Non-Meraki VPN Peer on a Private IP Address

Solved
Waheed-Ali
Getting noticed

Hi all,

I know we can establish a VPN with a non-Meraki VPN peer, i.e. one side a Meraki MX and the other side a non-Meraki VPN peer. Now, as per the dashboard, we have to enter the public IP of the non-Meraki VPN peer. In my scenario, I have to establish a VPN with a non-Meraki VPN peer on a private IP address.

So, can we add a non-Meraki VPN peer with a Private IP address?

1 Accepted Solution (alemabrahao's reply below)

6 Replies
Brash
Kind of a big deal

Are both devices within the same site/network?

If so, I'm not quite sure why you would want to do this as opposed to just L3 routing.

If not, you'll need to port forward the appropriate IPsec ports on the internet-facing device to the private IP of the non-Meraki peer.

Waheed-Ali
Getting noticed

Bro, we have a P2P connection between two sites, established by the govt ISP. Now we want to set up a VPN tunnel on top of that P2P connection. It's a govt project and that's how they want it.

I have set up a lab with an MX and a Cisco router, but in the Meraki dashboard I am getting a "FIPS disabled" error in the event log.

alemabrahao
Kind of a big deal

Yes, it's possible, however there are some configurations that you have to follow.

Follow these recommendations:

  • Security & SD-WAN -> Configure: Site-to-site VPN -> Non-Meraki VPN settings:
    • Preshared secret must be greater than 14 characters
    • Authentication cannot be MD5
    • Diffie-Hellman Group must be 14
    • Phase 2 encryption cannot be NULL
    • PFS can be configured to be either off or 14

Under Remote ID, set your private IP and it will probably work.

And you have to send an ICMP packet for the tunnel to establish.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Waheed-Ali
Getting noticed

Oh really... I thought it's not possible. Let me try with these settings. I will revert. Thanks once again.

Waheed-Ali
Getting noticed

OMG, my Cisco 2600 router only supports up to group 5 and no more. It's the router I am using in the lab. Now what other options do I have to test an IPsec VPN apart from my old Cisco 2600? Can I set it up with Windows Server? On one end I have an MX95, and I have to test IPsec VPN with IKEv2 on any other device. I was testing it on the 2600, but it seems that is too old now. Any suggestions?

alemabrahao
Kind of a big deal

You can test on a Linux server with strongSwan.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
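As an added example (not from this thread, from Meraki, or from the strongSwan project), here is what a strongSwan `swanctl.conf` on a Linux test peer could look like when it has to satisfy the settings listed in the accepted answer: IKEv2, a pre-shared key longer than 14 characters, SHA-256 instead of MD5, DH group 14 (which strongSwan spells `modp2048`), AES instead of NULL for phase 2, and PFS group 14. The addresses 10.0.0.1 (MX95 side) and 10.0.0.2 (strongSwan side), the LAN subnets, the connection names and the PSK are constructed placeholders. The IKE identity on the strongSwan side is its private IP on the P2P link, which is the value you would enter as Remote ID on the Meraki side.

```conf
# /etc/swanctl/swanctl.conf on the Linux test peer (added example; all addresses are placeholders)
connections {
    to-mx95 {
        # IKEv2, matching what the MX95 is being tested with
        version = 2
        # strongSwan's private IP on the P2P link (placeholder)
        local_addrs = 10.0.0.2
        # MX95's private IP on the P2P link (placeholder)
        remote_addrs = 10.0.0.1
        # Phase 1: AES-256, SHA-256 (not MD5), DH group 14 (= modp2048)
        proposals = aes256-sha256-modp2048
        local {
            auth = psk
            # identity presented to the MX; enter this as "Remote ID" on the Meraki side
            id = 10.0.0.2
        }
        remote {
            auth = psk
            id = 10.0.0.1
        }
        children {
            lan-to-lan {
                # subnet behind strongSwan (placeholder)
                local_ts = 192.168.2.0/24
                # subnet behind the MX95 (placeholder)
                remote_ts = 192.168.1.0/24
                # Phase 2: AES-256/SHA-256 (not NULL); the trailing modp2048 enables PFS group 14
                esp_proposals = aes256-sha256-modp2048
                # trap policy: the tunnel is negotiated when the first matching packet
                # appears, e.g. the ICMP echo the accepted answer says you have to send
                start_action = trap
            }
        }
    }
}

secrets {
    ike-mx95 {
        id-1 = 10.0.0.1
        id-2 = 10.0.0.2
        # placeholder: must be longer than 14 characters to meet the Meraki requirement
        secret = "REPLACE-WITH-A-LONG-RANDOM-PSK"
    }
}
```

After `swanctl --load-all`, a `ping` from a host in 192.168.2.0/24 to a host in 192.168.1.0/24 hits the trap policy and triggers the IKE exchange; `swanctl --list-sas` then shows whether the IKE and CHILD SAs came up with the expected proposals. Because the trap policy defers negotiation until traffic appears, this mirrors the "send an ICMP packet" step rather than bringing the tunnel up at load time.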