Cisco Meraki product lines offer various types of VPN options for small office and/or remote deployments. Each option is recommended for a different type of scenario, ranging from a single client to several wired and wireless clients. If you have a complex requirement not covered below, please contact your Cisco Meraki account executive to discuss what would be the best fit for your particular needs. This article will discuss the scenarios listed below.
- Single Client VPN
- Wireless Client VPN
- Wired/Wireless Client VPN
Single Client VPN
Single client VPN would be particularly useful for users of mobile devices and laptops, as well as home desktop users. The Meraki Client VPN utilizes the native VPN client built into operating systems such as Windows, OS X, and iOS.
Client VPN creates a tunnel from the client and forwards all VPN traffic through that tunnel to the MX. The MX will then forward the traffic towards the destination. Each client that connects is placed on the subnet specified for Client VPN devices.
For a guide on configuring Client VPN on the MX and the client device, please refer to our Client VPN Configuration Page.
Wireless Client VPN
Note: This VPN only works with a Cisco Meraki MR Access Point.
Wireless Client VPN would ideally work when users want to utilize their wireless devices, or in an instance where there are only wireless clients in the environment. In this case the VPN SSID option is available; this option creates an SSID that will send all traffic through a VPN tunnel to either an MX Concentrator or VM Concentrator.
The wireless client will connect to the SSID like a standard wireless network, authenticate if necessary (WPA2-PSK or 802.1X), and all traffic, or only VPN-specific traffic (i.e., Split Tunnel VPN), will be sent through a VPN tunnel to a concentrator.
To configure the SSID please refer to our Teleworker VPN Configuration guide.
Wired/Wireless Client VPN
Wired/Wireless VPN would be best for a home or office that has both wired and wireless clients that need traffic sent over a VPN. The devices that support this are the Z-series Teleworker Gateways, MX60W, MX64W, MX65W, MX67W, MX68W, and MX68CW. Each of those units has both wired and wireless connectivity and can utilize the Site-to-Site VPN feature to forward both wired and wireless traffic to the remote VPN site. Any other MX appliance can also use Site-to-Site VPN, but a separate wireless access point would be necessary to provide wireless network access.
Wired clients would act as normal clients on the LAN until their traffic is received by the MX, at which point it will be encapsulated and sent over the VPN. Wireless traffic would be treated in the same way: once the client traffic is received by the MX, it will be encapsulated and sent over the VPN.
If split tunnel is configured, only traffic destined for the remote network will traverse the VPN. If full tunnel is enabled, Internet traffic will be sent over the VPN tunnel in addition to traffic destined for the remote network.
For assistance setting up a site-to-site VPN, please refer to our Site-to-Site VPN Configuration guide.