP (Telmex) wants, even without notifying me, obviously because that's not a dedicated link to the branch.

Reading some Meraki MX documentation, I realized that the MXs use their hostname to make an easy automatic VPN between appliances with "non-provisioning or config required".

My question is: is there a way to create a tunnel using DDNS or a hostname to point to the Checkpoint 600 instead of using an IP address?

Or how can I solve this? Would another MX appliance be necessary?

I'm sharing with all of you a network diagram of the PoC:

[Attached image: Meraki MX.png]

If you can help me, I'll really appreciate your help.

Regards

3 REPLIES

Re: Site to Site Meraki VPN with non Meraki Appliance

If the remote end has a dynamic IP address then you won't get it to work. Both ends need a static IP address.

Re: Site to Site Meraki VPN with non Meraki Appliance

Replace the Checkpoint with an MX if you want it to work.
Ben

Re: Site to Site Meraki VPN with non Meraki Appliance

Both ends need a static IP, as @PhilipDAth said, or buy another MX device.

If the remote branch is not that big perhaps consider buying a Z3 if the budget does not allow an MX?

 
