Meraki Community

V_007 · ‎Feb 6 2024

Hi All.

Wants to create an ipsec site to site tunnel with Meraki Mx on one end and Non Meraki at other. Basically i want some guidance on below points

Scenerio 1

1) Our client have purchased public lan routable ip address i.e 1.1.1.0/29 and wan ip address 2.2.2.0/30 where he wants to use public lan routable address to configure an tunnel, however on Mx Wan port will be configure with wan ip address i.e 2.2.2.2/30.

Scenerio 2

2) Can we configure site to site tunnel with an spare ip address of same pool i.e Suppose we have an Wan ip pool 3.3.3.0/29 where 3.3.3.1 will be at Mux end, and rest three ip's 3.3.3.2, 3.3.3.3, 3.3.3.4 will be use to configure an Warmspare as per below link

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair.

Can we use 3.3.3.5 and 3.3.3.6 to configure an site to site tunnel ?

alemabrahao · ‎Feb 6 2024

Ideally, you should use the VIP IP (virtual IP), because in case of failover to the MX spare, your VPN will continue to work.

https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair#Virtual...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

KarstenI · ‎Feb 6 2024

An important point with the VIP has already been mentioned. Otherwise, the VPNs are *always* terminated on the primary WANs interface IP of the MX. You can't use any IP from additional IP pools.

V_007 · ‎Feb 6 2024

Hi Karsteni,

Thank you for your response. What if i use individual ip on individual mx and dont use vip. Using that my requirement would will fulfilled ?

KarstenI · ‎Feb 7 2024

Will work. However, the tunnel will not be available when the spare becomes active.

V_007 · ‎Feb 7 2024

tunnel would not be available for which Scenerio 1 or 2 as per my first post ?. Also then what would be the use for creating an Warmspare if we not able to get the services of High availability ?

KarstenI · ‎Feb 7 2024

In Scenario 1 you can't have a VIP as you need at least a /29 on the link between ISP and MXes and not a /30.

Scenario 2 doesn't work at all.

You only get high availability when you set up the system in a way that can provide high availability. And in general, that starts with a /29 subnet for the MX WAN-interfaces.

V_007 · ‎Feb 7 2024

So if there's an high availability then why tunnel wont work with spare MX if we not use an vip and only individual ip on each Mx. i.e

MX1 wan ip address 3.3.3.2/29

Mx2 wan ip address 3.3.3.3/29.

Wont it be a limitation for MX ?

KarstenI · ‎Feb 7 2024

I understood your original post that these IPs are from an additional subnet and not the interface IPs.

If these are the interface IPs it can work, but your peer has to reconfigure the tunnel to the Spare-IP in case of failover. Interface IPs are fixed to the device and don't swap as it is done with the ASA for example.