Meraki

Community

Third Party VPN - Hub-Spoke Auto VPN Availability

Solved
NJNetworkGuy100
Getting noticed
‎Nov 15 2022 1:57 PM
‎Nov 15 2022 1:57 PM

Third Party VPN - Hub-Spoke Auto VPN Availability

Question about third party VPN remote subnet availability....

 

My org is a hub-spoke setup....the data center is the hub for the Auto-VPN setup, and all the branch offices are the spokes.  We do split tunnel on the Auto VPN, so only those advertised subnets on the Auto VPN go over the S2S VPN, and clients use the local internet connection for everything else.

 

We are setting up a third party IPSec VPN to an offsite network that is hosting some servers.  We are going to peer the Hub MX in the data center to this IPSec tunnel.  The clients in the various Spoke networks will need access to the servers being hosted on the remote side of this IPSec tunnel.

 

Question...how do we advertise the remote network's subnet to the Spoke networks over the Auto VPN, so that clients in the Spoke networks can connect to the servers in the remote network on the other side of the IPSec VPN tunnel?  Is that possible with only the Hub MX peering this connection?  

Labels:
0 Kudos
1 Accepted Solution
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 15 2022 2:06 PM
‎Nov 15 2022 2:06 PM

It is not possible, for that you need to configure the S2S VPN with another device on your network (eg Linux with Strongswan) and then create a static route to advertise within the SD-WAN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 15 2022 2:06 PM
‎Nov 15 2022 2:06 PM

It is not possible, for that you need to configure the S2S VPN with another device on your network (eg Linux with Strongswan) and then create a static route to advertise within the SD-WAN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
NJNetworkGuy100
Getting noticed
‎Nov 15 2022 2:23 PM
‎Nov 15 2022 2:23 PM

So, basically, another device like an ASA has to be doing the IPSec tunnel, and then a static route on the Hub MX would be then be advertised in the Auto VPN?  Could it be another MX in VPN Concentrator mode?  

In response to NJNetworkGuy100
alemabrahao
Kind of a big deal
Kind of a big deal
‎Nov 15 2022 2:52 PM
‎Nov 15 2022 2:52 PM

You can advertise a route on Auto VPN without problems, as for using another MX I believe it is possible as long as you point a static route to the LAN IP of that MX, but for that, both have to have a direct link.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
In response to alemabrahao
NJNetworkGuy100
Getting noticed
‎Nov 16 2022 11:50 AM
‎Nov 16 2022 11:50 AM

Meraki Support told me the same thing...impossible to do that kind of routing with a simple Hub-Spoke setup.  

 

Yeah, I have a few solutions brewing. The remote MX in the offsite network (if they would even allow that), setup a limited number of Spoke networks as Peers to the same IPSec tunnel, or setup the tunnel on another router or MX on the same LAN subnet as the Hub MX and use static routes to advertise it.  

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Nov 15 2022 5:51 PM
‎Nov 15 2022 5:51 PM

@alemabrahao is right on the money.

 

The other option is to put an MX in the offsite network.  This would be the easiest solution.

 

If it is a public cloud (like Amazon AWS or Azure) you could use a vMX instead.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.