routing from remote network across non-Meraki VPN Peer
OK .. odd routing question .. I have a location that has an established non-Meraki VPN peer. Just an FYI the peer on the other end is Meraki but it is in a different organization. One of the address spaces in this peer is say 192.168.56.0/24. I have a Z3 that we set up with a space of 10.148.109.0/24 in the Lab. We are trying to get from the Z3 devices across the non-Meraki VPN peer to a device in the 56.0/24 space. At the moment this is not working. I think we just need a route on the other side of the peer pointing towards us or does this actually need to be defined as part of the peer? First time I have had anyone ask for access like this. Usually it has just been local over the peers. Thoughts ..
Brent
Hi @BrentB,
Is my understanding correct that your topology is the following: Z3 <-AutoVPN-> MX_A <-Non-Meraki VPN-> MX_B in other org; and you are trying to route traffic between Z3 and MX_B through MX_A?
If so, unfortunately, this won't be possible.
The KB says (in a blue note): "An MX that builds tunnels to both Auto VPN and Non-Meraki VPN peers will not route traffic between other Auto VPN peers and the non-Meraki VPN peers unless BGP routing over IPsec VPN is enabled for the latter."
With this said, you can try to configure this new route-based tunnel with BGP over IPsec, and then in theory routes within the same org should be advertised via iBGP, and from the outside - via eBGP, but honestly, I never worked with this feature so not 100% sure it'll work, but if it does, it for sure will be a good solution.
If that doesn't work though, I'm afraid the only way to communicate from Z3 to MX_B is a direct non-Meraki VPN tunnel between them.
Third-party VPN does not participate in the Auto VPN. So you would need a direct 3rd-party VPN tunnel between the Z3 and the peer.
Sinelnyyk,
That is what we are trying. Z3 connected to MX_A that is non-Meraki VPN connected to the MX_B in a different org. Trying to get Z3 access to network behind MX_B. We were thinking it was something routing related as the MX_B network was not in the route table on the Z3 but is on MX_A. Easiest test would be to go the VPN tunnel route between Z3 and MX_B. If we get this working they will have three others in the same situation.
Thanks
