VPN hairpin

jlopez_sv81
Here to help

Hello, 

Does someone know if the configuration on the diagram is possible?

I am looking for a connection between Azure networks (vMX) and the networks behind the MX84.

 

jlopez_sv81_0-1683812639336.png

 

alemabrahao
Kind of a big deal

Yes, it should work.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
GreenMan
Meraki Employee

No - that won't work (hairpinning non-Meraki and AutoVPN).
Take a look here: https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior#AutoVPN_and_Non-Meraki_...

Why not reduce your hops / latency by building a tunnel directly from the MX84 to the VMX? (I assume the two MX appliances are in different Orgs, hence using non-Meraki VPN to inter-connect)

alemabrahao
Kind of a big deal

But you can configure two MXs as Non-Meraki VPN Peers and they will be added to the route table. I've configured it like that many times and it worked as expected.

ww
Kind of a big deal

How does the vMX learn the non-Meraki VPN routes in that case?

Because normally non-Meraki VPN routes are not advertised to the other AutoVPN participants.

jlopez_sv81
Here to help

Hello Gleen,

That was my first option, but for some reason, the non-Meraki VPN won't connect. I have a ticket opened with Meraki.

jlopez_sv81
Here to help

This solution is not working.

jlopez_sv81_0-1683819292133.png

The issue may be caused by the vMX and MX100 (same organization) having just 1 peer configured to the MX84.

There is no way to have VPN peers configured differently on MXs in the same organization; the configuration is replicated to all of them.
GreenMan
Meraki Employee

If both tunnels use non-Meraki VPN, this could be configured to work; but that's not what is shown in the diagram.
