Meraki Firewall - Hub and Spoke Tunnels

Status
Not open for further replies.

ShepsCrook

So I've got a Meraki firewall at HQ as well as the other offices. We're set up for tunneling with a hub and spoke method on the Merakis.

HQ is getting upgraded to 1GB fiber through another company which means an IP address change. When the new line is connected, is that automatically updated to the spokes for the IP?
 
Depends on what the remotes are connecting to. Are they connecting to a URL or a fixed IP address? If URL, once the DNS changes propagate after the ISP swap, they should reacquire the home office. If fixed IP, you will likely have to visit the remote offices to change the target IP for the VPN. It is generally a bad idea to allow WAN admin access to a firewall, but allowing access from the NEW IP only, if you know it ahead of time, might be a way to avoid a bunch of traveling. Talking someone in a remote site through the IP change is another.

If you are lucky, the HQ device will still connect to the remotes and may allow for an auto update of the remote's target for the VPN.

I had a similar setup using Juniper/Netscreen devices. Never had to change the HQ device IP but remote IP changes did happen due to ISP changes or office moves.
 
Meraki has cloud access to the devices, so I can configure and change settings without traveling which is nice.
However, it doesn't look like there are any set IPs or URLs in the site to site settings.
 
Nice, right up until your WAN admin configuration privileges (aka. "cloud access") are compromised and your devices are all screwed with remotely.
 
Yeah. Every device gets messed up then. But either way. I'm just curious because I don't see places that actually need the WAN IP addresses for these configurations.
 
Got curious. From the Cisco Meraki website: https://meraki.cisco.com/technologies/auto-vpn

Looks like it claims to automatically configure your VPN settings via 'cloud magic'.

Wonder if this is another of those things like Under Armour IoT fitness things that quit working if the Cisco Meraki cloud is shut off or goes down?


I'm thinking I should be all set there if that's the case. Thank you for finding that.
 