Cisco Meraki Documentation

Site to Site VPN with Meraki Go Router Firewalls

Meraki Go Router Firewall (GX Series) VPN Guide

The GX50 product supports Client VPN and Site-to-Site VPN. The intent of this guide is to explain the differences between these two types of access, how the technology works, and how to configure VPN on Meraki Go GX50s.

Note: Full Tunnel functionality is currently not supported.

Requirements

  1. A GX50 is required to use Client VPN
  2. Two or more GX50s are required for Site-to-Site VPN
    • Each GX50 must be in the same company to form a Site-to-Site VPN.

Configure Site-to-Site VPN

  1. Have multi-site configured (more than one GX50 managed by a single Meraki Go company).
  2. Enable Site-to-Site VPN via the settings menu: Settings -> Advanced Settings -> Site to Site VPN
  3. Choose which wired networks (VLANs) will participate in VPN.
  4. Save changes
  5. Repeat for all GX50 sites that desire VPN access.

What is VPN?

Virtual Private Networks (VPNs) allow you to connect remote locations together over an encrypted channel. This might allow sending print jobs to a printer at an office, allow remote desktop connections, or create an easy path for sharing files between computers. The most common ways to use a VPN include Client VPNs and Site-to-Site VPNs.

What is Client VPN?

  • Client VPN is configured on all end devices (laptops, phones, computers).
  • Allows users to access printers, file shares, and computers connected to the GX50 with Client VPN enabled.
  • Username and password match your Meraki Go login credentials.

What is Site-to-Site VPN?  

  • Site to Site VPN is configured on the GX50.
  • Allows users from one GX50 location to access resources at another GX50 location.
  • No client device configuration necessary.

What is the VPN Registry?

How it works

In order for VPN setup to occur automatically, each GX participating in site-to-site VPN will contact the cloud VPN Registry. The VPN registry keeps a record of the public IP address and UDP port that each GX50 is using when making contact. The process for two or more GX50s to establish VPN connectivity works as follows:

  1. Each GX50 comes online and checks in with the cloud and downloads the configuration set in the mobile or web app.
  2. If site-to-site VPN is enabled, the GX50 will reach out to the VPN registry for two reasons:
    • Allow the VPN registry to learn the GX50's public IP address and UDP port for VPN
    • Allow the GX50 to learn the public IP address and UDP port of its peers in the site-to-site VPN.
  3. The GX50 directly connects to the public IP address and UDP port it learned from the VPN registry for any peers in the Meraki Go company.

Status & Troubleshooting

VPN Registry is not connected

Connectivity to the VPN registry does not reflect connectivity between GX50s using site to site VPN. The VPN registry is used to learn contact information of participating GX50s, which then directly connect to each other.

However, if the VPN registry is always disconnected, the VPN tunnel will not work. Ensure that nothing is blocking UDP ports 9350-9381 to the internet, which is the communication point for the VPN registry. The source port used by the GX50 is random, but it can also be filtered or blocked. If that is the case, rebooting the GX50 will cause it to choose a new random UDP port for VPN.
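
The check below is an added example, not part of the Meraki documentation: it audits a first-match outbound ruleset on a firewall in front of the GX50 for gaps in UDP 9350-9381, including a deny rule that shadows only part of the range. The rule format, the `Rule` class and the sample ruleset are constructed for illustration and are not any vendor's configuration syntax; only destination ports are checked, not the GX50's random source port.

```python
"""Audit a first-match egress ruleset for the VPN registry ports (UDP 9350-9381)."""
from dataclasses import dataclass

REGISTRY_PORTS = range(9350, 9382)  # UDP 9350-9381, as stated in the guide


@dataclass(frozen=True)
class Rule:  # hypothetical rule model, not a vendor format
    action: str  # "allow" or "deny"
    proto: str   # "udp", "tcp" or "any"
    lo: int      # first destination port
    hi: int      # last destination port (inclusive)


def verdict(rules, proto, port, default="deny"):
    """Return the action of the first rule matching proto and destination port."""
    for r in rules:
        if r.proto in (proto, "any") and r.lo <= port <= r.hi:
            return r.action
    return default


def blocked_registry_ports(rules, default="deny"):
    """List registry ports whose outbound UDP traffic would be dropped."""
    return [p for p in REGISTRY_PORTS if verdict(rules, "udp", p, default) != "allow"]


def as_ranges(ports):
    """Collapse a sorted port list into inclusive (lo, hi) tuples for reporting."""
    out = []
    for p in ports:
        if out and p == out[-1][1] + 1:
            out[-1] = (out[-1][0], p)
        else:
            out.append((p, p))
    return out


# Constructed sample ruleset, evaluated top to bottom.
SAMPLE_RULES = [
    Rule("allow", "tcp", 443, 443),
    Rule("allow", "udp", 53, 53),
    Rule("deny", "udp", 9360, 9365),   # constructed misconfiguration: shadows part of the range
    Rule("allow", "udp", 9350, 9381),
    Rule("deny", "any", 0, 65535),
]

if __name__ == "__main__":
    for lo, hi in as_ranges(blocked_registry_ports(SAMPLE_RULES)):
        print(f"BLOCKED: outbound UDP {lo}-{hi} (VPN registry)")
```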