second 3rd party Site2Site VPN tunnel to another Org

Holli69

Hi all,

We have an MX95 in our branch office with 2 different ISPs, one on WAN 1 and the other on WAN 2.

We built a 3rd party VPN with 3 subnets to our data center (an MX450 as a VPN concentrator, which is in another organization) over the WAN 1 primary connection.

So far, so good, everything works fine.

In case of a failover (WAN 1 is down), we want the same 3 subnets to go via a 3rd party tunnel on WAN 2 to the VPN concentrator (MX450).

Both ISPs (WAN 1 + WAN 2) have fixed public IPs.

On the VPN concentrator MX450, I can't put the same subnet on the other public IP of WAN 2 to build a second VPN tunnel.

How could I solve this problem, or is it only possible with AutoVPN?

alemabrahao
Kind of a big deal

With the MX there is no possibility, especially because the MX does not do any type of PBF that would allow you to do an automatic failover.

The only option I see is to configure the tunnel on some other device where you can configure PBF, or have an MX on the other end (which I believe is not possible in your case).

The truth is that a non-Meraki VPN is still very limited.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Or use a different subnet for the tunnel and do a NAT on the other end. It's a little more complex but maybe this will work.
ww
Kind of a big deal

Never tried it myself, but maybe this works:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peerin...

AFAIK the MX DDNS name resolves to the IP of WAN 2 if WAN 1 is down.

PhilipDAth
Kind of a big deal

Good thinking, but the MX450 in the DC can not use an FQDN for a non-Meraki VPN peer.

PhilipDAth
Kind of a big deal

If you have an MX95 in your branch and an MX450 in your data centre - why are you not using AutoVPN - where the failover is automated?


You would probably have to use tag-based failover for this scenario - but that is way more complicated than simply using AutoVPN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover

PhilipDAth
Kind of a big deal

>MX450 as a VPN Concentrator which is in another Organization

Doh. I missed this bit. I can only think of two solutions:

1. Get an extra MX to put into the DC that is in your org, behind the MX450 (in VPN concentrator mode). Build AutoVPN to that. Then you can simply use static routing between them.

2. Use tag-based IPsec VPN failover.
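To make the tag-based option concrete, here is an added illustration (not from the thread or from Meraki) of the peer-selection logic behind it: the concentrator side carries one non-Meraki peer per branch WAN IP, both listing the same three subnets, and only the peer whose tag matches the network's current tag is active, so the "same subnet on two peers" clash the question runs into never occurs in the active set. Peer names, IPs, subnets, tags and the `"all"` wildcard are constructed values and assumptions, and nothing here calls the dashboard.

```python
"""Tag-based failover between two non-Meraki VPN peers (constructed model)."""
import ipaddress

# Constructed branch subnets behind the MX95 (the OP's "3 subnets").
BRANCH_SUBNETS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]

# Constructed peer table on the concentrator side: one entry per branch ISP,
# identical private subnets, distinct tags. Field names are an assumption.
PEERS = [
    {"name": "branch-wan1", "publicIp": "198.51.100.10",
     "privateSubnets": BRANCH_SUBNETS, "networkTags": ["branch-primary"]},
    {"name": "branch-wan2", "publicIp": "203.0.113.20",
     "privateSubnets": BRANCH_SUBNETS, "networkTags": ["branch-backup"]},
]


def active_peers(peers, network_tags):
    """Peers that apply to a network carrying network_tags ("all" matches any network)."""
    wanted = set(network_tags)
    return [p for p in peers
            if "all" in p["networkTags"] or wanted & set(p["networkTags"])]


def overlapping_subnets(peers):
    """List (subnet, peer, other_subnet, other_peer) for every pair of peers that
    claim overlapping subnets: the condition the dashboard refuses to accept."""
    seen, clashes = [], []
    for p in peers:
        for s in p["privateSubnets"]:
            net = ipaddress.ip_network(s)
            for other_net, other_name in seen:
                if net.overlaps(other_net):
                    clashes.append((s, p["name"], str(other_net), other_name))
            seen.append((net, p["name"]))
    return clashes


def tags_for_uplink(wan1_up):
    """Tag the branch network should carry for the current uplink state."""
    return ["branch-primary"] if wan1_up else ["branch-backup"]


def failover(peers, wan1_up):
    """Return (active peers, tags) for the uplink state, refusing a clashing set."""
    tags = tags_for_uplink(wan1_up)
    chosen = active_peers(peers, tags)
    clashes = overlapping_subnets(chosen)
    if clashes:
        raise ValueError(f"overlapping subnets in active peer set: {clashes}")
    return chosen, tags
```

With both tags applied at once the model reports three clashes, which is exactly why the single-tag switch is needed.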
