Good day everyone, this is my first time posting in the forums so I apologize if I miss any details. I have a client office running HA MX250 to an AWS TGW. Meraki side has 2 VLANs included in the VPN and 3 private subnets (each a VPC in AWS) The AWS TGW route table has the following static routes. There is a 3rd VPN route included because I has removed one from the MX but have not update AWS TGW route table The issue I am having is that from the MX side, only one of the two include VLANs can actually send traffic to the VPC resources. If I run a ping from the meraki dashboard using the L3 interfaces to ping a gateway of a subnet in AWS, only one succeeds at a time. In the AWS site to site VPN config document that is downloaded from the VPN configuration page: ! AWS hosted VPN solution is a route-based solution, since Cisco Meraki only supports policy-based solution you will need to limit to a single SA. So please make sure to ! select "yes" for just one subnet, if you have more than one subnet, consolidate them into a single subnet before proceeding with the VPN configuration. If I am understanding this correctly, I am not able to have more than 1 subnet included in the non-meraki peer VPN due to this SA limitation. I have been trying to google how the Security Associations are established and it seems like the limitation is from the phase 2 IKE negotiations, since Phase 1 happens between the public addresses. Any confirmation or correction on my above understanding is greatly appreciated!
... View more