Meraki

Community

True meaning of VPN Participants settings?

Kamome
Building a reputation
‎Dec 9 2019 12:46 AM
‎Dec 9 2019 12:46 AM

True meaning of VPN Participants settings?

I have an organization with routed hub and full-tunnel configuration.

Kamome_0-1575880100104.png

This one works well until one of network have to use split network. So, I unchecked Default route option in Site-to-Site VPN configuration. But it still works as full-tunnel VPN.

 

  • Site1 : Default Route -> Hub
    Kamome_1-1575880186983.png
  • Site2 : Default Route -> WAN Uplink
    Kamome_2-1575880186985.png
  • Center MX : Default(0.0.0.0/0), Internal Summary -> Center L3 (In VPN Yes)
    Kamome_3-1575880186986.png

     

 

Kamome_4-1575880187005.png

 

I can understand why this is happening. Every site that participates in VPN network always gets default route from Center MX, and it overwrites site's default WAN route despite of Default route is unchecked because AutoVPN route's priority is higher.

 

But problem starts here.

Based on my prior knowledge, I excluded 0.0.0.0/0 from Center MX to not to advertise it via AutoVPN, so it won't take over default route when site's Default route setting is disabled.

 

  • Site1 : Default Route -> Hub
    Kamome_5-1575880419658.png
  • Site2 : Default Route -> WAN Uplink
    Kamome_6-1575880419660.png
  • Center MX : Default(0.0.0.0/0), Internal Summary -> Center L3 (In VPN No)
    Kamome_7-1575880419661.png

As soon as I saved this configuration, Site1(Default route is checked) cannot use Internet. Only able to use advertised summary network. Site2(Default route is unchecked) is okay.

 

So, I've captured packet from Center MX, and traffic from Site1 is coming from Site-to-Site VPN interface, but reply traffic is going towards LAN interface.

aa.png

Therefore, it seems that "VPN Participants" option in Site-to-Site VPN decides not only "selects which network/route will be advertised via VPN" also "decides which traffic is VPN traffic".  Why this is happening?

0 Kudos
4 Replies 4
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Dec 9 2019 2:29 AM
‎Dec 9 2019 2:29 AM

Does site1 and site2 actually connect to the Internet or is that some other kind of cloud?

0 Kudos
In response to PhilipDAth
ww
Kind of a big deal
Kind of a big deal
‎Dec 9 2019 6:23 AM
‎Dec 9 2019 6:23 AM

 Why you  need the default route to your lan (on the center MX)? and not only specific routes that are behind your (central) lan.   (assuming you center MX wan connects to the internet ,  or does your center gateway provides internet?)   

0 Kudos
In response to ww
Kamome
Building a reputation
‎Dec 9 2019 4:26 PM
‎Dec 9 2019 4:26 PM

@ww It's because of customer's information security policy. They want to observe every traffic -including site's Internet traffic- and must goes through center gateway in order to pass IPS, WAF and other do-dads.

0 Kudos
In response to PhilipDAth
Kamome
Building a reputation
‎Dec 9 2019 4:21 PM
‎Dec 9 2019 4:21 PM

@PhilipDAth  Site1 and 2 are MX65 appliance and connected local ISP's Internet.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2025 Cisco Systems, Inc.