Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

second 3rd party Site2Site VPN tunnel to another Org

Holli69
Getting noticed
2 weeks ago
2 weeks ago

second 3rd party Site2Site VPN tunnel to another Org

Hi all,

we have an MX95 in our branch office with 2 different ISPs. One on WAN 1, and the other on WAN 2.

We build a 3rd party VPN with 3 Subnets to our Data Center (MX450 as a VPN Concentrator which is in another Organization) over the WAN 1 primary Connection.

So far, so good, everything works fine.

We want in case of a failover (WAN 1 is down), the same 3 Subnets should go via 3rd party tunnel on WAN 2 to the VPN Concentrator (MX450).

Both ISPs (WAN 1 + WAN 2) have fixed public IPs.

On the VPN Concentrator MX450, I can't put the same Subnet to the other public IP of WAN 2 to build a second VPN tunnel.

How could I solve the problem or is it only possible for AutoVPN ?

Labels:
0 Kudos
Subscribe
6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

With the MX there is no possibility, especially because the MX does not do any type of PBF so that you can do an automatic failover.

The only option I see is to configure the tunnel on some other device where you can configure PBF, or have an MX on the other end (which I believe is not possible in your case).

The truth is that a non-Maraki VPN is still very limited.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
alemabrahao
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Or use a different subnet for the tunnel and do a NAT on the other end. It's a little more complex but maybe this will work.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
ww
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Never tried it myself, maybe this works

 https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings#Non-Meraki_VPN_Peerin...

 

Afaik the mx ddns  name resolves ip of wan2 if wan1 is down

0 Kudos
Subscribe
In response to ww
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

Good thinking, but the MX450 in the DC can not use an FQDN for a non-Meraki VPN peer.

0 Kudos
Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

If you have an MX95 in your branch and an MX450 in your data centre - why are you not using AutoVPN - where the failover is automated?

 

You would probably have to use tag-based failover for this scenario - but that is way more complicated than simply using AutoVPN.

https://documentation.meraki.com/MX/Site-to-site_VPN/Tag-Based_IPsec_VPN_Failover 

Subscribe
PhilipDAth
Kind of a big deal
Kind of a big deal
2 weeks ago
2 weeks ago

>MX450 as a VPN Concentrator which is in another Organization

Doh.  I missed this bit.  I can only think of two solutions:
1. Get an extra MX to put into the DC that is in your org, behind the MX450 (in VPN concentrator mode).  Build AutVPN to that.  Then you can use simply static routing between them.

2. Used tag based IPSec VPN failover.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.