Home > Wireless LAN > Client Addressing and Bridging > MR Teleworker VPN

MR Teleworker VPN

Meraki Teleworker VPN enables administrators to extend the corporate LAN to employees at remote sites with Meraki AP’s without requiring client devices to have client VPN software installed and running. The experience of wireless clients connected to remote AP’s will be the same as though they were located at headquarters, with full corporate network access. 

Typical Use Cases

Teleworker VPN can be used to connect small branch offices (<5 people), teleworker or executive home offices, temporary site offices (eg. construction sites) and traveling employees on the road back to the corporate LAN and provide access to corporate resources back at headquarters. 

How it Works

A Meraki AP at a remote site establishes a layer 2 connection using an IPSec-encrypted UDP tunnel back to the corporate LAN. Tunnels are established on a per SSID basis, and terminate at headquarters on a Meraki virtual concentrator or MX security appliance. 

Since most corporate LAN’s are located behind a firewall and NAT, the Meraki Cloud can negotiate a connection between the remote AP and the virtual concentrator across a NAT, or a manual port-forwarding method can be used to establish a connection.

Both wireless and wired client traffic at the remote site can be tunneled. Wired clients connected directly to a Meraki AP can have their traffic tunneled. For example, a ShoreTel IP phone can be plugged into the second Ethernet port on an MR12 AP and connect via the VPN tunnel to the corporate PBX.

Teleworker VPN is compatible with any Meraki Enterprise MR-series AP. 

Creating Teleworker Networks

It is recommended that a separate network be created in Dashboard for each remote site location for purposes of manageability and usage tracking. Remote site networks should be created and access points added to the networks using the Quick Start guide. Get started by selecting “Create a network” from the network selector in Dashboard. 

If creating multiple, similar remote networks such as retail store locations, identical networks can be quickly created by selecting “Copy settings from an existing network” during the quick start process. It is highly recommended that in this scenario, a single remote network is completely configured and then other networks are created by cloning this configuration. 

Configure SSIDs to Tunnel

VPN tunnels are configured on a per SSID basis. A typical configuration for a small branch office might be a tunneled SSID for corporate use that is copied from the headquarters network, with 802.1x authentication, bridge mode and custom firewall rules, and a second personal SSID with WPA2-PSK for personal and family use that is not tunneled. To select an SSID to be tunneled, select the concentrator to be used with the VPN drop-down selector on the Access Control page under the Configure tab in the remote site network. 

Configure Split Tunnel

To avoid all traffic from being tunneled to the concentrator in the main office, select tunnel type: “Split tunnel”. Then select the IP ranges and ports that you wish to tunnel back to the concentrator. All other traffic will use the local LAN or WAN connection. This can dramatically reduce the traffic load on the corporate network. 

Tunneling Wired Client Traffic

Wired traffic can be tunneled as well if an MR12 is used as a remote AP by connecting clients such as an IP phone or desktop computer to the Eth1 port. Wired client traffic will be tunneled if the port has been associated to an SSID that is tunneled. This setting can be found on the Network-wide Settings page under the Configure tab in the remote network. 

Configuring Remote APs

No pre-provisioning of remote APs is required. Once a remote site network is created in Dashboard and APs are added to the network, the APs will automatically download their configurations once they are connected to the Internet. 

You must to post a comment.
Last modified
16:43, 7 Sep 2017

Tags

Classifications

This page has no classifications.

Explore Meraki

You can find out more about Cisco Meraki on our main site, including information on products, contacting sales and finding a vendor.

Explore Meraki

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case

Ask the Community

In the Meraki Community, you can keep track of the latest announcements, find answers provided by fellow Meraki users and ask questions of your own.

Visit the Community