07-20-2023 11:36 PM - edited 07-20-2023 11:37 PM
Hello,
I have a question or two about setting up a site-to-site VPN between a Meraki MX67 and a Sophos XGS.
So I have already found the point on the Meraki Cloud page where I can activate the site-to-site VPN. However, there is no button there to manually create the configuration for non-Meraki firewalls so that a site-to-site VPN can then be set up.
I am not familiar with the Meraki, but is it possible that there is a SuperAdmin user who is only allowed to make such settings, or is an extra license required for the setup with a non-Meraki FW?
Sorry if I can't express myself well, but I'm from Germany and my English is a bit rusty.
I hope that you can help me a bit here so that I can still get the site-to-site VPN created between the MX67 and the XGS.
Best regards
Hajo
07-21-2023 03:00 AM
I am not a Meraki guy, but this doc says it is possible:
"You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:"
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Settings
07-21-2023 04:42 AM
Hi Flavio Miranda,
there is no "Add a peer" button. That's why I asked about my problem. If there were a button, I could click on it to configure a non-Meraki FW device.
07-21-2023 04:55 AM
Are you using TACACS? Is there any chance you have no privileges?
07-23-2023 11:19 PM
Good morning Flavio Miranda,
No, they don't use TACACS. Are there perhaps SuperAdmin and Admin roles in the permissions, so that only the SuperAdmin can make these changes?
07-23-2023 11:49 PM
You do not need an extra license for this. You need to have admin rights on the network with the MX.
It would help if you had posted a screenshot of what you see on the configuration page.
The config starts by enabling Site-to-Site VPNs by choosing either Hub or Spoke:
Then you can add the peers:
The rest is all in the documentation.
07-24-2023 12:36 AM - edited 07-24-2023 12:36 AM
That is what I currently see:
07-24-2023 01:15 AM
This looks as if you are only a read-only user on this dashboard network. Ask the admin for "full" administration rights.
07-24-2023 01:27 AM
Hello Karsten Iwen,
Are there administrators who only have read rights? I looked at the user administration and it says that our user is an administrator.
07-24-2023 02:01 AM
Yes, you can have "read-only" or "full" rights.
07-24-2023 02:19 AM
Hi,
Our user is under Network Admin and has full rights. Could it be that we have to be an Organization Admin?
07-24-2023 03:13 AM
Yes, Site-to-Site VPNs are configured organization-wide and not "per MX".
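To make the permission distinction in this thread concrete (network-level "full" rights versus organization-level "full" rights), here is an added Python example; it is not code from Meraki, from the Cisco community, or from any poster in this thread. The JSON shape follows the Meraki Dashboard API's organization admins listing as I understand it (`orgAccess` plus per-network `networks[].access`); the admin names, e-mail addresses and the network id are constructed, and tag-based network grants are deliberately not modelled. The effective-access helper generalises slightly beyond the thread by combining an organization-level grant with an explicit per-network grant.

```python
import json

# Constructed sample (not a real organization). It mimics the shape of the
# Meraki Dashboard API "list organization admins" response: organization-level
# access lives in "orgAccess", per-network grants in "networks".
SAMPLE_ADMINS_JSON = json.dumps([
    {"name": "Hajo", "email": "hajo@example.invalid", "orgAccess": "none",
     "networks": [{"id": "N_EXAMPLE_1", "access": "full"}]},
    {"name": "Org Owner", "email": "owner@example.invalid", "orgAccess": "full",
     "networks": []},
    {"name": "Auditor", "email": "audit@example.invalid", "orgAccess": "read-only",
     "networks": []},
])

# Ordering used to pick the strongest of several grants on one network.
ACCESS_RANK = {"none": 0, "read-only": 1, "full": 2}


def effective_network_access(admin, network_id):
    """Strongest access an admin holds on one network.

    An organization-level grant applies to every network; an explicit
    per-network grant is considered on top of it. Tag-based grants are
    not modelled in this example.
    """
    levels = [admin.get("orgAccess", "none")]
    for net in admin.get("networks", []):
        if net.get("id") == network_id:
            levels.append(net.get("access", "none"))
    return max(levels, key=lambda lvl: ACCESS_RANK.get(lvl, 0))


def can_configure_org_wide(admin):
    """Organization-wide settings (such as the site-to-site VPN configuration
    discussed in the thread) need 'full' access at the organization level;
    full rights on a single network are not sufficient."""
    return admin.get("orgAccess") == "full"


def audit(admins_json, network_id):
    """Per admin e-mail: effective network rights vs organization-wide rights.

    The gap between the two columns is exactly the situation in the thread:
    a network admin with 'full' on the MX network but no org-wide rights.
    """
    report = {}
    for admin in json.loads(admins_json):
        report[admin["email"]] = {
            "network_access": effective_network_access(admin, network_id),
            "org_wide_config": can_configure_org_wide(admin),
        }
    return report


def org_full_admins(admins_json):
    """E-mails holding organization-level 'full' access, i.e. the people who
    can either make the org-wide change or grant that right."""
    return sorted(a["email"] for a in json.loads(admins_json)
                  if a.get("orgAccess") == "full")


if __name__ == "__main__":
    for email, rights in audit(SAMPLE_ADMINS_JSON, "N_EXAMPLE_1").items():
        print(f"{email}: network={rights['network_access']}, "
              f"org-wide config={rights['org_wide_config']}")
    print("org-level full admins:", org_full_admins(SAMPLE_ADMINS_JSON))
```

Run against a real admins listing, the report shows who can legitimately change the org-wide VPN settings. From a least-privilege standpoint, it is usually better to have one of the few organization-level "full" admins make that change than to elevate a network admin permanently.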
07-25-2023 03:37 AM
Hello,
Thanks for the tip. Now I was able to set that up. The site-to-site tunnel is also up, but unfortunately I can only reach the opposite network in one direction.
Current configuration:
Server HAN => Sophos => Fritzbox => Internet <= Meraki <= Server BLN
I can ping the server from server BLN and get a response.
I cannot reach server BLN from server HAN; the ping fails.
In the Sophos, however, I see that the ICMP was successfully sent through the tunnel.
Does anyone know where the problem could be?
07-25-2023 09:07 PM
Is the Windows Firewall on Server BLN dropping ICMP?
07-26-2023 03:32 AM
No, on server BLN ICMP is allowed.