Site to Site VPN from MX - how to exclude traffic from the tunnel


Site to Site VPN from MX - how to exclude traffic from the tunnel

Hi all, I have a remote site from which all the traffic should be routed to the L2L tunnel except 2 IPs located somewhere in the Internet, lets call them x.x.x.x/32 and y.y.y.y/32 (these 2 are the IPs of SSLVPN gateways and I see no point in pushing the traffic to L2L tunnel just to establish SSLVPN tunnel).

I haven't found any straight forward solution to configure it. Under the configuration of VPN where I have Non-Meraki peer I can put, under Private subnets, only these subnets that are supposed to go through the tunnel. I would be great if there was a possibility to put minus x.x.x.x/32 and y.y.y.y/32. I've tried to achieve that with static routing (Private subnets was and x.x.x.x/32 and y.y.y.y/32 were routed to the Internet address) but no luck. 

Does anybody configured such thing? I imagine that it is not anything uncommon particularly with remote offices.


A model citizen

You want to split tunnel those two addresses to egress out the WAN connection and not follow default route through the tunnel.


Open a ticket with support. There is a closed beta option for this.

Does it also work the other way ? 


Running a split tunnel , x.x.x.x/32 is a destination on the Internet but I want it to be routed through the VPN tunnel.

Kind of a big deal
Kind of a big deal

To route a specific IP through AutoVPN you need to add a static route at the hub and include that into AutoVPN.  However to add a static route at the hub you have to add it via another device (so basically the hub MX would need to be in VPN concentrator mode, or you would have to have another device at the hub location providing Internet access).


I don't use AutoVPN as MX is connecting to non-meraki peer. I also can't configure static route for the subnet because dashboard throws me an error:


There were errors in saving this configuration:

  • The static LAN route "Bypass_VPN" has an invalid next hop IP. The IP address <an address of my ISP> is not on a configured subnet.


Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.