Subnets to which the MX-Z device has Static LAN routes can also be advertised over the VPN. If you choose to advertise a statically routed subnet over the VPN, ensure that the gateway device for each subnet is configured to route traffic for remote VPN subnets to the MX-Z device, in order to keep your routing symmetrical.
In full tunnel configurations when specifying a prefix to be part of a VPN, everything covered by that prefix will be allowed in the VPN. Therefore, subnets that overlap will cause traffic in a more specific subnet to be sent through the VPN, even if it is not configured to be included in the VPN. For example, if 10.0.0.0/16 is configured to be included in the VPN but 10.0.1.0/24 is not, traffic sourced from 10.0.1.50 will still be sent over the VPN.
VPN Subnet Translation
In large distributed networks, multiple networks may have identical subnet scopes (for example, overlapping subnets). Site-to-site VPN communication requires each site to have distinct and non-overlapping local subnets. In the event that multiple locations have the same local subnet, enable VPN subnet translation to translate the local subnet to a new subnet with the same number of addresses. For more information, refer to the Using Site-to-site VPN Translation article.
Subnet Translation Example
- Branch 1 local subnet: 192.168.31.0/24
- Branch 2 local subnet: 192.168.31.0/24 (identical!)
- Branch 1 translated subnet: 10.0.1.0/24
- Branch 2 translated subnet: 10.0.2.0/24
In the example above, even though both networks have identical local subnets, they can communicate over the VPN using their translated VPN subnet. Branch 1 is accessible as 10.0.1.0/24 and Branch 2 is accessible as 10.0.2.0/24 over the VPN tunnel.
Open Shortest Path First (OSPF) Route Advertisement
While the MX Security Appliance does not currently support full OSPF routing, OSPF can be used to advertise remote VPN subnets to a core switch or other routing device, avoiding the need to create static routes to those subnets. OSPF advertisement is supported in VPN Concentrator mode or in Routed mode on MX 13.4+ firmware with VLANs disabled.
Advertise remote routes: If this is set to Enabled, OSPF will be used to advertise remote VPN subnets as reachable via this MX.
Router ID: The OSPF Router ID that this MX will use to identify itself to neighbors.
Area ID: The OSPF Area ID that this MX will use when sending route advertisements.
Cost: The route cost attached to all OSPF routes advertised from this MX.
Hello timer: How frequently the MX will send OSPF Hello packets. This should be the same across all devices in your OSPF topology.
Dead timer: How long the MX will wait to see Hello packets from a particular OSPF neighbor before considering that neighbor inactive.
MD5 Authentication: If this is enabled, MD5 hashing will be used to authenticate potential OSPF neighbors. This ensures that no unauthorized devices are injecting OSPF routes into the network.
Authentication Key: The Message Digest Algorithm 5 (MD5) key number and passphrase. Both of these values must match between any devices that you wish to form an OSPF adjacency.
WAN appliances in Routed mode only support OSPF when using the "Single LAN" LAN setting. This can be set on Addressing & VLANs page.
Non-Meraki VPN Peers
You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click Add a peer and enter the following information:
- A name for the remote device or VPN tunnel.
- What Internet Key Exchange (IKE) version to use (IKEv1 or IKEv2)* for more information regarding the diffrence between IKEv1 and IKEv2 please check this article.
- The public IP address of the remote device (NOTE: if the peer device is part of a high availability peer (HA), you will need to enter the HA's virtual IP).
- Local ID of this MX. This is an optional configuration and is what the remote peer will receive as the remote ID of this MX. Only available with IKEv2.
- If left blank (default) it is the uplink IP of the MX, not the public IP. Some peers may expect this to match the public IP of the MX, a User FQDN (for example, user@domain.com), or FQDN (for example, www.example.com) based on their configuration.
- The Remote ID of the remote peer. This is an optional configuration and can be configured to the remote peer’s User FQDN, FQDN, or IPv4 address as needed.
- Which of these values you use is dependent upon your remote device. Please consult its documentation to learn what values it is capable of specifying as its remote ID, and how to configure them (for example, Determining an ID Method for ISAKMP Peers for ASA firewalls).
- The subnets behind the third-party device that you wish to connect to over the VPN. 0.0.0.0/0 can also be specified to define a default route to this peer.
- The IPsec policy to use, for more information please check Custom IPsec policies with Site-to-site VPN.
- The preshared secret key (PSK).
- Availability settings to determine which appliances in your dashboard organization will connect to the peer.
Minimum Firmware Requirements:
- IKEv2 requires firmware version 15.12 or greater.
- IPv6 peering requires firmware version 18.2 or greater.
When setting up Non-Meraki VPN connections between two MXs in different organizations, make sure to populate the Remote ID field of the Non-Meraki VPN peer with the private IP address of the remote MX if all of the following conditions are met:
- The MXs are running firmware version MX 15 or higher.
- They do not use a User FQDN.
- They are connected behind an upstream NAT device.
Limitations:
- Non-Meraki VPN peers cannot use MX/Z appliances as an "exit hub" as they do not interpret a default route (0.0.0.0/0) as a valid traffic selector, unless you have configured either:
- A Passthrough or VPN Concentrator MX advertising a 0.0.0.0/0 route as a "Local Network" on the Site-to-Site VPN page.
- A NAT mode MX with a 0.0.0.0/0 LAN static route enabled for VPN.
- Non-Meraki VPN connections are only established over the active WAN uplink, and cannot be established across multiple WAN uplinks.
An MX that builds tunnels to both Auto VPN and Non-Meraki VPN peers will not route traffic between the non-Meraki VPN peers and other Auto VPN peers.
Making changes to Non-Meraki VPN settings under Security & SD-WAN > Configure > Site-to-site VPN, might result in existing Non-Meraki VPN tunnels bouncing. We recommend that you make changes during a maintenance window to minimize the impact of Non-Meraki VPN tunnels bouncing.
Non-Meraki VPN Peering with FQDN
This feature enables the use of FQDN instead of an IP address while configuring a Non-Meraki VPN peer. Using IP addresses can be tedious because with a dynamic IP address, a customer has to manually modify the Non-Meraki VPN settings on the Site-to-Site VPN page when there is an IP address change. With FQDN configuration, the hostname of the remote peer would automatically get resolved each time a connection is initiated.
“FQDN” differs from “User FQDN.” The MX resolves the FQDN to an IP address of the remote peer, whereas, “User FQDN” is used in conjunction with the IP address of the remote peer. “FQDN” identifies the remote peer and is configured in the “Public IP/Hostname” field. “User FQDN” identifies the local peer and is configured in the “Local ID” field.
Supported Products:
Configuration
The FQDN of the Non-Meraki VPN peer can be configured in the Public IP/Hostname field when IKEv2 is the selected IKE version.
The default behavior of the MX is to set remote_id to FQDN if it is not explicitly added in the dashboard Non-Meraki VPN peers settings. Please note, the remote id on one peer needs to match the local id on the other peer for the tunnel to be established.
If the configured FQDN fails to resolve, an event will be reported in Network-wide > Monitor > Event log on dashboard
NOTE For IKEv2
Meraki appliances build IPsec tunnels by sending out a request with a single traffic selector payload that contains all of the expected local and remote subnets. Certain vendors may not support allowing more than one local and remote selector in a given IPsec tunnel. For such cases, please use IKEv1 instead.
An MX-Z device will not try to form a VPN tunnel to a non-Meraki peer if it does not have any local networks advertised.
IPsec Policies
There are three preset IPsec policies available.
- Default: Uses the Meraki default IPsec settings for connection to a non-Meraki device
- AWS: Uses default settings for connecting to an Amazon Virtual Private Cloud (VPC)
- Azure: Uses default settings for connecting to a Microsoft Azure instance
If none of these presets are appropriate, the Custom option allows you to manually configure the IPsec policy parameters. These parameters are divided into Phase 1 and Phase 2.
Phase 1
- Encryption: Select between AES-128, AES-192, AES-256, and 3DES encryption
- Authentication: Select MD5, SHA1 or SHA256* authentication
- Diffie-Hellman group: Select between Diffie-Hellman (DH) groups 1, 2, 5 or 14*
- Lifetime (seconds): Enter the phase 1 lifetime in seconds
* These settings require firmware version 15.12 or greater
Phase 2
- Encryption: Select between AES-128, AES-192, AES-256, and 3DES encryption (multiple options can be selected)
- Authentication: Select between MD5, SHA1 and SHA256 authentication (both options can be selected)
- PFS group: Select the Off option to disable Perfect Forward Secrecy (PFS). Select group 1, 2, 5 or 14 to enable PFS using that Diffie-Hellman group.
- Lifetime (seconds): Enter the phase 2 lifetime in seconds
NOTE: Please ensure the phase 2 lifetimes are equal on both ends of the tunnel whenever possible. While MX's can sometimes honor a shorter phase 2 lifetime if they're acting in response to build a tunnel, they cannot while serving as the initiator of the tunnel.
Non-Meraki VPN Failover
For non-Meraki VPN the MX will fail over the IPSec tunnel from the MX Primary to Secondary internet link when the link is marked as failed. The primary link can be set under Security & SD-WAN > Configure > SD-WAN & Traffic Shaping page.
Peer Availability
By default, a non-Meraki peer configuration applies to all MX-Z appliances in your dashboard organization. Since it is not always desirable for every appliance you control to form tunnels to a particular non-Meraki peer, the Availability column allows you to control which appliances within your Organization will connect to each peer. This control is based on network tags, which are labels you can apply to your dashboard networks.
When All networks is selected for a peer, all MX-Z appliances in the organization will connect to that peer. When a specific network tag or set of tags is selected, only networks that have one or more of the specified tags will connect to that peer.
More information on network tags can be found in the Organization Overview article.
VPN Firewall Rules
You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic to/from from all MX-Z appliances in the Organization that participate in site-to-site VPN. Configuration steps for the rules can be found in the Site-to-site VPN Firewall Rule Behavior article.
Note: VPN Firewall rules will not apply to inbound traffic or to traffic that is not passing through the VPN.
Monitoring Site-to-site VPN
You can monitor the status of the site-to-site VPN tunnels between your Meraki devices by clicking Security & SD-WAN > Monitor > VPN Status. This page provides real-time status for the configured Meraki site-to-site VPN tunnels. It lists the subnet(s) being exported over the VPN, connectivity information between the MX-Z appliance and the Meraki VPN registry, NAT Traversal information, and the encryption type being used for all tunnels. For more information regarding this page, refer to the VPN Status Page article.
Troubleshooting
If the VPN tunnel is not coming up upon following the set-up guidelines listed above, you may need to generate interesting traffic first. This can be done by initiating a ping to an IP address in the remote subnet.
For other common issues and troubleshooting steps, please refer to Site-to-site VPN Troubleshooting.