VPN between MX in China & MX outside China

AY2022
Here to help


Looking for more info on setting up the above. 

I have 1 main MX serving multiple smaller MXes in China. All on the China Portal.


Now I'm trying to establish a VPN between the main MX and a vMX, e.g. Azure in Australia.

I believe Auto VPN is out of the question, since it's not on the same portal.


Hence, correct me if I'm wrong, but the only way to set it up is by using the Non-Meraki VPN peers option. Is that right?

6 Replies
alemabrahao
Kind of a big deal

If they're in different organizations, yes, but particularly I've never tried to establish a Non-Meraki VPN between two MXes, I don't know if that would work.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
RomanMD
Building a reputation

Because the MXes in China and the one in Azure are in different organizations, you are totally right: Non-Meraki VPN would be the solution. This is working fine; there are just some considerations that you need to keep in mind.

1. The Non-Meraki VPN will use the standard VPN ports 500 and 4500. Those might be blocked by the Chinese provider or the Great Firewall.

2. Using AutoVPN should bypass the Great Firewall, because of the high ports which are usually not blocked.

3. Any of those solutions might break the law. 
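
A quick way to test point 1 before committing to the Non-Meraki VPN design is to send a minimal IKEv2 IKE_SA_INIT request to the peer on UDP/500 and, with the RFC 3948 non-ESP marker, on UDP/4500, and see whether an IKEv2 response comes back. The script below is an added example for this thread, not code from the original post or from Meraki; the peer address 203.0.113.1 is a placeholder, and the key-exchange value it sends is a random placeholder rather than a real Diffie-Hellman public value (the tunnel is never meant to complete, only to show that the path passes IKE). A reply proves the port is open end to end; no reply is inconclusive, since a filter, rate limiting, or a responder that ignores unknown initiators all look the same.

```python
"""
Probe IKE reachability on UDP/500 and NAT-T UDP/4500 with a minimal
IKEv2 IKE_SA_INIT request (RFC 7296). Added example, not Meraki code.
Peer address and ports are assumptions; the KE value is a placeholder.
"""
import secrets
import socket
import struct

IKE_PORT = 500
NATT_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 2.2: IKE on UDP/4500 is prefixed by 4 zero bytes

# Payload types (RFC 7296 3.2), exchange type and flag bits (3.1)
PT_NONE, PT_SA, PT_KE, PT_NONCE = 0, 33, 34, 40
EXCH_IKE_SA_INIT = 34
FLAG_INITIATOR, FLAG_RESPONSE = 0x08, 0x20
DH_GROUP_14 = 14
IKE_HDR = "!8s8sBBBBII"               # SPIi, SPIr, next, version, exchange, flags, msgid, length


def _payload(next_pt, body):
    # Generic payload header: next payload, critical/reserved, total length
    return struct.pack("!BBH", next_pt, 0, 4 + len(body)) + body


def _sa_payload(next_pt):
    # One proposal: ENCR_AES_CBC-128 / PRF_HMAC_SHA2_256 / AUTH_HMAC_SHA2_256_128 / MODP-2048
    transforms = [
        (1, 12, struct.pack("!HH", 0x800E, 128)),  # key-length attribute, TV form
        (2, 5, b""),
        (3, 12, b""),
        (4, DH_GROUP_14, b""),
    ]
    tbytes = b""
    for i, (ttype, tid, attr) in enumerate(transforms):
        last = 0 if i == len(transforms) - 1 else 3   # 3 = more transforms follow
        tbytes += struct.pack("!BBHBBH", last, 0, 8 + len(attr), ttype, 0, tid) + attr
    # Proposal header: last, reserved, length, proposal #1, protocol IKE(1), SPI size 0, count
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(tbytes), 1, 1, 0, len(transforms)) + tbytes
    return _payload(next_pt, proposal)


def build_ike_sa_init(spi_i=None):
    """Return a complete IKE_SA_INIT request (header + SA + KE + Nonce)."""
    spi_i = spi_i or secrets.token_bytes(8)
    ke = bytearray(secrets.token_bytes(256))
    ke[0] &= 0x7F        # keep the placeholder below the group-14 prime; not a real g^x
    body = (_sa_payload(PT_KE)
            + _payload(PT_NONCE, struct.pack("!HH", DH_GROUP_14, 0) + bytes(ke))
            + _payload(PT_NONE, secrets.token_bytes(32)))
    hdr = struct.pack(IKE_HDR, spi_i, b"\x00" * 8, PT_SA, 0x20,
                      EXCH_IKE_SA_INIT, FLAG_INITIATOR, 0, 28 + len(body))
    return hdr + body


def parse_ike_header(data):
    """Return (SPIi, SPIr, exchange type, is_response) for an IKEv2 datagram, else None."""
    if len(data) < 28:
        return None
    spi_i, spi_r, _, ver, exch, flags, _, length = struct.unpack(IKE_HDR, data[:28])
    if ver >> 4 != 2 or length != len(data):
        return None
    return spi_i, spi_r, exch, bool(flags & FLAG_RESPONSE)


def probe(host, port, timeout=3.0):
    """Send one IKE_SA_INIT; return the parsed header of a matching IKEv2 reply, else None."""
    req = build_ike_sa_init()
    wire = req if port == IKE_PORT else NON_ESP_MARKER + req
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(wire, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    if port != IKE_PORT:
        if not data.startswith(NON_ESP_MARKER):
            return None
        data = data[len(NON_ESP_MARKER):]
    rep = parse_ike_header(data)
    # Accept only a response to our own SPI; anything else is noise
    if rep and rep[0] == req[:8] and rep[3]:
        return rep
    return None


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.1"   # hypothetical peer
    for port in (IKE_PORT, NATT_PORT):
        r = probe(host, port)
        print(f"udp/{port}: " + ("IKEv2 reply received" if r else "no reply (blocked, filtered, or ignored)"))
```

Run it from the China side against the public address of the vMX, and again from the vMX side against the China MX's public address; Non-Meraki VPN is not asymmetric, so both directions need UDP/500 and UDP/4500 to pass. The responder's reply to this request will normally carry an error notify rather than a full SA, which is fine: the question here is only whether the packet made it through and an answer came back.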

Thanks for sharing.


About point 3, wouldn't the solution (Non-Meraki VPN) be 'within the law' as long as the data is used only for internal data exchange and office use?


https://documentation.meraki.com/General_Administration/Support/Information_for_Users_in_China 

akayret
Conversationalist

Hi,

I wonder how you ended up connecting them? Did the Non-Meraki VPN work? Thanks

alemabrahao
Kind of a big deal

When setting up Non-Meraki VPN connections between two MXs in different organizations, make sure to populate the Remote ID field of the Non-Meraki VPN peer with the private IP address of the remote MX if all of the following conditions are met:


The MXs are running firmware version MX 15 or higher.

They do not use a User FQDN.

They are connected behind an upstream NAT device.


Anything that uses locally provided Internet will face interruptions.
You will need to consider a non-Internet medium to establish the connection between China and Global.

https://documentation.meraki.com/General_Administration/Support/Information_for_Users_in_China#ntegr... 
