
Cisco Meraki Documentation

Small Remote or Home Office VPN Options

Cisco Meraki product lines offer several VPN options for small office and remote deployments. Each option is recommended for a different scenario, ranging from a single client to several wired and wireless clients. If you have a complex requirement not covered below, please contact your Cisco Meraki account executive to discuss the best fit for your particular needs. This article discusses the scenarios listed below.

  • IPSec Client VPN
  • Cisco Secure Client (formerly AnyConnect)
  • Wireless Client VPN
  • Wired/Wireless Client VPN

IPSec Client VPN

The IPSec Client VPN is useful for users of mobile devices, laptops, and home desktops, because it is supported by the native VPN client built into many operating systems, including:

  • Windows
  • OS X
  • iOS

The IPSec Client VPN creates an IPSec L2TP tunnel from the client and forwards all VPN traffic through that tunnel to the MX. The MX will then forward the traffic towards the destination. Each client that connects is placed on the subnet specified for Client VPN devices. 

Single Client VPN diagram

For more information, please refer to Client VPN Overview.

Cisco Secure Client (formerly AnyConnect)

Cisco Secure Client, formerly known as Cisco AnyConnect Secure Mobility Client, is a versatile VPN client that provides remote workers with secure access to their organization's network. It is designed to provide a seamless and secure connection for users, regardless of their location or the device they are using.

Cisco Secure Client, formerly Cisco AnyConnect Secure Mobility Client, is available for Windows 10 and 11. The user interface will be familiar to current AnyConnect users with some updated branding and iconography.

Clients running on macOS and Linux will continue to utilize AnyConnect 4.x until Cisco Secure Client has full OS support.

Integrating Cisco AnyConnect with Meraki MX devices provides a robust and secure VPN solution ideal for small remote or home offices. It ensures encrypted connections using SSL and IPsec protocols, offers comprehensive endpoint security, and provides user-friendly access across multiple platforms. The solution is easy to deploy and manage, offering centralized control and monitoring. 

For more information, please refer to AnyConnect on the MX Appliance.

Wireless Client VPN  

Note: This VPN only works with a Cisco Meraki MR Access Point.

 

Wireless Client VPN is best suited to users who want to use their wireless devices, or to environments where there are only wireless clients. In this case the VPN SSID option is available; this option creates an SSID that sends all traffic through a VPN tunnel to an MX Concentrator.

The wireless client connects to the SSID like a standard wireless network and authenticates if necessary (WPA2-PSK or 802.1X). All traffic, or only VPN-specific traffic (i.e. Split Tunnel VPN), is then sent through a VPN tunnel to a concentrator.

Wireless Client, VPN tunnel from MR to MX diagram

For more information, please refer to MR Teleworker VPN.

Wired/Wireless Client VPN

Wired/Wireless VPN is best for a home or office that has both wired and wireless clients that need traffic sent over a VPN. The devices that support this are the Z-series Teleworker Gateways, MX60W, MX64W, MX65W, MX67W, MX68W, and MX68CW. Each of those units has both wired and wireless connectivity and can use the Site-to-Site VPN feature to forward both wired and wireless traffic to the remote VPN site. Any other MX appliance can also use Site-to-Site VPN, but a separate wireless access point would be necessary to provide wireless network access.

Wired clients act as normal clients on the LAN until their traffic is received by the MX, where it is encapsulated and sent over the VPN. Wireless traffic is treated in the same way: once the client traffic is received by the MX, it is encapsulated and sent over the VPN.

If split tunnel is configured, only traffic destined for the remote network will traverse the VPN. If full tunnel is enabled, Internet traffic will be sent over the VPN tunnel in addition to traffic destined for the remote network.

Wired and Wireless clients, VPN tunnel from MX/Z3 to MX

For more information, please refer to Site-to-Site VPN Settings.
