Have you seen this page: https://documentation.meraki.com/MX/Deployment_Guides/VPN_Concentrator_Deployment_Guide

Have a look at Appendix 1:

It is important to understand the flow of traffic sent across an AutoVPN tunnel while the MX is acting as a one-armed concentrator. In the following scenario we have a host at a branch location trying to load a webpage located in the datacenter, over the site-to-site VPN.

The client sends traffic for the private address of the web server to its default gateway, the MX (in Routed mode) at the branch location. The branch MX will look at its routing table and see that the destination IP address is contained within a subnet that is accessible over the Meraki AutoVPN. The branch MX encrypts and encapsulates the data from the client and sends a packet sourced from its WAN interface, destined for the public IP address and port of the one-armed concentrator at the datacenter that was learned through the VPN registry.

This traffic is routed across the Internet to the edge of the datacenter. The edge of the datacenter will NAT the traffic to a private address and send the traffic to the IP address of the one-armed concentrator. The traffic will traverse the network internal to the datacenter and arrive at the one-armed concentrator. The MX will then decrypt and de-encapsulate the traffic and forward the original packet (sent by the client from the branch) upstream. The upstream datacenter infrastructure routes the traffic to the server.

The server receives the client traffic and sends a response to the client. The response is then routed back through the internal datacenter network to the MX acting as a one-armed concentrator. Upon receiving this response, the one-armed concentrator sees that the destination IP address is contained within a subnet that is accessible over the site-to-site VPN, looks up the contact information for the corresponding AutoVPN peer, encapsulates and encrypts the data, and sends the response on the wire.
The response, destined for the public IP and AutoVPN port of the branch MX, is then routed through the datacenter and NAT’ed out to the Internet. The packet is then routed through the Internet to the branch MX. The Branch MX receives the response, decrypts, de-encapsulates, and forwards the server's response downstream. The response then traverses the internal branch network and is received by the client device.
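The hop-by-hop flow quoted above, as an added example that is not part of the original post or of the Meraki documentation: a small Python model of the branch MX, the datacenter edge NAT, the datacenter core routing and the one-armed concentrator. All addresses, the AutoVPN UDP port and the subnet names are constructed for this example (RFC 5737 / RFC 1918 space); the real tunnel port is assigned through the VPN registry and the real packets are encrypted, which the model represents by wrapping the original packet inside a tunnel packet. It also models the check a practitioner most often gets wrong with a one-armed concentrator: the datacenter core must carry a route for the branch subnet pointing at the concentrator, otherwise the server's response never reaches the MX to be tunnelled back.

```python
from dataclasses import dataclass, field, replace
from ipaddress import ip_address, ip_network

# Constructed addressing for this example (not from the post or the Meraki docs).
BRANCH_LAN = "10.10.0.0/24"
DC_LAN = "10.20.0.0/16"
BRANCH_WAN = "198.51.100.10"   # branch MX uplink address (assumed public, no NAT at the branch)
DC_PUBLIC = "203.0.113.5"      # datacenter edge public address published for the concentrator
CONC_IP = "10.20.0.2"          # the one-armed concentrator's single (LAN) address
AUTOVPN_PORT = 9350            # assumed tunnel port; the real one is learned from the VPN registry


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str
    inner: "Packet | None" = None   # non-None means this is an encapsulated AutoVPN packet


@dataclass
class MX:
    name: str
    wan_ip: str          # address the MX sources tunnel packets from and accepts them on
    vpn_port: int
    routes: dict         # subnet -> "local" or the name of the AutoVPN peer that owns it
    registry: dict       # peer name -> (public ip, port), as learned from the VPN registry
    trace: list = field(default_factory=list)

    def handle(self, pkt: Packet) -> Packet:
        # A tunnel packet addressed to us on the AutoVPN port: decrypt/decapsulate it.
        if pkt.inner is not None and pkt.dst == self.wan_ip and pkt.dport == self.vpn_port:
            self.trace.append(f"{self.name}: decapsulate tunnel packet from {pkt.src}")
            return pkt.inner
        # Otherwise route the original packet by destination.
        for net, via in self.routes.items():
            if ip_address(pkt.dst) in ip_network(net):
                if via == "local":
                    self.trace.append(f"{self.name}: {pkt.dst} is local, forward on the LAN")
                    return pkt
                peer_ip, peer_port = self.registry[via]
                self.trace.append(f"{self.name}: {pkt.dst} via AutoVPN peer {via} at {peer_ip}:{peer_port}")
                return Packet(self.wan_ip, peer_ip, peer_port, "encrypted", inner=pkt)
        raise LookupError(f"{self.name}: no route for {pkt.dst}")


class DCEdge:
    """Datacenter edge firewall: static NAT of the public address/port to the concentrator."""

    def __init__(self, public_ip: str, private_ip: str, port: int):
        self.public_ip, self.private_ip, self.port = public_ip, private_ip, port

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.dst == self.public_ip and pkt.dport == self.port:
            return replace(pkt, dst=self.private_ip)     # destination NAT to the concentrator
        raise LookupError(f"edge: no NAT rule for {pkt.dst}:{pkt.dport}, dropped")

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src == self.private_ip:
            return replace(pkt, src=self.public_ip)      # source NAT back to the public address
        return pkt


# Datacenter core routing: the branch subnet must point at the concentrator for return traffic.
DC_CORE_ROUTES = {DC_LAN: "server-vlan", BRANCH_LAN: "concentrator"}


def dc_core_next_hop(dst: str, routes: dict = DC_CORE_ROUTES) -> str:
    for net, hop in routes.items():
        if ip_address(dst) in ip_network(net):
            return hop
    return "edge"   # default route toward the Internet


def round_trip(client_ip: str = "10.10.0.50", server_ip: str = "10.20.5.80",
               dc_core_routes: dict = DC_CORE_ROUTES):
    """Run one request/response through the topology; returns (tunnel_out, tunnel_back, delivered)."""
    branch = MX("branch", BRANCH_WAN, AUTOVPN_PORT,
                {BRANCH_LAN: "local", DC_LAN: "concentrator"},
                {"concentrator": (DC_PUBLIC, AUTOVPN_PORT)})
    conc = MX("concentrator", CONC_IP, AUTOVPN_PORT,
              {DC_LAN: "local", BRANCH_LAN: "branch"},
              {"branch": (BRANCH_WAN, AUTOVPN_PORT)})
    edge = DCEdge(DC_PUBLIC, CONC_IP, AUTOVPN_PORT)

    # Request: client -> branch MX -> Internet -> DC edge (NAT) -> concentrator -> DC core -> server
    req = Packet(client_ip, server_ip, 443, "GET /")
    tunnel_out = branch.handle(req)
    at_conc = conc.handle(edge.inbound(tunnel_out))
    if at_conc != req or dc_core_next_hop(at_conc.dst, dc_core_routes) != "server-vlan":
        raise LookupError("request did not reach the server")

    # Response: server -> DC core -> concentrator -> DC edge (NAT) -> Internet -> branch MX -> client
    resp = Packet(server_ip, client_ip, 443, "200 OK")
    hop = dc_core_next_hop(resp.dst, dc_core_routes)
    if hop != "concentrator":
        raise LookupError(f"DC core sends return traffic to '{hop}': add a route for {BRANCH_LAN} via {CONC_IP}")
    tunnel_back = edge.outbound(conc.handle(resp))
    delivered = branch.handle(tunnel_back)
    branch.handle(delivered)   # branch MX forwards the decapsulated response on its LAN
    return tunnel_out, tunnel_back, delivered


if __name__ == "__main__":
    out, back, got = round_trip()
    print(f"request tunnel : {out.src} -> {out.dst}:{out.dport}")
    print(f"response tunnel: {back.src} -> {back.dst}:{back.dport}")
    print(f"client receives: {got}")
```

Running `round_trip()` with the default core routes shows the request leaving the branch WAN address for the datacenter public address and port, the response leaving the datacenter sourced from that same public address (after the edge's source NAT) and the client receiving the server's original packet. Passing a `dc_core_routes` without the branch subnet raises `LookupError`, which is the symptom of a concentrator deployment where the edge NAT is right but the internal return route to the one-armed MX is missing.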