Can I have 2 (or more) default routes on an MX appliance to two (or more) non-Meraki IPsec tunnels?
Never used it myself. But the config accepts it. So I would say yes.
2 default routes where? Advertised from hubs over AutoVPN?
Check out this article about non-Meraki VPN failover.
https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover
Thanks, Phillip, that's really interesting but this is not exactly what I need if I am correct.
If I have 4 local subnets, I need to send all the traffic (default route) to branch ONE with a failover IP (in case the main IPsec tunnel fails) and at the same time, those 4 subnets need to access a couple of servers on branch TWO (over a 3rd IPsec tunnel).
So I would have 2 default routes to branch ONE with different priorities (for failover) and 3rd route just to access IP range on branch TWO. 3 tunnels and 3 static routes.
Only our office is with MX appliance so this would be non-Meraki VPN tunnels.
It cannot be done from what I was reading?
Thanks.
I don’t believe you are going to be able to easily manipulate the default route the way that you want. You need to be aware of this:
Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.
Which comes from this document, https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings, under non-Meraki VPN peers. You may be able to achieve something with API and scripting as per the link Philip posted, but I believe that will be the closest you can get.
Thanks Bruce,
Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.
My intention was that it will fail-over to another IPsec tunnel if the primary is down.
But I realise that this won't work anyway as before being worried about 2nd default route I can't even get some traffic over 2nd IPsec tunnel. Seems like I can have only 1 non-Meraki IPsec working...
I cannot have the next hop as a VPN tunnel interface...
Routes over non-Meraki VPNs are built through the configuration of the VPN (the remote subnets), and you can’t configure static routes to a VPN as the next hop. And you can’t have two remote subnets that are the same, which makes it difficult to have a backup and a spare IPsec tunnel (although you may be able to achieve this if you can arrange your IP address scheme so you can have a /23 and a /24 that overlap - haven’t tried it myself).
So you can have multiple non-Meraki VPN peers, they just need to be to different IP subnets.
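Since a non-Meraki peer's routes exist only through its configured remote subnets, the two constraints raised in this thread (no two peers may list the same remote subnet, and a peer carrying 0.0.0.0/0 will not fail over to the WAN) can be checked before pushing a config. The script below is an added example, not code from the thread or from Meraki: it takes a list of third-party VPN peers in the shape the Meraki Dashboard API uses (assumption: the field names name, publicIp, privateSubnets and networkTags; the sample data and addresses are constructed) and reports exact duplicate subnets, overlapping-but-different subnets such as the /23 and /24 case mentioned above, and every peer that carries a default route.

```python
import ipaddress
from itertools import combinations

# Constructed sample (not from the thread): three non-Meraki peers modelling the
# setup described above, in the field layout the Meraki Dashboard API uses for
# an organization's third-party VPN peers (field names are an assumption).
SAMPLE_PEERS = [
    {"name": "branch-ONE-primary", "publicIp": "203.0.113.10",
     "privateSubnets": ["0.0.0.0/0"], "networkTags": ["all"]},
    {"name": "branch-ONE-backup", "publicIp": "203.0.113.11",
     "privateSubnets": ["0.0.0.0/0"], "networkTags": ["all"]},
    {"name": "branch-TWO", "publicIp": "198.51.100.20",
     "privateSubnets": ["10.20.0.0/24"], "networkTags": ["all"]},
]

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def remote_subnets(peers):
    """Flatten the peer list into (peer name, network) pairs.

    Routes to a non-Meraki peer exist only through its privateSubnets, so this
    list is effectively the MX's routing table towards those peers.
    """
    pairs = []
    for peer in peers:
        for subnet in peer["privateSubnets"]:
            pairs.append((peer["name"], ipaddress.ip_network(subnet, strict=False)))
    return pairs


def find_duplicates(peers):
    """Subnets listed identically by two different peers (rejected by the MX config)."""
    hits = []
    for (a, net_a), (b, net_b) in combinations(remote_subnets(peers), 2):
        if a != b and net_a == net_b:
            hits.append((a, b, str(net_a)))
    return hits


def find_overlaps(peers):
    """Subnets of different peers that overlap without being identical, e.g. a
    /23 behind one peer and a /24 inside it behind another. The thread marks
    this arrangement as untested, so it is reported separately for manual
    verification. A default route overlaps everything by definition and is
    excluded here; default_route_peers() reports it instead."""
    hits = []
    for (a, net_a), (b, net_b) in combinations(remote_subnets(peers), 2):
        if DEFAULT_ROUTE in (net_a, net_b):
            continue
        if a != b and net_a != net_b and net_a.overlaps(net_b):
            hits.append((a, b, str(net_a), str(net_b)))
    return hits


def default_route_peers(peers):
    """Peers carrying 0.0.0.0/0: per the Site-to-Site VPN Settings note quoted
    above, traffic to them will not fail over to the WAN when the tunnel drops."""
    return sorted({name for name, net in remote_subnets(peers) if net == DEFAULT_ROUTE})


def audit(peers):
    """Run every check and return the findings keyed by check name."""
    return {
        "duplicates": find_duplicates(peers),
        "overlaps": find_overlaps(peers),
        "default_route_peers": default_route_peers(peers),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_PEERS).items():
        print(f"{check}: {result}")
```

On the sample above the audit flags the two branch ONE peers as duplicates of each other (both list 0.0.0.0/0), which is exactly the primary/backup pair the thread says cannot coexist, and lists both as default-route peers that will not fall back to the WAN. To run it against a live organization, replace SAMPLE_PEERS with the peer list fetched from the Dashboard API.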