i ANon-Meraki VPN Peer on a Private IP Address

SOLVED
Waheed-Ali
Getting noticed

i ANon-Meraki VPN Peer on a Private IP Address

Hi all,

 

I know we can establish a VPN with a non-Meraki VPN peer i.e. One side Meraki MX and other peer/side a non-meraki VPN peer. Now as per the dashboard, we have to enter public IP of the non-Meraki VPN Peer. In my scenario, I have to establish a VPN with a non-Meraki VPN peer on Private IP address.

So, can we add a non-Meraki VPN peer with a Private IP address?

1 ACCEPTED SOLUTION
alemabrahao
Kind of a big deal
Kind of a big deal

Yes, It,s possible, however there are some configurations that you have to follow.

Follow these recommendations:

 

  • Security & SD-WAN -> Configure: Site-to-site VPN -> Non Meraki VPN settings:

     

     

    • Preshared secret must be greater than 14 characters 
    • Authentication cannot be MD5 
    • Diffie-Hellman Group must be 14 
    • Phase 2 encryption cannot be NULL 
    • PFS can be configured to be either off or 14 

Over Remote ID set your private IP and probably It will work.

 

And you have to send a ICMP packet to the tunnel establish.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

6 REPLIES 6
Brash
Kind of a big deal
Kind of a big deal

Are both devices within the same site/network?

If so, I'm not quite sure why you would want to do this as opposed to just l3 routing.

 

If not, you'll need to port forward the appropriate IPsec ports on the internet facing device to the private IP of the non Meraki peer.

 

Waheed-Ali
Getting noticed

Bro we have a P2P connection b/w two sites, established by the govt-ISP. Now we  want to setup VPN tunnel on top of that p2p connection. Its govt. project and thats how they want it.

 

I have setup a lab with an MX and a cisco router but in Meraki dashboard I am getting fips disabled error on event log

alemabrahao
Kind of a big deal
Kind of a big deal

Yes, It,s possible, however there are some configurations that you have to follow.

Follow these recommendations:

 

  • Security & SD-WAN -> Configure: Site-to-site VPN -> Non Meraki VPN settings:

     

     

    • Preshared secret must be greater than 14 characters 
    • Authentication cannot be MD5 
    • Diffie-Hellman Group must be 14 
    • Phase 2 encryption cannot be NULL 
    • PFS can be configured to be either off or 14 

Over Remote ID set your private IP and probably It will work.

 

And you have to send a ICMP packet to the tunnel establish.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Oh really.. I thought its not possible. Let me try with these settings. I will revert. Thanks once again.

OMG my cisco routers 2600 only supports up to group 5 and no more. Its the router I am using in LAB. Now what other options do I have to test an IPSec VPN apart from my old cisco 2600. Can I set it up with the Windows server. On one end I have MX95 and I have to test IPSec VPN IKEv2 on any other device. I was testing it on 2600. But it seems that is too old now. Any suggestions?

You can test on Linux server with strongswan.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels