Site-to-Site VPN over MPLS

SOLVED
amirmin

Hi

Currently I have this setup. Both Hub and Spoke are running in routed mode with NAT enabled.

Hub (MX68)

WAN 1 > MPLS (Private network)

WAN 2 > direct internet connection via MG21

Spoke (MX68)

WAN 1 > MPLS (Private network)

WAN 2 > direct internet connection via MG21

I have put a router between the Hub and the Spoke to simulate the MPLS (private network), as below.

Spoke (WAN1 interface) - Router - Hub (WAN 1 interface)

I can see the Auto-VPN tunnel is created, but it is only via the MG21 (WAN 2 interface). How do I establish an Auto-VPN tunnel over the MPLS (private network)? Does it require a route leak in the MPLS network?

1 ACCEPTED SOLUTION
Bruce

As @cmr stated, you need an internet connection from your MPLS network, either directly from the network, or by using the MX in VPN concentrator mode at the head-end. Each WAN interface on an MX needs to be able to directly contact the Meraki VPN registry to 'share' its IP addresses and port number; WAN1 won't ever provide WAN2's details to the registry, so each has to have its own connection.

A document on how AutoVPN works with the VPN registry can be found here if you want to understand it a bit further: https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshoo...

3 REPLIES
cmr

@amirmin, in your topology the MPLS needs to have internet access within it, either from the provider or from a separate connection at one of your sites that then goes off to the internet.

We have the datacenter MXs in VPN concentrator mode with the MPLS terminated on a L3 switch in front of them. The default route on that switch goes out through some different firewalls to the internet. All MPLS connected sites get to the cloud that way and therefore form local tunnels using the private IP addresses.
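As an added illustration, not part of this thread and not Meraki's software, the following Python toy model shows the registry behaviour both replies describe: every uplink must register with the VPN registry on its own, an uplink with no path of its own to the registry simply never appears there, and the Hub/Spoke tunnel candidates are derived only from what the registry holds. The addresses, the port number and the rule that a tunnel pair must share the same underlay (MPLS private addresses are only reachable from the MPLS side) are assumptions of the model.

```python
# Added model (not from the thread or from Meraki): each WAN uplink registers
# itself with the cloud VPN registry, and two sites can only form a tunnel
# between uplinks that both registered and share an underlay. Addresses, the
# port number and the "same underlay" rule are assumptions of this model.
from __future__ import annotations

from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Uplink:
    network: str            # "Hub" or "Spoke"
    wan: str                # "WAN1" or "WAN2"
    ip: str                 # address the registry would record (constructed)
    transport: str          # "mpls" (private underlay) or "internet"
    reaches_registry: bool  # can THIS uplink reach the registry by itself?
    port: int = 9350        # placeholder port for the model, not a Meraki fact


class VpnRegistry:
    """Toy registry: one entry per (network, WAN). No uplink relays another
    uplink's details, so a WAN without its own path to the registry is
    invisible to every peer."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], Uplink] = {}

    def register(self, uplink: Uplink) -> bool:
        if not uplink.reaches_registry:
            return False          # the registration never arrives
        self._entries[(uplink.network, uplink.wan)] = uplink
        return True

    def uplinks_of(self, network: str) -> list[Uplink]:
        return [u for (n, _), u in self._entries.items() if n == network]


def candidate_tunnels(reg: VpnRegistry, a: str, b: str) -> list[tuple[str, str, str]]:
    """Pairs of registered uplinks that can carry a tunnel between a and b.
    Model rule: private MPLS addresses are only reachable from the MPLS side,
    so a usable pair must sit on the same underlay."""
    return [(ua.wan, ub.wan, ua.transport)
            for ua, ub in product(reg.uplinks_of(a), reg.uplinks_of(b))
            if ua.transport == ub.transport]


def build_site(name: str, mpls_ip: str, inet_ip: str,
               mpls_has_internet: bool) -> list[Uplink]:
    """WAN1 on the MPLS, WAN2 on a direct internet connection (the MG21)."""
    return [
        Uplink(name, "WAN1", mpls_ip, "mpls", reaches_registry=mpls_has_internet),
        Uplink(name, "WAN2", inet_ip, "internet", reaches_registry=True),
    ]


def scenario(mpls_has_internet: bool) -> list[tuple[str, str, str]]:
    """Hub and Spoke as in the question. mpls_has_internet=False is the
    original topology (a router in the middle, no default route out of the
    MPLS); True is the fix from the replies (a default route to the internet
    from inside the MPLS, e.g. via the L3 switch in front of a concentrator)."""
    reg = VpnRegistry()
    sites = (build_site("Hub", "10.10.0.1", "203.0.113.10", mpls_has_internet)
             + build_site("Spoke", "10.10.0.2", "198.51.100.20", mpls_has_internet))
    for uplink in sites:
        reg.register(uplink)
    return candidate_tunnels(reg, "Hub", "Spoke")


if __name__ == "__main__":
    print("MPLS without internet:", scenario(False))
    print("MPLS with internet:   ", scenario(True))
```

With the MPLS side unable to reach the registry only the WAN2/WAN2 pair exists, which is exactly the single MG21 tunnel seen in the question; once the MPLS has a route to the internet, WAN1 registers its private address and the WAN1/WAN1 tunnel over the private network appears alongside it.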


Hi @Bruce @cmr, thanks for the explanation. It means each WAN interface must be able to reach the internet (it doesn't matter how); as long as each can reach the internet on its own, it should be fine.

Thank you !
