# Meraki MX64 Auto VPN Test

## Site to Site (Meraki)

## Hub (Mesh)

> Establish VPN tunnels with all hubs and dependent spokes.

Exit hubs

> This option is only available if the MX-Z device is configured as a Hub. This option lets you designate the remote MX-Z device that is to receive all network traffic from the local MX-Z device. This creates a Full Tunnel configuration where all traffic destined for a default route is sent to the specified MX.

![](https://i.imgur.com/kNtUqjg.png)

d. (Optional) If another MX in the organization is also configured as a hub, it can be added as an Exit hub. If configured, all VPN client traffic to this MX will be tunneled to the specified exit hub.

1. The exit hub receives all traffic from the local MX in a full-tunnel configuration: everything that would otherwise follow the default route is tunneled to the exit hub, but a more specific (longer-prefix) route still takes precedence.
2. The MX does not currently support OSPF as a general routing protocol. OSPF on the MX can only be used to advertise remote VPN subnets to a core switch, and only in VPN concentrator mode.

So the Exit Hub setting acts like a "Default Route" for a hub to send unknown traffic to another hub? Yes.

## Spoke

> Establish VPN tunnels with selected hubs.

Hubs

> When an appliance is configured as a Spoke, multiple VPN Hubs can be configured for that appliance. In this configuration, the Spoke MX-Z device will send all site-to-site traffic to its configured VPN hubs.

![](https://i.imgur.com/Bm4sg5d.png)

d. Select the hub MX under the Name drop-down. Multiple hubs can be added and prioritized in descending order.
e. Select at least one hub for a Default route:

* If a hub is not configured as a default route, the spoke will only send traffic to this hub when the destination subnet is advertised by the hub.
* If a hub is configured as a default route, any traffic that is not destined for a higher-priority hub will be sent by default to this hub.
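The exit-hub and spoke default-route rules above reduce to the same lookup: longest prefix wins, equal prefixes fall back to hub priority, and only when nothing specific matches does the highest-priority hub flagged as default route (or the exit hub, on a hub) catch the traffic. The model below is an added example written for these notes, not Meraki code; the hub names, the `Hub`/`Mx` classes and the prefixes are constructed sample data, and a hub with an exit hub is represented simply as an `Mx` whose exit hub is a default-route `Hub`.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List


@dataclass
class Hub:
    name: str
    advertised: List[IPv4Network] = field(default_factory=list)  # subnets this hub advertises
    default_route: bool = False  # "Default route" ticked (spoke) / chosen as Exit hub (hub)


@dataclass
class Mx:
    local: List[IPv4Network]  # subnets directly behind the local MX
    hubs: List[Hub]           # dashboard order: highest priority first

    def next_hop(self, dst: str) -> str:
        """Where traffic to dst leaves: 'local', a hub name, or 'wan' (local internet)."""
        addr = ip_address(dst)
        # Candidate routes as (prefixlen, priority, target). Directly connected
        # subnets get priority -1 so they beat any hub advertising the same prefix.
        candidates = [(net.prefixlen, -1, "local") for net in self.local if addr in net]
        for prio, hub in enumerate(self.hubs):
            candidates += [(net.prefixlen, prio, hub.name)
                           for net in hub.advertised if addr in net]
        if candidates:
            # Longest prefix wins; equal prefixes fall back to hub priority (list order).
            candidates.sort(key=lambda c: (-c[0], c[1]))
            return candidates[0][2]
        # Nothing specific matched: the highest-priority hub flagged as default
        # route takes it (full tunnel, Figure 2). No such hub means split tunnel:
        # the packet goes out the local WAN (Figure 1).
        for hub in self.hubs:
            if hub.default_route:
                return hub.name
        return "wan"


def build_spoke(full_tunnel: bool = True) -> Mx:
    """Constructed sample topology; hub names and prefixes are made up."""
    hq = Hub("HQ", [ip_network("10.10.0.0/16"), ip_network("172.16.0.0/24")],
             default_route=full_tunnel)
    dc = Hub("DC", [ip_network("10.10.50.0/24"), ip_network("172.16.0.0/24")])
    return Mx(local=[ip_network("10.20.1.0/24")], hubs=[hq, dc])  # HQ outranks DC


if __name__ == "__main__":
    spoke = build_spoke()
    for dst in ("10.20.1.5", "10.10.1.9", "10.10.50.9", "172.16.0.3", "8.8.8.8"):
        print(dst, "->", spoke.next_hop(dst))
```

Note the second hub's 10.10.50.0/24 beats the higher-priority hub's 10.10.0.0/16 for 10.10.50.9: priority only breaks ties between equal prefixes. Building the same spoke with `full_tunnel=False` sends unmatched traffic out the local WAN instead of to HQ.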
**a. Auto VPN default:**

![](https://i.imgur.com/EQaIDWr.png)

Figure 1. Split tunnel w/ Hub-and-Spoke (connect directly to one peer). VPN connections (blue) are established to only one peer (top). Traffic to the internet (black) goes out locally from each site.

**b. Enable Exit Hub or default route**

![](https://i.imgur.com/QzkOjyj.png)

Figure 2. Full tunnel w/ Hub-and-Spoke (connect directly to one peer). VPN connections (blue) are established to only one peer (top). Traffic to the internet (black) goes out from a central concentrator/hub (top).

**NAT traversal**

If the MX-Z device is behind a firewall or other NAT device, there are two options for establishing the VPN tunnel:

> Automatic: In the vast majority of cases, the MX-Z device can automatically establish site-to-site VPN connectivity to remote Meraki VPN peers even through a firewall or NAT device using a technique known as "UDP hole punching". This is the recommended (and default) option.

> Manual: Port forwarding: If the Automatic option does not work, you can use this option. When Manual: Port forwarding is enabled, Meraki VPN peers contact the MX-Z device using the specified public IP address and UDP port number. You will need to configure the upstream firewall to forward all incoming traffic on that UDP port to the IP address of the MX-Z device.

To keep its registration alive, each Meraki node sends a keepalive message to the VPN Registry every 10 seconds. If more than 6 keepalives are missed by the registry, that node is marked as disconnected. For details on how connectivity to the VPN Registry works, see the Automatic NAT Traversal article (Reference 2).

Both Meraki peers must be in communication with the VPN registry in order to get the correct information to form a valid VPN tunnel. If one Meraki device, such as an MX security appliance, is able to reach the VPN registry, but the intended peer MX is not, the tunnel will not form.
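The two registry rules just stated (a node is disconnected once more than 6 keepalives at a 10-second interval are missed, and a tunnel needs both peers registered) as a small monitor, added here as an example and not Meraki code. The registry's own logs are not public, so the `SAMPLE_LOG` lines, their format, the node names and the `NOW` timestamp are all constructed for this example:

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

KEEPALIVE_INTERVAL = timedelta(seconds=10)  # one keepalive every 10 s (quoted above)
MAX_MISSED = 6                              # more than 6 missed -> marked disconnected

# Constructed sample: keepalives a monitor recorded, deliberately out of order
# for MX-HQ. Line format is made up for this example.
SAMPLE_LOG = """\
2024-03-05T10:01:00Z keepalive node=MX-HQ
2024-03-05T10:00:50Z keepalive node=MX-HQ
2024-03-05T10:00:00Z keepalive node=MX-Branch
2024-03-05T10:00:59Z keepalive node=MX-DC
"""
NOW = datetime(2024, 3, 5, 10, 1, 10, tzinfo=timezone.utc)  # evaluation instant (constructed)


def parse_last_seen(log: str) -> Dict[str, datetime]:
    """Most recent keepalive per node, regardless of line order."""
    last: Dict[str, datetime] = {}
    for line in log.splitlines():
        ts, _, node = line.split()  # "<timestamp> keepalive node=<name>"
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        name = node.split("=", 1)[1]
        if name not in last or when > last[name]:
            last[name] = when
    return last


def missed_keepalives(last_seen: datetime, now: datetime) -> int:
    """Whole keepalive intervals elapsed since the last one was received."""
    return max(0, int((now - last_seen) / KEEPALIVE_INTERVAL))


def registry_state(last_seen: datetime, now: datetime) -> str:
    # Exactly 6 missed (60 s of silence) is still "connected"; the 7th flips it.
    return "disconnected" if missed_keepalives(last_seen, now) > MAX_MISSED else "connected"


def state_after_silence(seconds: int) -> str:
    """State of a node whose last keepalive arrived `seconds` before NOW."""
    return registry_state(NOW - timedelta(seconds=seconds), NOW)


def tunnel_can_form(last: Dict[str, datetime], a: str, b: str, now: datetime) -> Tuple[bool, str]:
    """Both peers must be registered; one reachable peer is not enough."""
    for peer in (a, b):
        if peer not in last:
            return False, f"{peer} never reached the registry"
        if registry_state(last[peer], now) == "disconnected":
            missed = missed_keepalives(last[peer], now)
            return False, f"{peer} missed {missed} keepalives (more than {MAX_MISSED})"
    return True, "both peers registered"


if __name__ == "__main__":
    seen = parse_last_seen(SAMPLE_LOG)
    for node, when in seen.items():
        print(node, registry_state(when, NOW), f"missed={missed_keepalives(when, NOW)}")
    print(tunnel_can_form(seen, "MX-HQ", "MX-DC", NOW))
    print(tunnel_can_form(seen, "MX-HQ", "MX-Branch", NOW))
```

MX-Branch has been silent for 70 seconds (7 missed keepalives), so HQ cannot form a tunnel to it even though HQ itself is registered; that is the one-sided failure described above.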
A common cause is an upstream firewall blocking VPN registry communication on UDP port 9350 or UDP port 9351. This issue is explained in the VPN Registry Disconnected section of the Meraki Auto VPN troubleshooting documentation (Reference 4).

![](https://i.imgur.com/OZPrnal.png)

![](https://i.imgur.com/kxD5BjH.png)

## Client to site

WINS server: If VPN clients should use WINS to resolve NetBIOS names, select Specify WINS Servers from the drop-down and enter the IP addresses of the desired WINS servers.

## Reference

1. [Configuring Hub-and-spoke VPN Connections on the MX Security Appliance](https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Hub-and-spoke_VPN_Connections_on_the_MX_Security_Appliance)
2. [Automatic NAT Traversal for Auto VPN Tunneling between Cisco Meraki Peers](https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_Auto_VPN_Tunneling_between_Cisco_Meraki_Peers)
3. [Exit Hub and default routing](https://community.meraki.com/t5/Security-SD-WAN/Exit-Hub-and-default-routing/td-p/85241)
4. [Meraki Auto VPN - Configuration and Troubleshooting](https://documentation.meraki.com/MX/Site-to-site_VPN/Meraki_Auto_VPN_-_Configuration_and_Troubleshooting)