Site to site VPN overlapping subnets

Jayt1
New here


Hi

Migrating to Meraki. I have non-Meraki firewalls. Migrating to MX-85s for 22 remote offices.

I currently have 1 VPN configured. I use the same subnets to each location to allow connection to home office resources.
I attempted to add another VPN and got the message that I have overlapping subnets.
I will need to have each VPN connect to the same networks. From what I read, I need to create NATs for each subnet? That would seem to be very complex since I need over 100 for that to work. Is there another way to do this?


Thanks

RWelch
Kind of a big deal

If possible, assign unique subnets to each remote site to simplify VPN configuration.

If you must use overlapping subnets, configure VPN subnet translation (NAT) for each site.

There is no alternative built-in method to avoid this complexity if you must connect multiple sites with overlapping subnets. The best practice is to ensure each site uses a unique subnet, but if that's not possible, VPN subnet translation is the supported solution.

Note: VPN subnet translation (NAT) is only available for Meraki Auto VPN peers and is not supported for IPsec VPN peers. To ensure successful VPN connectivity, each site must use a unique subnet. If overlapping subnets cannot be avoided, you will need to redesign your addressing scheme or use external NAT solutions outside of Meraki.

Jayt1
New here

So...

Example

My core office has a data subnet of 172.16.1.0.

I need to have 22 remote sites connect to this subnet.

Each site has its own local subnet that is not the same.

Remote site 1 is configured.

I try to configure remote site 2 and then I get the duplicate subnet message because I already have the 172.16.1.0 network going to remote site 1.

Then do I need a NAT for the 172.16.1.0?


Mloraditch
Kind of a big deal

It sounds like you are trying to connect the 22 remote offices via Third Party VPN to your headquarters that does not have Meraki. Is that correct?

If so, you don't need to create separate tunnels on the Meraki side for each VPN. The third-party VPN settings are shared by all MXs (or all MXs with the appropriate network tag). On your non-Meraki head end you would need to make sure the encryption and key settings are the same for every remote site that has been switched to Meraki.

cmr
Kind of a big deal

@Jayt1 if your LAN subnets are all different then you should not have any problem. Please share a screenshot of where you are seeing the message (redacted if needed). Or do each of your remote sites all have the same subnet?

Jayt1
New here

This is what I get...

"The settings you requested require confirmation. Please review the following list.

The VLAN subnet 0.0.0.0/29 overlaps with remote VPN subnets on non-Meraki peers Fortigate (0.0.0.0/24) and Fortigate Secondary (0.0.0.0/24). IP traffic will be routed to the smallest subnet that contains the IP address.
In the non-Meraki VPN peers configuration, potential overlaps might occur between the subnets on Fortigate (10.1.0.0/24, 10.1.0.0/23, 10.1.20.0/24, and 10.1.20.0/25). Please note that in this case, IP traffic will be routed to the most specific subnet.
To learn more, please refer to the Peer Availability section of the Site-to-site VPN Settings knowledge base article (accessible through the non-Meraki VPN peers tooltip)."

Yes, the home office is a Fortigate. However, not all remote offices will get all of the same access. I have 1 site configured on an MX450 that is in another location back to the same Fortigate. That is working fine. I assigned that a network tag and have tags for the other MX-85s.

I have a ticket in to see what's up.
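To make the two dashboard warnings quoted above concrete, here is an added Python check (not Meraki's code and not part of the original thread): it flags local VLANs that overlap subnets behind a non-Meraki peer, flags peer subnets that overlap each other, and shows which subnet an address would be routed to under the "most specific subnet" rule the warning describes. The Fortigate subnet list is the one quoted in the warning; the /29 VLAN and the "Fortigate Secondary" list are constructed sample values.

```python
import ipaddress
from itertools import combinations

# Constructed sample input. The four Fortigate subnets are those quoted in the
# dashboard warning above; the local /29 and the secondary peer list are made up.
LOCAL_VLANS = ["10.1.20.8/29"]
PEER_SUBNETS = {
    "Fortigate": ["10.1.0.0/24", "10.1.0.0/23", "10.1.20.0/24", "10.1.20.0/25"],
    "Fortigate Secondary": ["10.1.0.0/24"],
}


def _nets(cidrs):
    # strict=True rejects host bits set in a prefix, a common config typo
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def local_vs_peer_overlaps(local_cidrs, peers):
    """First warning: a local VLAN overlaps a subnet advertised behind a peer."""
    found = []
    for vlan in _nets(local_cidrs):
        for name, cidrs in peers.items():
            for remote in _nets(cidrs):
                if vlan.overlaps(remote):
                    found.append((str(vlan), name, str(remote)))
    return found


def peer_internal_overlaps(peers):
    """Second warning: subnets across the non-Meraki peer list overlap each other."""
    labelled = [(name, n) for name, cidrs in peers.items() for n in _nets(cidrs)]
    pairs = []
    for (n1, a), (n2, b) in combinations(labelled, 2):
        if a.overlaps(b):
            pairs.append((f"{n1} {a}", f"{n2} {b}"))
    return pairs


def route_for(ip, peers):
    """Longest-prefix match: the most specific containing subnet wins.
    Returns (peer_name, subnet) or None when no peer subnet contains ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidrs in peers.items():
        for net in _nets(cidrs):
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (name, net)
    return None if best is None else (best[0], str(best[1]))
```

Running the checks against the sample lists reproduces both warnings, and `route_for` shows that an address in 10.1.20.0/25 is sent to the /25 rather than the /24 that also contains it.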


cmr
Kind of a big deal

Do you have a 0.0.0.0/29 subnet or a 0.0.0.0/24 subnet configured anywhere, as that looks somewhat odd to me?

PhilipDAth
Kind of a big deal

Are you using AutoVPN?
