Hi, regarding the above, so if we build VPN tunnels over the private addresses via the private WAN IP's, are you saying if the MX can no longer see the internet, it will bring down these VPN tunnels ?

You can use a link with a private IP address as long as you know the ISP's public IP address, because in the peering process you need to use the ISP's public IP address. In short, I assume you're saying the ISP provides you with CGNAT, correct?

Yes, if the MX loses internet connection, the tunnels will go down, since the MX will lose communication with the Meraki cloud.

I apologize if I'm misunderstanding what you're trying to do. If possible, please draw a simple topology for better understanding.

Hi

Basically all the firewalls would sit on a private network a /24 with private WAN addresses, not carrier, the only way they will reach the internet would be via the private WAN ip, it would have a route to a central firewall, not Meraki. so all these firewalls would sit behind one NAT IP from the main firewall.

So, would they still create VPNs with each other over these addresses?

If the main internet link went down, would these "internal" VPN's go down ?

Unfortunately, this will not work.

Hi 

what is the reason it won’t work ?

These tunnels themselves don't require public IPs; they require bidirectional connectivity for IKE/IPsec (UDP 500/4500, ESP) between the MX and the peer.

However, if I understand correctly, you're going to use the link from your main website for all the MXs. In my understanding, due to Meraki's limitations, this scenario won't work.

What I suggest is that you try to simulate this, but I'm almost 100% certain that this scenario won't work.

If you add an MX within the same network and try to connect via Client VPN, this already doesn't work and proves enough to understand that it won't work with an IPsec VPN.