Hi All.
I want to create an IPsec site-to-site tunnel with a Meraki MX on one end and a non-Meraki device at the other. Basically I want some guidance on the points below:
Scenario 1
1) Our client has purchased a public LAN routable IP block, i.e. 1.1.1.0/29, and a WAN IP block, 2.2.2.0/30. He wants to use a public LAN routable address to configure the tunnel; however, the MX WAN port will be configured with a WAN IP address, i.e. 2.2.2.2/30.
Scenario 2
2) Can we configure a site-to-site tunnel with a spare IP address from the same pool? Suppose we have a WAN IP pool 3.3.3.0/29 where 3.3.3.1 will be at the Mux end, and the other three IPs 3.3.3.2, 3.3.3.3 and 3.3.3.4 will be used to configure a warm spare as per the link below:
https://documentation.meraki.com/MX/Deployment_Guides/MX_Warm_Spare_-_High_Availability_Pair.
Can we use 3.3.3.5 and 3.3.3.6 to configure a site-to-site tunnel?
Ideally, you should use the VIP (virtual IP), because in case of failover to the spare MX, your VPN will continue to work.
An important point about the VIP has already been mentioned. Otherwise, the VPNs are *always* terminated on the primary WAN interface IP of the MX. You can't use any IP from additional IP pools.
Hi Karsteni,
Thank you for your response. What if I use an individual IP on each MX and don't use the VIP? Would that fulfil my requirement?
It will work. However, the tunnel will not be available when the spare becomes active.
The tunnel would not be available for which scenario, 1 or 2, as per my first post? Also, then what would be the use of creating a warm spare if we are not able to get the services of high availability?
In Scenario 1 you can't have a VIP, as you need at least a /29 on the link between the ISP and the MXes, not a /30.
Scenario 2 doesn't work at all.
You only get high availability when you set up the system in a way that can provide high availability. And in general, that starts with a /29 subnet for the MX WAN interfaces.
So if there is high availability, then why won't the tunnel work with the spare MX if we don't use a VIP and only an individual IP on each MX? i.e.
MX1 WAN IP address 3.3.3.2/29
MX2 WAN IP address 3.3.3.3/29
Won't it be a limitation of the MX?
I understood from your original post that these IPs are from an additional subnet and not the interface IPs.
If these are the interface IPs it can work, but your peer has to reconfigure the tunnel to the spare IP in case of failover. Interface IPs are fixed to the device and don't swap as is done with the ASA, for example.
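The addressing rules from the replies above (a warm-spare pair with a VIP needs a /29, not a /30; a non-Meraki VPN terminates only on the primary WAN interface IP or the VIP; without a VIP the peer must re-point to the spare's interface IP on failover) as an added planning script, not part of the thread or of any Meraki tool. The address layout (ISP gateway first, then MX1, MX2, VIP) and the function names are assumptions made for this example.

```python
import ipaddress


def plan_mx_wan(prefix, use_vip=True):
    """Allocate WAN addresses for an MX warm-spare pair on one ISP link.

    Assumed layout (constructed for this example): the first usable host
    is the ISP gateway, followed by MX1, MX2 and, if requested, the VIP.
    Raises ValueError when the prefix has too few usable hosts, which is
    exactly why a /30 cannot carry a VIP-based HA pair.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    hosts = [str(h) for h in net.hosts()]
    needed = 4 if use_vip else 3  # gateway + MX1 + MX2 (+ VIP)
    if len(hosts) < needed:
        raise ValueError(
            f"{prefix} has {len(hosts)} usable hosts, need {needed} "
            f"(gateway, MX1, MX2{', VIP' if use_vip else ''})"
        )
    plan = {"gateway": hosts[0], "mx1": hosts[1], "mx2": hosts[2]}
    if use_vip:
        # The VIP follows the active MX, so the peer never needs to change.
        plan["vip"] = hosts[3]
        plan["tunnel_peer"] = plan["vip"]
        plan["survives_failover"] = True
    else:
        # Interface IPs stay fixed to each device; the peer must be
        # reconfigured to mx2 when the spare becomes active.
        plan["tunnel_peer"] = plan["mx1"]
        plan["survives_failover"] = False
    # Leftover addresses in the pool are NOT valid tunnel endpoints.
    plan["spare_addresses"] = hosts[needed:]
    return plan


def tunnel_endpoint_allowed(plan, candidate):
    """True only if the candidate is an MX WAN interface IP or the VIP.

    Addresses from a separate routed block (Scenario 1) or unused
    addresses of the same WAN pool (Scenario 2) are rejected.
    """
    allowed = {plan["mx1"], plan["mx2"]}
    if "vip" in plan:
        allowed.add(plan["vip"])
    return candidate in allowed


if __name__ == "__main__":
    print(plan_mx_wan("3.3.3.0/29"))
```

Running it on the thread's Scenario 2 pool shows the tunnel peer is 3.3.3.4 (the VIP) and that 3.3.3.5 and 3.3.3.6 are rejected, while the Scenario 1 link 2.2.2.0/30 raises because it cannot hold an HA pair.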