Non-Meraki VPN; proxy id's, .. how to specify NEAR subnets ?! <shrugs shoulders>

Solved
mpgioia
Here to help

I have a basic setup.

4 x Meraki MXs across 4 sites, all talking to each other via Meraki site-to-site VPN.

Under ../manage/configure/vpn_settings I have the networks propagated with the 'VPN participation' drop-down set to 'On'. They are two wide /16 networks.

One of those four Meraki sites has an additional peer to a non-Meraki VPN implementation.

I have three new routes (3 x more specific /24s within those wider /16 networks defined above) defined on the MX interfaces, so I can also set 'VPN participation' to 'On' for them too.

Set up the peer as per normal.

Here's the kicker: the far-end implementation sees Phase 1 pass with no problems, and even Phase 2, but then complains about the propagated proxy IDs.

It's seeing one of the wide /16 networks. 

Half understandable, because for some reason we can't specify NEAR subnets in the non-Meraki VPN peer setup? Only FAR subnets (via the 'private subnets' field)?!

Surely, there's a way to do this...

1 Accepted Solution
PhilipDAth
Kind of a big deal

Agreed @mpgioia, it is a pain. I sometimes add a Cisco ASA/router to a solution just to cover off this case when there is anything more complex than "simple" site-to-site VPNs.


7 Replies
jdsilva
Kind of a big deal

The near-end subnets are the same as the subnets marked as "in VPN" in the AutoVPN section. You can't specify a different set for each VPN type.
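As an added example, not code from the thread, from Meraki, or from any poster: a small Python script that works through the consequence of the reply above. It takes the subnets marked 'VPN participation: On' and a non-Meraki peer's 'private subnets' (the sample data is constructed here and shaped after the Meraki Dashboard API objects for site-to-site VPN settings and third-party VPN peers; the field names are an assumption, the addresses are made up), lists the proxy-ID pairs the far end would have to accept, flags the wide /16s that also cover the more specific /24s, and drafts deny rules for the workaround of blocking the unwanted traffic in the site-to-site VPN firewall. That the MX proposes one selector pair per local/remote subnet combination is inferred from the reply above, not confirmed by the thread.

```python
"""Proxy-ID planning for an MX non-Meraki VPN peer (added example, not Meraki code)."""
import ipaddress
from itertools import product

# Constructed sample, shaped after the Dashboard API site-to-site VPN settings
# object (mode / subnets with localSubnet + useVpn). Field names are an assumption.
SITE_TO_SITE_VPN = {
    "mode": "hub",
    "subnets": [
        {"localSubnet": "10.10.0.0/16", "useVpn": True},     # wide /16, AutoVPN
        {"localSubnet": "10.20.0.0/16", "useVpn": True},     # wide /16, AutoVPN
        {"localSubnet": "10.10.5.0/24", "useVpn": True},     # more specific /24
        {"localSubnet": "10.10.6.0/24", "useVpn": True},     # more specific /24
        {"localSubnet": "10.20.7.0/24", "useVpn": True},     # more specific /24
        {"localSubnet": "192.168.99.0/24", "useVpn": False}, # not in VPN at all
    ],
}

# Constructed sample, shaped after a third-party VPN peer object (name / publicIp /
# privateSubnets = the FAR subnets). Field names are an assumption.
THIRD_PARTY_PEER = {
    "name": "partner-fw",
    "publicIp": "203.0.113.10",
    "privateSubnets": ["172.16.50.0/24", "172.16.51.0/24"],
}


def local_vpn_subnets(cfg):
    """NEAR subnets as the MX will use them: everything with VPN participation on."""
    return [ipaddress.ip_network(s["localSubnet"]) for s in cfg["subnets"] if s["useVpn"]]


def proxy_ids(cfg, peer):
    """Every (local, remote) selector pair the far end can expect to be proposed
    (assumption: one pair per local/remote subnet combination)."""
    remote = [ipaddress.ip_network(s) for s in peer["privateSubnets"]]
    return list(product(local_vpn_subnets(cfg), remote))


def covering_subnets(cfg):
    """For each participating subnet, the wider participating subnets that contain it.
    A covered /24 does not remove the covering /16 from what is proposed."""
    nets = local_vpn_subnets(cfg)
    return {n: [w for w in nets if w != n and n.subnet_of(w)] for n in nets}


def unexpected_local_subnets(cfg, wanted):
    """Participating subnets the far end did not want to see as NEAR selectors."""
    wanted_nets = {ipaddress.ip_network(w) for w in wanted}
    return [n for n in local_vpn_subnets(cfg) if n not in wanted_nets]


def vpn_firewall_deny_rules(cfg, wanted, peer):
    """Draft deny rules (both directions) for the workaround of letting the far end
    accept the extra selectors and blocking the traffic on the MX instead. The rule
    shape mirrors site-to-site VPN firewall rules; it is an assumption, not checked."""
    rules = []
    for local in unexpected_local_subnets(cfg, wanted):
        for remote in peer["privateSubnets"]:
            for src, dst in ((str(local), remote), (remote, str(local))):
                rules.append({
                    "comment": f"block unwanted proxy-ID traffic to {peer['name']}",
                    "policy": "deny",
                    "protocol": "any",
                    "srcCidr": src,
                    "srcPort": "Any",
                    "destCidr": dst,
                    "destPort": "Any",
                    "syslogEnabled": True,
                })
    return rules


if __name__ == "__main__":
    wanted = ["10.10.5.0/24", "10.10.6.0/24", "10.20.7.0/24"]
    print("Selector pairs the far end must accept:")
    for local, remote in proxy_ids(SITE_TO_SITE_VPN, THIRD_PARTY_PEER):
        print(f"  {local} <-> {remote}")
    print("Subnets covered by a wider participating subnet:")
    for n, covers in covering_subnets(SITE_TO_SITE_VPN).items():
        if covers:
            print(f"  {n} is inside {', '.join(map(str, covers))}")
    print("NEAR subnets the far end did not ask for:",
          [str(n) for n in unexpected_local_subnets(SITE_TO_SITE_VPN, wanted)])
    print(len(vpn_firewall_deny_rules(SITE_TO_SITE_VPN, wanted, THIRD_PARTY_PEER)),
          "deny rules drafted")
```

With the constructed data the script shows the situation from the original post: the three /24s are proposed, but so are the two /16s that contain them, so the far end sees ten selector pairs instead of six and the extra four have to be either accepted on the far side or blocked in the MX VPN firewall.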

I'm going to have to get the other side to add them in (very silly/limiting), and then I'll firewall out the traffic.

This is commoditised IPsec site-to-site capability. Amazed you can't have a NEAR/FAR specified set per peer.

You can have FAR per peer, but not NEAR. :facepalm

Surely the two of you have raised this as a 'make a wish' or whatever that feature is called in the console/dashboard? Or is there an 'ideation' area in the community for such a thing?

How do we get Meraki to inject this into its development cadence? The merit is blindingly obvious to attack.

jdsilva
Kind of a big deal

I personally have not. I don't disagree with you on this, but my wish list has other items on it that are more important to me. But I can certainly toss a wish in to help your cause along 🙂

I can do it. No biggie.

jdsilva
Kind of a big deal

The more wishes the better the visibility 🙂

If you have a Meraki rep you deal with make sure they hear this too. 