Need help Site-to-Site VPN between MX67 and Sophos XGS

Hello,
I have a question or two about setting up a site-to-site VPN between a Meraki MX67 and a Sophos XGS.
So I have already found the point on the Meraki cloud page where I can activate the site-to-site VPN. However, there is no button there to manually create the configuration for non-Meraki firewalls so that a site-to-site VPN can then be set up.
I am not familiar with the Meraki, but is it possible that there is a SuperAdmin user who alone is allowed to make such settings, or is an extra license required for the setup with a non-Meraki FW?
Sorry if I can't express myself well, but I'm from Germany and my English is a bit rusty.

I hope that you can help me a bit here so that I can still get the site-to-site VPN created between the MX67 and the XGS.

Best regards

Hajo

14 Replies

Hi @Hans Juergen Guenter

I am not a Meraki guy, but this doc says it is possible:

"Non-Meraki VPN peers

You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:"

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings

Hi Flavio Miranda,

there is no "Add a peer" button. That's why I asked about my problem. If there were a button, I could click on it to configure a non-Meraki FW device.

Are you using TACACS? Is there any chance you have no privilege?

Good morning Flavio Miranda,

No, they don't use TACACS. Is there perhaps a SuperAdmin and an Admin in the permissions, so that only the SuperAdmin can make these changes?

You do not need an extra license for this. You need to have admin rights on the network with the MX.

It would help if you had posted a screenshot of what you see on the configuration page.

The config starts by enabling Site-to-Site VPNs by choosing either Hub or Spoke:

[screenshot: KarstenIwen_0-1690181276243.png]

Then you can add the peers:

[screenshot: KarstenIwen_1-1690181350601.png]

The rest is all in the documentation.

That is what I currently see:

[screenshot: Meriaki-VPN.PNG]

This looks as if you are only a read-only user on this dashboard network. Ask the admin for "full" administration rights.

Hello Karsten Iwen,

Are there administrators who only have read rights? I looked at the user administration and it says that our user is an administrator.

Yes, you can have "read-only" or "full" rights.

Hi,

Our user is under Network Admin and has full rights. Could it be that we have to be Organization Admin?

Yes, site-to-site VPNs are configured organization-wide and not "per MX".

Hello,

Thanks for the tip. Now I was able to set that up. The site-to-site tunnel is also available, but unfortunately I can only reach the opposite network in one direction.

Current configuration:

Server HAN => Sophos => Fritzbox => Internet <= Meraki <= Server BLN

I can ping the server from the server BLN and get a response.
I cannot reach the server BLN from the server HAN and the ping fails.

In the Sophos, however, I see that the ICMP was successfully sent through the tunnel.

Does anyone know where the problem could be?

Is the Windows Firewall on Server BLN dropping ICMP?

No, on the server BLN ICMP is allowed.