Tunnel conection - Resources other network

athan1234
A model citizen

Tunnel conection - Resources other network

Hi

 

I have established a VPN tunnel to enable the establishment of a connection between these centers. They are in different organizations. People in the organization must have access to resources (DNS server, etc.) on CPD. I think the only way is to migrate the center to my organization. Am I righth ?

 

 

8 Replies 8
MarcP
Kind of a big deal

You have two Orgs connected with VPN to each other and want to use resources like DNS from Org A in org B, correct?

 

 

If you used Site-toSite-VPN you configure the remote site subnets and there has to be the subnets which are necessary. Afterwards the DNS server is reachable from the remote site. Keep in mind you may have to allow this communication in a third party firewall if you have one.

athan1234
A model citizen

Hi @MarcP I spoke yesterday to the IT responsible of other organization if we can to add VPN tunnel the networks for reach CPD dns server for example

 

He reply this:

 

You can only Tunnel to the subnets in each individual site with Meraki 3rd party site to site. You cannot route traffic from other networks through a single network's tunnel in a 3rd party VPN. It's a limitation with Meraki.

 

The only way around making a ton of different tunnels to cover this would be to move the networks into the same organization.
like 1

 

This is the escenario

 

The org A knows the cpd

 

ORG A

 

 

athan1234_3-1649765960507.png

 

 

athan1234_0-1649765615373.png

athan1234_2-1649765787449.png

 

 

 

ORG B

 

Needs to reach  the network 10.0.0.0/8 

athan1234_5-1649766204355.png

 

 

athan1234_1-1649765708804.png

 

athan1234_4-1649766031240.png

 

 

 

MarcP
Kind of a big deal

I do not understand this:
"You cannot route traffic from other networks through a single network's tunnel in a 3rd party VPN"

 

If you have Org A and Org B and all or all necessary subnets in this VPN-Tunnel, the systems build all IPSec-SA´s on their own. 

no one needs to set up seperated IPSec Tunnels for each remote network. Which I think is not possible to do several Tunnels between the same public IPs

athan1234
A model citizen

Hello, @Mark
Do you believe adding the ip 10.0.0.0/8 ORG B   will is enough to reach  the network 10.0.0.0/8?

athan1234
A model citizen

Do you believe adding the ip 10.0.0.0/8 ORG B will is enough to reach the network 10.0.0.0/8?

ww
Kind of a big deal
Kind of a big deal

3rd party vpn setup tunnels  from all networks to that 3rd party vpn destination.(unless you use tags)

 

There are other options ,like adding a seperate VPNdevice to build a tunnel and inject that routes using static route advertisements. I would recommend you to read this https://www.willette.works/merging-meraki-vpns/

athan1234
A model citizen

 

hi @ww 

I need to integrate a network within my organization.

 

I received this from Meraki Support, but I'm not sure what to do with it.

 

 

Please see this KB detailing organization splits: https://documentation.meraki.com/General_Administration/Organizations_and_Networks/Organization_Spli...

Before we get started, please review and acknowledge the following items:

  1. Our internal tool can split out existing Dashboard Networks into new Dashboard Organizations (DOs). The tool cannot place devices and licensing from one DO into another existing DO. This is a security policy -- we cannot copy information into existing organizations.
  2. The Users List is not copied into the new Organization (This is used for Client VPN and SSID authorization).
  3. Each new organization will have its own expiration date for licenses. Unless the licenses are evenly split out, these dates will likely vary.
  4. The process is not reversible.
  5. The following cannot be split:
    • Systems Manager networks
    • Config templates cannot be split
    • Config template children cannot be split
    • Wireless networks that have used billing at any point (and thus have Configure > Billing payout) are tied to the org, and cannot be split??
  6. (If using an MX for Auto VPN to another MX in the current DO) Please note that Auto VPN is currently only for Meraki security devices in the same DO. Security appliances that were once connected via Auto VPN must be connected as third-party peers after the split (See: Configuring Site-to-Site VPN).
  7. You may receive multiple emails in regards to license problems while Cisco Meraki Support is moving license keys.
  8. There may be some new DOs that need additional licenses because of expired license keys."
  9. Historical data usage is not transferred (including event, and changelog entries)
  10. Any pending action batches will not be copied to the new organization and pending action batches involving networks split into the new organization will likely fail.

 

ww
Kind of a big deal
Kind of a big deal

 

Org split is only for moving some networks from a existing org to a brand new org.

 

If you want to move a network between existing org you need to move/config it manually  or use the api

Get notified when there are additional replies to this discussion.