Site to site VPN between Meraki and non meraki using dual ISP

SOLVED
SAM-Al
Here to help

Site to site VPN between Meraki and non meraki using dual ISP

Hi All,,,

We have multiple sites (HUBs) where we have Meraki network campus design (HA MXs, Core MS, access MS), each MX has dual ISP(ISP1 and ISP2), there are many clients will be connected to us via non-meraki firewalls (sonicwalls, Barracuda), what is the best practice for site to site VPN to avoid the single point of failure in this case? Is DNS the solution? I mean is there any way to use one public IP for both ISPs or is the DNS the only solution here?

Any ideas ??

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

The best solution is to use a pair of MX in a warm spare configuration, and then use the VIP option.  The remote VPN end points then build their VPNs to this redundant IP address.

This only works for a single ISP.

 

There is no great solution for building across two ISPs.  If the remote party supports building a VPN to a DNS name then you could consider using a service like Amazon AWS Route 53 with DNS health checks.  This feature allows a DNS entry to be updated based on weather the circuits are up or down (more specifically respond to pings in this case).

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html

View solution in original post

6 REPLIES 6
PhilipDAth
Kind of a big deal
Kind of a big deal

The best solution is to use a pair of MX in a warm spare configuration, and then use the VIP option.  The remote VPN end points then build their VPNs to this redundant IP address.

This only works for a single ISP.

 

There is no great solution for building across two ISPs.  If the remote party supports building a VPN to a DNS name then you could consider using a service like Amazon AWS Route 53 with DNS health checks.  This feature allows a DNS entry to be updated based on weather the circuits are up or down (more specifically respond to pings in this case).

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html

Thanks Philip, on my side I'm planning to use warm spare MXs with Dual ISP at each,, but unfortunately I can't control the other side firewall brand.

The vIP is working for each ISP individually, correct ? I mean ISP1 will have vIP between the active MX and the standby one public  IPs, same for ISP2,, so in case the other side firewall dosen't support DNS VPN, and i ask the client to point their firewall VPN to the vIP of ISP1, my concern is that they will loose the tunnel in case ISP1 fails because the standby MX ISP1 won't kick in until both ISP1/ISP2 at the active MX fail, correct? If so, that will leave the solution of creating two tunnels one to vIP of ISP1 and one to vIP of ISP2.

PhilipDAth
Kind of a big deal
Kind of a big deal

>my concern is that they will loose the tunnel in case ISP1 fails because the standby MX ISP1 won't kick in until both ISP1/ISP2 at the active MX fail, correct

 

If ISP1 completely fails, correct, you are dead.

If MX1 fails however MX2 will take over the VIP address.

 

There is no clean way of handling the failover for non-Meraki VPNs.  Another option is to get them a little Z3 and have them pretend it is an MPLS router, and plug it like they would plug in an MPLS router in their environment.  Then you can still use AutoVPN.

That sounds good idea Philip, so you mean is to have 2 firewalls (or Z and non-meraki firewall), where the meraki firewall is facing the public interface to connect to the meraki sites over AutoVPN and act like a router to the non-meraki firewall. do you think that might cause a double NAT issue ? 

PhilipDAth
Kind of a big deal
Kind of a big deal

I meant put the "Z" at the remote site that is not using a Meraki firewall.  It will happily work through NAT behind another firewall.

 

The Z3 could be used in VPN concentrator mode, where it only uses a single interface to connect inside of their LAN.  They would just add a route on their non-Meraki firewall for your subnet(s) via the Z3.

https://documentation.meraki.com/MX/Networks_and_Routing/Passthrough_Mode_on_the_MX_Security_Applian...

Oh, got the idea Philip, thanks for help.

One of the ends that I need to VPN with is VPC at AWS (there is non-Meraki virtual Firewall sit there), what do you think is the best practice in case I can't install vMX100 concentrator mode there?

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels