Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
380
Views
1
Helpful
2
Replies

AWS Site to Site VPN <=> Cisco Meraki, Tunnel Not Working.

oliver99
Level 1
Level 1

‎04-02-2024 06:08 PM

We are working on connecting AWS Site to Site VPN and Cisco Meraki.
At this time, the configuration resources are as follows.

AWS Site-to-Site VPN
Local IPv4 Network CIDR => 172.31.10.0/24 {Meraki}
Remote IPv4 Network CIDR => 10.10.0.0/16 {AWS VPC}

check 1
Cisco Meraki
Hub Mode
Tunnel 1 Outside IP address => xx.xx.xx.xx/30 => Private Subnet => 10.10.0.0/16
Tunnel 2 Outside IP address => xx.xx.xx.xx/30 => Private Subnet => 10.10.0.0/16

When set as above, the actual AWS Subnet connects only to the Private A area and does not connect to the Private C area.

check 2
Cisco Meraki
Hub Mode
Tunnel 1 Outside IP address => xx.xx.xx.xx/30 => Private Subnet => 10.10.0.0/20
Tunnel 2 Outside IP address => xx.xx.xx.xx/30 => Private Subnet => 10.10.20.0/20

Likewise, when setting as above, in the actual AWS Subnet, only the Private A area is connected, and the Private C area is not connected.

======
No matter how much I think about it, I don't understand it. What could be the reason? Is there anything else I need to configure?

Labels:
0 Helpful
2 Replies 2

MHM Cisco World
VIP
VIP

‎04-02-2024 09:17 PM

Private A and C I don't get it, 

Can you more elaborate and share the tunnel config and route you use 

MHM

0 Helpful

oliver99
Level 1
Level 1
In response to MHM Cisco World

‎04-02-2024 10:24 PM

Dear, VIP.

It means.
Private A => AWS Availability Zone A
Private C => AWS Availability Zone C

===
AWS Tunnel Config File

IPSEC Tunnel #1
Go to Security & SD-WAN > Configure > Site-to-site VPN
a. Select Hub
b. Select Local Networks - Networks you want to advertise to AWS
c. In Organization-wide settings, select 'Non-Meraki VPN peers'
1. Name: ipsec-vpn-xxxxxx-0
2. What IKE version to use: IKEv2
3. Remote IP: 1.11.111.10
4. Remote ID: 1.11.111.10 - optional
5. Private Subnets: - VPC CIDRs

IPSEC Tunnel #2
Go to Security & SD-WAN > Configure > Site-to-site VPN
a. Select Hub
b. Select Local Networks - Networks you want to advertise to AWS
c. In Organization-wide settings, select 'Non-Meraki VPN peers'
1. Name: ipsec-vpn-xxxxxx-1
2. What IKE version to use: IKEv2
3. Remote IP: 2.22.222.20
4. Remote ID: 2.22.222.20 - optional
5. Private Subnets: - VPC CIDRs

===
Cisco Meraki Settings

스크린샷 2024-04-03 오후 2.15.46.png

Customers Also Viewed These Support Documents