Hi all,
we have an MX95 in our branch office with 2 different ISPs. One on WAN 1, and the other on WAN 2.
We built a 3rd party VPN with 3 subnets to our data center (an MX450 as a VPN concentrator, which is in another organization) over the WAN 1 primary connection.
So far, so good, everything works fine.
In case of a failover (WAN 1 is down), we want the same 3 subnets to go via a 3rd party tunnel on WAN 2 to the VPN concentrator (MX450).
Both ISPs (WAN 1 + WAN 2) have fixed public IPs.
On the VPN concentrator MX450, I can't put the same subnet on the other public IP of WAN 2 to build a second VPN tunnel.
How could I solve the problem, or is it only possible with AutoVPN?
With the MX there is no possibility, especially because the MX does not do any type of PBF so that you can do an automatic failover.
The only option I see is to configure the tunnel on some other device where you can configure PBF, or have an MX on the other end (which I believe is not possible in your case).
The truth is that a non-Meraki VPN is still very limited.
Or use a different subnet for the tunnel and do a NAT on the other end. It's a little more complex but maybe this will work.
Never tried it myself, maybe this works.
AFAIK the MX DDNS name resolves to the IP of WAN 2 if WAN 1 is down.
Good thinking, but the MX450 in the DC can not use an FQDN for a non-Meraki VPN peer.
If you have an MX95 in your branch and an MX450 in your data centre - why are you not using AutoVPN - where the failover is automated?
You would probably have to use tag-based failover for this scenario - but that is way more complicated than simply using AutoVPN.
https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover
>MX450 as a VPN Concentrator which is in another Organization
Doh. I missed this bit. I can only think of two solutions:
1. Get an extra MX to put into the DC that is in your org, behind the MX450 (in VPN concentrator mode). Build AutoVPN to that. Then you can simply use static routing between them.
2. Use tag-based IPsec VPN failover.