Skip to main content
Cisco Meraki

Cisco+ Secure Connect - Meraki MX IPSec Tunnel

  1. Last updated
  2. Save as PDF

Please note that Auto VPN is the go-to way to connect to Cisco+ Secure Connect but for certain scenarios if there is any need to connect a Meraki site to Cisco+ Secure Connect via IPSec, below config should be used.

 

Prerequisites

  1. The Meraki MX requires MX 15.12+ firmware, on which users are able to configure the Non-Meraki VPN Peer with the two following Umbrella requirements:
    1. Choose IKE version type on each Non-Meraki VPN Peer. When choosing IKEv2, the "Local ID" field will be enabled. The User FQDN info needs to be added into this field.
    2. On IPSec policies, choose "Diffie-Hellman group" 14.

Configuration 

To establish an IPSec tunnel to Umbrella, configurations must be made on both Umbrella Dashboard and Meraki Dashboard.

Umbrella Dashboard

In the Umbrella dashboard, navigate to Deployments > Network Tunnels > select Add

 

Screen Shot 2019-09-17 at 2.41.27 PM.png

 

Name the tunnel and select Device Type > Meraki MX.

 

Tunnel_Name2.png

 

Set the Tunnel ID and Passphrase. This will be entered as the Local ID (User FQDN) and preshared secret in the Meraki dashboard.

 

Screen Shot 2019-09-17 at 2.46.17 PM.png

 

After setting the Tunnel ID and Passphrase, a confirmation prompt will be displayed, allowing you to copy and paste the Tunnel ID and Passphrase to Local ID (User FQDN) and Preshared secret in the Meraki dashboard.

 

Screen Shot 2019-09-17 at 3.02.42 PM.png

Meraki Dashboard

Navigate to Security & SD-WAN > Site-to-site VPN > Select desired subnets to participate in VPN.

 

VPN-Participate.png

In the Security & SD-WAN > Site-to-site VPN > Non-Meraki VPN peers section, select Add a peer.

 

Screen Shot 2019-09-17 at 3.12.04 PM.png

 

 

Please Note that to use the specific TAg when building this kind of tunnel to the site, for example here is using SIG. By default if you have ALL Networks, it will create third party IPSEC tunnel to rest of the orgs which will not be an intended result and can bring an OUTAGE.

For the Non-Meraki VPN peers fields:

  • Name: Provide any sample name for the tunnel
  • Public IP: You will find this IP address in the article at https://docs.umbrella.com/umbrella-user-guide/docs/cisco-umbrella-data-centers
  • Local ID: You will get this string from Umbrella dashboard once you have completed creating a Network Tunnel Identity using PSK.
  • Private subnets: This will always be 0.0.0.0/0 You will be redirecting all internet bound traffic into the tunnels.
  • IPSec policies: Choose Preset of “Umbrella”.  This will populate all of the IPSec tunnel parameters necessary for Umbrella connectivity.
  • Preshared secret: You will get this string from Umbrella dashboard once you have completed creating a Network Tunnel Identity using PSK.
  • Availability: You will add the Tag here that you had defined earlier for the MX appliance that will be building the tunnels to Umbrella cloud.  If you want the configuration to apply to all networks, you can use the All option.

 

Verification of the Umbrella IPSec parameters can be viewed by selecting Umbrella

 

Screen Shot 2019-09-17 at 3.26.42 PM.png

 

Lastly, you will have to generate interesting traffic through the tunnel in order for the Umbrella dashboard to reflect active tunnel status. To generate interesting traffic, simply source pings from a VPN-participating VLAN (navigate to Security & SD-WAN > Appliance Status > Tools) to a destination IP address that would take the IPSec tunnel route.

 

Screen Shot 2019-09-17 at 4.19.06 PM.png

 

Meraki dashboard displaying an active Umbrella SIG IPSec tunnel (Security & SD-WAN > VPN Status) should look like the following:

 

Screen Shot 2019-09-17 at 4.25.57 PM.png

 

Umbrella Dashboard displaying an active IPSec tunnel to Meraki MX (Deployments > Network Tunnels) should look like the following:

 

Screen Shot 2019-09-17 at 4.23.45 PM.png

 

Validation

To validate traffic being sent to over the tunnel to SIG vs traffic not being sent over the tunnel we can connect to a network on a VLAN that is participating in tunnel and one that is not to observe the difference.

 

For this test we used the below configuration where the Default VLAN1 is not participating in VPN and the SIG VLAN10 is participating. This configuration can be viewed under Security & SD-WAN > Site-to-site VPN.

 

VPN-Participate.png

 

Using a Wireless capable MX68CW two SSIDs were created. One on VLAN1 and the other on VLAN10.

 

SSIDConfig.png

 

When a device connects to the SSID SIG1, it receives an IP on VLAN10.

 

SIG-SSID-Connect.png

 

When the device accesses the Internet, the traffic will have a NAT address from Umbrella.

 

SIG-SSID-Connect-PubIP.png

 

When a device connects to the SSID DIA, it receives an IP on VLAN1.

 

DIA-SSID-Connect.png

 

When the device accesses the Internet, the traffic will have a NAT address from the MX Internet Interface.

 

DIA-SSID-Connect-PubIP.png