Use of a Non-Meraki VPN in a vMX100 & MX100 SD-WAN Solution

Networking1984


Hi,


I wonder if someone could help me with a topology/design we are trying to implement for a client of ours.


Essentially we have a client who wants to create the following topology to provide access to a 3rd party service:


Windows client -> MX100 -> Meraki SD-WAN (Meraki VPN) -> vMX100 -> Azure Virtual Network Gateway -> IPSEC (Non Meraki VPN) -> 3rd Party Router -> 3rd Party Server


I have not been able to get the configuration to work above, however, if I also establish a Non-Meraki VPN between the MX100 and the Azure Virtual Network Gateway (effectively bypassing the Meraki SD-WAN), the client is able to connect to the 3rd Party server. The interesting thing is that the egress packets from the Windows client utilise the non-Meraki VPN, but the ingress packets utilise the SD-WAN.


The ideal solution would be for the Windows client to use the SD-WAN completely, and remove the need for IPSEC VPN to be created from the MX100. I’ve spoken to 3 or 4 Meraki Support engineers who have each said what we’re trying to achieve is not supported by Meraki, but the last engineer I spoke to said though Meraki do not support the topology above, there's nothing to say that one couldn't get the above to work.


If anyone has insight or experience of the introduction of a non-Meraki VPN in an SD-WAN solution, I would be grateful for replies!


Thanks,


Networking1984

6 Replies
GreenMan
Meraki Employee

This definitely won't work in the way described; there's no route availability between AutoVPN and non-Meraki VPN tunnels in the same MX (or vMX): https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#AutoVPN_and_Non-Meraki_...


Is there a particular reason why the customer wants to route the traffic through Azure?

Hi GreenMan,


Thanks for your reply and the web link - The customer has a set of VMs in Azure which they need to access via the SD-WAN.

PhilipDAth
Kind of a big deal

The two best options I can think of:

1. Deploy StrongSwan on Ubuntu. Pros: Cheap. Cons: Requires more advanced skills.

2. Deploy Amazon VPN server. Pros: Lower skill needs. Cons: More expensive.


Once you have something else doing the site to site VPN, you can add a "Local Network" to the VMX and redistribute it into AutoVPN.
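As an added worked example (not part of the original thread, and not Meraki's or PhilipDAth's configuration), this is the shape of a strongSwan swanctl.conf for the StrongSwan-on-Ubuntu option: an IKEv2 site-to-site tunnel from an Ubuntu VM in Azure to the 3rd party router. Every address, identity, subnet and the pre-shared key are assumed placeholders; the 3rd party side must be configured with matching proposals and mirrored traffic selectors.

```conf
# Added example: strongSwan (swanctl) site-to-site config on an Ubuntu VM in Azure.
# Not from the original thread or from Meraki; all addresses, IDs, subnets and the
# PSK are assumed placeholders (RFC 5737 documentation ranges used for public IPs).

connections {
    thirdparty {
        version = 2                      # IKEv2 only; do not fall back to IKEv1
        local_addrs  = 10.0.2.4          # assumed: private NIC IP of the Ubuntu VM in Azure
        remote_addrs = 203.0.113.10      # assumed: public IP of the 3rd party router

        # Azure NATs the VM behind a public IP, so set the local ID explicitly;
        # otherwise it defaults to 10.0.2.4 and the peer's ID check fails.
        local {
            auth = psk
            id = 198.51.100.5            # assumed: Azure public IP attached to the VM NIC
        }
        remote {
            auth = psk
            id = 203.0.113.10
        }

        # IKE SA: AES-256-GCM, SHA-384 PRF, DH group 20 (ecp384). No weak fallbacks listed.
        proposals = aes256gcm16-prfsha384-ecp384
        dpd_delay = 30s

        children {
            thirdparty-net {
                # Traffic selectors are the policy: list only the prefixes that should
                # reach the 3rd party, i.e. the client LAN behind the MX100 (reached
                # via AutoVPN and the vMX) and the Azure VNet. Keep this tight.
                local_ts  = 192.168.10.0/24, 10.0.0.0/16   # assumed: MX100 LAN, Azure VNet
                remote_ts = 172.16.50.0/24                 # assumed: 3rd party server subnet

                esp_proposals = aes256gcm16-ecp384         # ESP with PFS on rekey
                start_action = start                       # bring the tunnel up at load
                dpd_action   = restart                     # re-establish if the peer goes silent
                rekey_time   = 1h
            }
        }
    }
}

secrets {
    ike-thirdparty {
        id-1 = 198.51.100.5
        id-2 = 203.0.113.10
        secret = "replace-with-a-long-random-psk"   # assumed placeholder; generate per tunnel, never reuse
    }
}
```

The config alone does not make the VM a router. It also needs `net.ipv4.ip_forward = 1` in sysctl, "IP forwarding" enabled on the VM's Azure NIC, an NSG rule admitting UDP 500 and 4500 from the 3rd party's public IP (NAT-T carries ESP inside UDP 4500), and an Azure route table sending 172.16.50.0/24 to the VM's private IP as a virtual appliance next hop (with the MX100 LAN prefix routed to the vMX so return traffic reaches AutoVPN). The final step is the one PhilipDAth describes: present 172.16.50.0/24 to the vMX as a local network behind 10.0.2.4 and advertise it into AutoVPN so the MX100 learns it.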

Hi PhilipDAth,


Thanks for providing me with the option above.


In regard to the StrongSwan option, did you mean spinning up an Ubuntu VM in Azure, configuring StrongSwan on it and then configuring a VPN to the 3rd Party Router?

> In regard to the StrongSwan option, did you mean spinning up an Ubuntu VM in Azure, configuring StrongSwan on it and then configuring a VPN to the 3rd Party Router?


Correct.

> Correct.


Thank you!
