Meraki Teleworker VPN enables administrators to extend the corporate LAN to employees at remote sites with Meraki APs without requiring client devices to have client VPN software installed and running. The experience of wireless clients connected to remote APs will be the same as though they were located at headquarters, with full corporate network access.
Teleworker VPN can be used to connect small branch offices (<5 people), teleworker or executive home offices, temporary site offices (e.g. construction sites) and traveling employees on the road back to the corporate LAN and provide access to corporate resources back at headquarters.
A Meraki AP at a remote site establishes a layer 2 connection using an IPSec-encrypted UDP tunnel back to the corporate LAN. Tunnels are established on a per SSID basis, and terminate at headquarters on a Meraki virtual concentrator or MX security appliance.
Since most corporate LANs are located behind a firewall and NAT, the Meraki Cloud can negotiate a connection between the remote AP and the virtual concentrator across a NAT, or a manual port-forwarding method can be used to establish a connection.
Both wireless and wired client traffic at the remote site can be tunneled. Wired clients connected directly to a Meraki AP can have their traffic tunneled. For example, a ShoreTel IP phone can be plugged into the second Ethernet port on an MR12 AP and connect via the VPN tunnel to the corporate PBX.
Teleworker VPN is compatible with any Meraki Enterprise MR-series AP.
It is recommended that a separate network be created in Dashboard for each remote site location for purposes of manageability and usage tracking. Remote site networks should be created and access points added to the networks using the Quick Start guide. Get started by selecting “Create a network” from the network selector in Dashboard.
If creating multiple, similar remote networks such as retail store locations, identical networks can be quickly created by selecting “Copy settings from an existing network” during the quick start process. It is highly recommended that in this scenario, a single remote network is completely configured and then other networks are created by cloning this configuration.
VPN tunnels are configured on a per-SSID basis. A typical configuration for a small branch office might be a tunneled SSID for corporate use that is copied from the headquarters network, with 802.1X authentication, bridge mode and custom firewall rules, and a second personal SSID with WPA2-PSK for personal and family use that is not tunneled. To select an SSID to be tunneled, select the concentrator to be used with the VPN drop-down selector on the Access Control page under the Configure tab in the remote site network.
To avoid tunneling all traffic to the concentrator in the main office, select tunnel type: “Split tunnel”. Then select the IP ranges and ports that you wish to tunnel back to the concentrator. All other traffic will use the local LAN or WAN connection. This can dramatically reduce the traffic load on the corporate network.
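The split-tunnel decision described above, worked through as an added example (not Meraki code): a small matcher that applies a constructed list of tunnel rules (destination CIDR plus port or port range) to a flow and reports whether it goes over the IPSec tunnel to the concentrator or out the local LAN/WAN. The rule set, subnets and the SIP port for the corporate PBX are assumptions for illustration, not values from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SplitTunnelRule:
    """One 'IP range + ports' entry of a split-tunnel policy (constructed model)."""
    destination: str  # CIDR of traffic that should reach headquarters
    ports: str        # "any", a single port "443", or a range "5060-5061"

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        if ip_address(dst_ip) not in ip_network(self.destination, strict=False):
            return False
        if self.ports == "any":
            return True
        low, _, high = self.ports.partition("-")
        return int(low) <= dst_port <= int(high or low)


def route_for(rules, dst_ip: str, dst_port: int, tunnel_type: str = "split") -> str:
    """Return 'tunnel' (send to concentrator) or 'local' (use site LAN/WAN).

    With a full tunnel every flow from the SSID is sent to headquarters; with a
    split tunnel only flows matching a rule are, everything else stays local.
    """
    if tunnel_type == "full":
        return "tunnel"
    return "tunnel" if any(r.matches(dst_ip, dst_port) for r in rules) else "local"


# Constructed example policy: whole corporate RFC1918 block, plus only SIP
# signalling to the PBX subnet so web traffic to that subnet stays local.
CORP_RULES = [
    SplitTunnelRule("10.0.0.0/8", "any"),
    SplitTunnelRule("192.168.50.0/24", "5060-5061"),
]

if __name__ == "__main__":
    # Constructed flows: corporate file share, public web, PBX SIP, PBX HTTP.
    for ip, port in [("10.1.2.3", 445), ("93.184.216.34", 443),
                     ("192.168.50.10", 5060), ("192.168.50.10", 80)]:
        print(f"{ip}:{port} -> {route_for(CORP_RULES, ip, port)}")
```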
Wired traffic can be tunneled as well if an MR12 is used as a remote AP by connecting clients such as an IP phone or desktop computer to the Eth1 port. Wired client traffic will be tunneled if the port has been associated to an SSID that is tunneled. This setting can be found on the Network-wide Settings page under the Configure tab in the remote network.
No pre-provisioning of remote APs is required. Once a remote site network is created in Dashboard and APs are added to the network, the APs will automatically download their configurations once they are connected to the Internet.