Site to Site VPN (Multiple Meraki IPSec Tunnels to 1 Non-Meraki Peer (SOPHOS Firewall))

Solved
zulhilmizubir
Here to help

Hi,

I have read the Meraki documentation on setting up a VPN tunnel from Meraki to a non-Meraki peer. If I understood it correctly, firstly this can only be done on an MX that has been configured as a hub. Secondly, I just need to key in all the necessary IPSec policies, and vice versa, in Meraki and also in the non-Meraki peer. Next, I would need to key in the destination IP of the non-Meraki peer. Do correct me if I am wrong.

Now, I have a customer that is giving us some portion of their sites for us to manage. Currently they have 20 sites. They are giving us 8 sites (only branches); the other 12 sites will be coming to us at a later time due to an ongoing contract with the current incumbent.

So, for the first 8 sites that they are giving us, I am proposing to deploy Meraki MX67C. However, the customer also requires IPSec tunneling from those 8 sites to their HQ, pointing back specifically to a SOPHOS XG430.

Based on what I have read, in order to achieve what is required, I need to:

1) Configure all 8 MX67C as hubs

2) Configure the same IPSec policies, destination IPs, etc. for all 8 MX67C

I'm not well versed in SOPHOS, but based on the XG 430 documentation it can support up to 3000 concurrent IPSec tunnels.

My question is, can this be done? All 8 MX67C configured with the same IPSec policies and destination IPs, creating the IPSec VPN tunnel to the SOPHOS XG430.

Has anyone here had any experience deploying this kind of scenario?

1 Accepted Solution
PhilipDAth
Kind of a big deal

That is the hard way.

Buy an additional MX67 (will support up to 50 branches with single Internet connections) and put that in headquarters in VPN concentrator mode.

https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

This would plug in behind the Sophos using a single cable and would be a hub. All your branch MXs would be spokes. The branches will auto-build a VPN back to the VPN concentrator behind the Sophos.

On the Sophos, as you cut each site across, simply add a static route pointing via the Meraki VPN concentrator for each branch.
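The design in the accepted answer (one MX in VPN concentrator mode behind the Sophos as the hub, every branch MX as a spoke, and one static route on the Sophos per migrated branch) can be laid out as a small planning script. The following is an added example, not code from the poster, Meraki or Sophos. All site names, subnets, network IDs and the concentrator's inside address are constructed sample data; the spoke payload shape follows the Meraki Dashboard API site-to-site VPN resource as I understand it and should be checked against the current API documentation before use. Beyond the 8-site case in the thread, it also refuses a plan in which two branch LANs (or a branch LAN and the HQ LAN) overlap, since AutoVPN cannot route two overlapping subnets, and checks that the concentrator's inside address actually sits on the HQ LAN the Sophos will route into.

```python
"""Planning helper for a staged hub-and-spoke cut-over (added example, not vendor code)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Hypothetical identifiers and constructed addressing; replace with real values.
HUB_NETWORK_ID = "N_HUB_PLACEHOLDER"        # dashboard network ID of the MX in concentrator mode
CONCENTRATOR_INSIDE_IP = "10.0.0.2"         # constructed: concentrator's address on the HQ LAN
HQ_LAN = "10.0.0.0/24"                      # constructed: HQ LAN behind the Sophos

# Constructed inventory of the customer's 20 sites, one /24 each.
BRANCHES: Dict[str, Dict[str, str]] = {
    f"branch-{i:02d}": {"network_id": f"N_BRANCH_{i:02d}_PLACEHOLDER", "lan": f"10.{i}.0.0/24"}
    for i in range(1, 21)
}


def check_no_overlap(subnets: List[str]) -> None:
    """AutoVPN advertises each spoke LAN to the hub; overlapping LANs cannot coexist."""
    nets = [ip_network(s, strict=True) for s in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets in VPN plan: {a} and {b}")


def check_gateway_reachable(gateway: str, hq_lan: str) -> None:
    """The Sophos static routes point at the concentrator, so it must be on the HQ LAN."""
    if ip_address(gateway) not in ip_network(hq_lan):
        raise ValueError(f"concentrator {gateway} is not on the HQ LAN {hq_lan}")


def spoke_payload(lan: str) -> dict:
    """Site-to-site VPN settings for one branch MX (assumed Dashboard API shape)."""
    return {
        "mode": "spoke",
        "hubs": [{"hubId": HUB_NETWORK_ID, "useDefaultRoute": False}],
        "subnets": [{"localSubnet": lan, "useVpn": True}],
    }


def sophos_static_routes(cut_over: List[str]) -> List[dict]:
    """One static route per migrated branch: branch LAN via the concentrator."""
    return [
        {"destination": BRANCHES[name]["lan"], "gateway": CONCENTRATOR_INSIDE_IP}
        for name in sorted(cut_over)
    ]


def plan_cutover(cut_over: List[str]) -> dict:
    """Validate a wave of branches and return hub, spoke and Sophos routing settings."""
    unknown = [n for n in cut_over if n not in BRANCHES]
    if unknown:
        raise KeyError(f"unknown branches: {unknown}")
    check_no_overlap([HQ_LAN] + [BRANCHES[n]["lan"] for n in cut_over])
    check_gateway_reachable(CONCENTRATOR_INSIDE_IP, HQ_LAN)
    return {
        "hub": {"network_id": HUB_NETWORK_ID, "site_to_site_vpn": {"mode": "hub"}},
        "spokes": {n: spoke_payload(BRANCHES[n]["lan"]) for n in sorted(cut_over)},
        "sophos_static_routes": sophos_static_routes(cut_over),
        "remaining_sites": sorted(set(BRANCHES) - set(cut_over)),
    }


if __name__ == "__main__":
    import json

    # First wave: the 8 branches handed over now; the other 12 stay with the incumbent.
    first_wave = [f"branch-{i:02d}" for i in range(1, 9)]
    print(json.dumps(plan_cutover(first_wave), indent=2))
```

Running it prints the spoke settings for the 8 migrated branches, the single hub entry, and the 8 static routes to add on the Sophos; for the later 12 sites you call it again with the next wave and only the Sophos route list and spoke set change. Nothing in the plan requires an IPSec policy on the Sophos at all, which is the point of the answer above.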
