s2s vpn between Meraki and Non Meraki

Solved
Senan_Rogers
Getting noticed


Did someone have this issue? How do I solve it? Any advice? Thanks.

I was doing some tests using AutoVPN in Meraki in a small topology: { Meraki 64 (Branch) ----- MX 100 (Hub) ----- Non-Meraki (ASA/FortiGate) }

Local network in MX 64 (192.168.0.1/24) (BRANCH) -----> (VPN) ------> MX 100 (HUB) -----> Non-Meraki (ASA/FortiGate) network (172.16.0.1/16)

+ VPN works with no problem between the Meraki Branch and the Meraki Hub.

+ As well, the VPN was up and working between the Meraki Hub and the Non-Meraki device (ASA/FortiGate).

The problem was between the Branch Meraki and the Non-Meraki: I was NOT able to reach the network behind the Non-Meraki in both directions from/to the Branch MX64. I mean from 192.168.0.1/24 in the MX 64 I cannot ping/reach 172.16.0.1/16 in the Non-Meraki device, and the VPN is up and running (ph1 and ph2).

I have been advised that we need to have a Meraki at the far end, before the Non-Meraki, so it will be able to reach that network.

Is this a limitation in the VPN? Do we have an alternative solution for this issue? (I want to reach the far-end remote network in the Non-Meraki device (ASA/FortiGate) from the Branch MX64, which is connected to the MX100 using VPN, and the MX100 is connected to the Non-Meraki through a VPN also.)

1 Accepted Solution
Dashboard_DJ
Meraki Alumni (Retired)

@Senan_Rogers 3rd-party VPN routes are not advertised into the AutoVPN route table and there is no way to do so unfortunately.

A common workaround when you need to merge both AutoVPN and 3rd-party VPN route tables is to use two different MX appliances as hubs:

1. DC MX1, that's in your main org and terminates your Meraki AutoVPN domain.

2. DC MX2, which is in a dedicated org you create just for terminating 3rd-party VPN.

 

Then on DC MX1, simply configure a static route for any of the remote, 3rd-party VPN destinations with a next hop of the inside IP of MX2. The same can be done in reverse on MX2, with a default route pointing towards your MX1 or your DC core.

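The accepted answer rests on one rule: subnets learned over a non-Meraki VPN never enter the AutoVPN route table, while local subnets and static routes flagged "In VPN" do. The model below, added for this thread and not Meraki code, encodes that rule and traces a packet through both the original topology (spoke, hub, 3rd-party VPN) and the two-hub workaround (MX1 with an In-VPN static route to MX2, MX2 with a default route back to MX1). Device names, the 10.0.0.0/24 DC LAN and the inside IPs are constructed; the same trace also describes the ASA-beside-the-hub variant from later in the thread, since that design relies on the same hub static route, just with an ASA in MX2's place.

```python
"""Route-table model of the thread's problem and of the accepted two-hub workaround.

Added illustration for this thread; it is not Meraki code and does not talk to a
Dashboard. Assumed rule (from the accepted answer): routes learned over a
3rd-party VPN are never advertised into AutoVPN; local subnets and static routes
flagged "In VPN" are. Names and addresses are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    # "local", "3rdparty-vpn", "autovpn:<peer name>" or "nexthop:<ip>"
    via: str
    in_vpn: bool = False  # the "In VPN: Yes" flag on a Meraki static route


@dataclass
class MX:
    name: str
    inside_ip: ipaddress.IPv4Address
    routes: list = field(default_factory=list)

    def advertised(self):
        """What this MX advertises into AutoVPN: local subnets and In-VPN static
        routes. 3rd-party VPN routes are deliberately absent (assumed rule)."""
        return [r for r in self.routes
                if r.via == "local" or (r.via.startswith("nexthop:") and r.in_vpn)]

    def lookup(self, dst):
        """Longest-prefix match; None when no route covers dst."""
        dst = ipaddress.ip_address(dst)
        return max((r for r in self.routes if dst in r.prefix),
                   key=lambda r: r.prefix.prefixlen, default=None)


def build_autovpn(members):
    """Install every member's advertised routes on every other member."""
    for mx in members:
        for peer in members:
            if peer is not mx:
                for r in peer.advertised():
                    mx.routes.append(Route(r.prefix, f"autovpn:{peer.name}"))


def trace(devices, src, dst, max_hops=8):
    """Forward a packet device by device; the last element says how it ended."""
    by_name = {d.name: d for d in devices}
    by_ip = {d.inside_ip: d for d in devices}
    dev, hops = by_name[src], [src]
    for _ in range(max_hops):
        r = dev.lookup(dst)
        if r is None:
            hops.append(f"unreachable at {dev.name}")
            return hops
        if r.via in ("local", "3rdparty-vpn"):
            hops.append(f"delivered via {r.via} at {dev.name}")
            return hops
        kind, _, target = r.via.partition(":")
        dev = by_name[target] if kind == "autovpn" else by_ip[ipaddress.ip_address(target)]
        hops.append(dev.name)
    hops.append("loop")
    return hops


def thread_topology():
    """Branch MX64 --AutoVPN-- MX100 hub --3rd-party VPN-- ASA/FortiGate LAN."""
    spoke = MX("MX64", ipaddress.ip_address("192.168.0.1"),
               [Route(ipaddress.ip_network("192.168.0.0/24"), "local")])
    hub = MX("MX100", ipaddress.ip_address("10.0.0.1"),
             [Route(ipaddress.ip_network("10.0.0.0/24"), "local"),
              Route(ipaddress.ip_network("172.16.0.0/16"), "3rdparty-vpn")])
    build_autovpn([spoke, hub])
    return [spoke, hub]


def two_hub_workaround():
    """Accepted answer: MX1 terminates AutoVPN, MX2 (separate org) terminates the
    3rd-party VPN; MX1 has an In-VPN static route to MX2, MX2 defaults to MX1."""
    spoke = MX("MX64", ipaddress.ip_address("192.168.0.1"),
               [Route(ipaddress.ip_network("192.168.0.0/24"), "local")])
    mx1 = MX("MX1", ipaddress.ip_address("10.0.0.1"),
             [Route(ipaddress.ip_network("10.0.0.0/24"), "local"),
              Route(ipaddress.ip_network("172.16.0.0/16"), "nexthop:10.0.0.2", in_vpn=True)])
    mx2 = MX("MX2", ipaddress.ip_address("10.0.0.2"),
             [Route(ipaddress.ip_network("10.0.0.0/24"), "local"),
              Route(ipaddress.ip_network("172.16.0.0/16"), "3rdparty-vpn"),
              Route(ipaddress.ip_network("0.0.0.0/0"), "nexthop:10.0.0.1")])
    build_autovpn([spoke, mx1])  # MX2 lives in its own org, so it is not a member
    return [spoke, mx1, mx2]


if __name__ == "__main__":
    print("thread topology  :", " -> ".join(trace(thread_topology(), "MX64", "172.16.0.5")))
    print("two-hub, outbound:", " -> ".join(trace(two_hub_workaround(), "MX64", "172.16.0.5")))
    print("two-hub, return  :", " -> ".join(trace(two_hub_workaround(), "MX2", "192.168.0.5")))
```

In the original topology the spoke's table never contains 172.16.0.0/16, so the packet dies on the MX64 even though the hub itself can reach that subnet; in the workaround the hub's In-VPN static route is what carries the prefix to the spoke, and the default route on MX2 is what makes the return path work.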

9 Replies
PhilipDAth
Kind of a big deal

Can you build the VPN from the two Merakis to the non-Meraki, rather than only from the hub?

 

That will make things much simpler.

Senan_Rogers
Getting noticed

Hello ,

 

Thank you. I have 43 branch sites, and all of them are connected to the MX 100 (Hub), and then temporarily they need to be connected to the Non-Meraki (Cisco ASA).

If I connect those 43 branch sites with S2S VPN to the Cisco ASA, then I will have 43 S2S VPN connections, which is not easy to maintain.

Any other advice?

 

Thank you

PhilipDAth
Kind of a big deal

I'm not confident that is going to work.

 

Normally the site-to-non-Meraki-site VPN is for subnets directly connected to the MX in question (and which you have specifically enabled). I am not confident you can build the VPN to routes sitting in its routing table.

What I did for one of my customers is put in a little ASA 5506 beside their MX hub. I added static routes on the ASA 5506 to get to all the remote MXs via the hub MX. I then added a route to the MX hub for the remote VPN via the ASA 5506 and included this in the AutoVPN. I then built a VPN between their 5506 and the remote non-Meraki VPN peer.

They actually had a few more complex site-to-site VPNs as well, including one that needed a NAT, so the ASA 5506 was the only "nice and clean" solution for them.

 

Perhaps this might be an option for you as well.

Senan_Rogers
Getting noticed

Hello ,

 

Thank you for your reply. I have found two alternative solutions, but both of them will need one more device added. Very similar to your solution.

Solution #1

I will connect a Cisco ASA in front of the MX100 and will connect both Cisco ASAs (S2S VPN), so it will be:

MX 64 -----> MX 100 ---- ASA ----------> ASA

Solution #2

I will use another MX100 in front of the Cisco ASA; in this case it will be MX 64 ----> MX100 ----> MX 100 ---- Cisco ASA

But I am looking to find out why we cannot have a two-hop VPN connection like the other products. To me this is similar to the max hop count in the RIP protocol (max 16 hops), after which there is no more routing.

In our case it seems Meraki cannot send traffic over two VPN connections if one of them is Non-Meraki.

PhilipDAth
Kind of a big deal

Can you do this style connection (my preferred option)?

 

            Internet
                |
         +------+------+
         |             |
         MX           ASA
         |             |
         +------+------+
                |
          Inside network

 

Senan_Rogers
Getting noticed

Hello ,

 

Thank you for your idea. It's very similar to my idea as well, and it will work also. But the question was why we cannot send traffic from Meraki ------- Meraki --------- Non-Meraki?

Do you face the same problem?

PhilipDAth
Kind of a big deal

I don't know. I'm not saying it won't work, but I am not very confident that it will. Adding an ASA 5506 will be rock solid reliable though.

MijanurRahman
Getting noticed

Did you check from 'Security Appliance > Addressing & VLANs' if you have the below configs:

- a route created from the MX64 (Meraki spoke) towards the ASA/FG (non-Meraki spoke). It should be dest: 172.16.0.1/16, gw: MX100 IP from the 192.168.0.1 subnet

- whether the route is advertised by selecting 'Yes' for 'In VPN'.

Screenshot added FYR.

HTH.

