Automatic NAT traversal is the default method used to establish a secure IPsec tunnel between Cisco Meraki VPN peers. This method relies on the Cloud to broker connections between remote peers automatically. It is the preferred method because it works well even when peers are located on different private networks protected by a firewall and NAT.
By default, site-to-site VPN connections between MX Security Appliances and/or Z1 Teleworker Gateways form a full mesh between all VPN-enabled peers in the same Dashboard organization. This is often undesirable, because the mesh establishes IPsec tunnels between remote sites that have no need to reach each other directly and adds networking overhead that degrades performance.
All MX security appliances within the same organization will be able to use our AutoVPN feature to establish a Site-to-site VPN between themselves. However, if two MX Security Appliances are in separate organizations, they will not be able to set up an automatic VPN. They must be configured as if they were non-Meraki peers. This article outlines the basic configuration steps necessary to establish a site-to-site VPN tunnel between MX devices in different organizations.
Many enterprise networks have existing MPLS circuits that connect locations. However, if the MPLS circuit goes down, connectivity to the remote location is lost. MX Security Appliances can be placed in these networks to fail over dynamically to a VPN connection over a secondary Internet connection.
When using a Cisco Meraki MX Security Appliance to create an IPsec VPN to a non-Meraki peer, multiple options are available for customizing the parameters of that VPN connection. For more information on site-to-site VPN functionality, please refer to our security appliance documentation. This article will specifically cover the options available when customizing IPsec parameters for a peer.
IPsec VPNs that use IKE negotiate lifetimes that control when a tunnel must be re-established. When these lifetimes are misconfigured, an IPsec tunnel will still establish, but will show connection loss when the timers expire. This article covers these lifetimes and the issues that can occur when they are not matched between peers.
The Netgear Prosafe can form a site-to-site VPN with a Meraki MX series security appliance. The easiest way to configure this is by logging onto your Netgear Prosafe via a web browser and clicking on the VPN Wizard found on the left hand side of the page under VPN. This will display text informing you that several defaults are assumed during the wizard and that these can be adjusted by clicking VPN Settings after the wizard has completed. Click the Next button to begin the configuration.
Administrators can add firewall rules to restrict the traffic that flows through the VPN tunnel of a Cisco Meraki MX Security Appliance. These firewall rules apply to all MX networks in the organization that participate in the auto site-to-site VPN, and to third-party VPN endpoints.
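Site-to-site VPN firewall rules are an ordered list evaluated top to bottom, with the first matching rule deciding the flow. The following added example (not Meraki code) shows why ordering matters: a broad deny placed above a narrower allow blocks the flow the allow was meant to permit. The rule field names (policy, protocol, srcCidr, srcPort, destCidr, destPort) follow the shape of Dashboard API vpnFirewallRules objects as an assumption, and the rule set and test flows are constructed for the example; the trailing "allow everything" behaviour models the implicit default rule.

```python
"""First-match evaluation of Meraki-style site-to-site VPN firewall rules.

Added example, not Meraki code. The rule shape mirrors the Dashboard API's
vpnFirewallRules objects as an assumption; the rules and flows are constructed.
"""
import ipaddress

# Constructed rule set, evaluated top to bottom; the first match wins.
RULES = [
    {"comment": "Block guest VLAN from reaching the datacenter",
     "policy": "deny", "protocol": "any",
     "srcCidr": "10.10.50.0/24", "srcPort": "Any",
     "destCidr": "10.0.0.0/16", "destPort": "Any"},
    {"comment": "Allow branch clients to the ERP server over HTTPS",
     "policy": "allow", "protocol": "tcp",
     "srcCidr": "10.10.0.0/16", "srcPort": "Any",
     "destCidr": "10.0.1.10/32", "destPort": "443"},
    {"comment": "Deny everything else from branches into the datacenter",
     "policy": "deny", "protocol": "any",
     "srcCidr": "10.10.0.0/16", "srcPort": "Any",
     "destCidr": "10.0.0.0/16", "destPort": "Any"},
]


def _cidr_match(spec, ip):
    """'Any' or a comma-separated list of CIDRs."""
    if spec.lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c.strip(), strict=False)
               for c in spec.split(","))


def _port_match(spec, port):
    """'Any', single ports and ranges such as '443' or '8000-8080,22'."""
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """Return (policy, comment) of the first matching rule.

    Flows that match no rule fall through to the implicit default allow.
    """
    for rule in rules:
        if rule["protocol"] != "any" and rule["protocol"] != proto:
            continue
        if not (_cidr_match(rule["srcCidr"], src_ip)
                and _cidr_match(rule["destCidr"], dst_ip)):
            continue
        if not (_port_match(rule["srcPort"], src_port)
                and _port_match(rule["destPort"], dst_port)):
            continue
        return rule["policy"], rule["comment"]
    return "allow", "implicit default allow"


if __name__ == "__main__":
    # A guest client hits the first deny even though rule 2 would allow HTTPS.
    print(evaluate(RULES, "tcp", "10.10.50.5", 51000, "10.0.1.10", 443))
    # A branch client reaches the ERP server, but nothing else in the datacenter.
    print(evaluate(RULES, "tcp", "10.10.20.7", 51000, "10.0.1.10", 443))
    print(evaluate(RULES, "tcp", "10.10.20.7", 51000, "10.0.1.10", 22))
```

Run it against your own exported rule list before pushing a change: if a flow you expect to allow returns a deny with the comment of a broader rule, that rule needs to move below the allow.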
Failover is a feature built into the MX series to keep a constant connection in the event of primary link failure. Failover occurs when the primary uplink of the MX is unable to reach the Internet. The VPN connection of the MX always goes out the primary interface, as configured under Security Appliance > Configure > Traffic shaping. In the event of primary link failure, the MX tears down the existing VPN tunnel and attempts to negotiate a new tunnel with the remote VPN peer.
Meraki Site-to-Site VPN makes it easy to connect remote networks and share network resources. In the event that VPN fails or network resources are inaccessible, there are several places to look in Dashboard to quickly resolve most problems. This article will overview common site-to-site VPN issues and recommended troubleshooting steps.
Cisco Meraki product lines offer various types of VPN options for small office and/or remote deployments. Each option is recommended for a different type of scenario, ranging from a single client, to several wired and wireless clients. If you have a complex requirement not covered below, please contact your Cisco Meraki account executive to discuss what would be the best fit for your particular needs.
When several Z1 Teleworker Gateways are deployed to establish Site-to-site VPN tunnels to an MX in Concentrator Mode, a static route for each VPN connection needs to be configured on the MX's default gateway. However, configuring one static route per device is inconvenient for large-scale Z1 deployments. Using Route Summarization, this task can be accomplished with one route if configured correctly.
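The summary route has to cover every teleworker subnet behind the concentrator without swallowing address space the default gateway routes elsewhere. The following added example (not Meraki code) computes the single smallest prefix that covers a set of Z1 subnets, checks it against other subnets in the network, and, where one route would overlap, falls back to the minimal set of exact routes. The subnets are constructed for the example.

```python
"""Summarize Z1 teleworker subnets into one static route toward the MX concentrator.

Added example, not Meraki code; the subnets below are constructed.
"""
import ipaddress


def summary_route(subnets):
    """Smallest single prefix covering every subnet (it may also cover gaps)."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    if len({n.version for n in nets}) != 1:
        raise ValueError("mix of IPv4 and IPv6 subnets")
    summary = nets[0]
    for n in nets[1:]:
        # Widen until the candidate also contains this subnet; widening never
        # drops anything already covered.
        while not n.subnet_of(summary):
            summary = summary.supernet()
    return summary


def exact_routes(subnets):
    """Minimal set of prefixes covering exactly the given subnets, nothing more."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return list(ipaddress.collapse_addresses(nets))


def plan_routes(z1_subnets, other_subnets):
    """Return (summary, conflicts, routes_to_install).

    conflicts lists other subnets the one-route summary would overlap; if there
    are any, routes_to_install is the exact cover instead of the summary.
    """
    summary = summary_route(z1_subnets)
    others = [ipaddress.ip_network(s, strict=False) for s in other_subnets]
    conflicts = [o for o in others if o.version == summary.version and summary.overlaps(o)]
    routes = [summary] if not conflicts else exact_routes(z1_subnets)
    return summary, conflicts, routes


if __name__ == "__main__":
    # Ten teleworkers, one /24 each, allocated contiguously from 10.200.0.0.
    z1 = [f"10.200.{i}.0/24" for i in range(10)]
    # Other subnets the default gateway already routes: HQ LAN and a server VLAN
    # that happens to sit inside the block the summary would claim.
    other = ["10.0.0.0/16", "10.200.12.0/24"]
    summary, conflicts, routes = plan_routes(z1, other)
    print("one-route summary:", summary)          # 10.200.0.0/20
    print("would black-hole:", conflicts)          # [10.200.12.0/24]
    print("install instead:", routes)              # [10.200.0.0/21, 10.200.8.0/23]
```

Allocating teleworker subnets as a contiguous, power-of-two sized block (here sixteen /24s in a /20) lets the summary and the exact cover coincide, which is what keeps the upstream configuration at a single route.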
Cisco Meraki VPN peers can use Automatic NAT Traversal to establish a secure IPsec tunnel through a firewall or NAT. When ACLs on an upstream firewall block outbound traffic by source port or, more commonly, by destination UDP port in the range 32768-61000, a peer will not be able to punch a hole in the firewall and establish a tunnel with other remote peers.
The MX Security Appliance provides the ability to configure VPN tunnels to third-party devices. This article describes third-party VPN considerations, required configuration settings, and how to troubleshoot third-party VPN connections.
When using VPN functionality to securely tunnel traffic between Cisco Meraki devices, such as the MX Site-to-site VPN or MR Teleworker VPN, the devices must first register with the Dashboard VPN registry. This allows their connections to each other to be established dynamically, without manual configuration. However, issues can sometimes occur with this process, which this article discusses.
Cisco Meraki MX security appliances support the OSPF routing protocol to advertise remote VPN subnets to neighboring layer 3 devices. This feature is useful in topologies where a large number of VPN subnets makes configuring static routes impractical. This article outlines the prerequisites and configuration necessary for OSPF on the MX platform.
Sometimes, remote devices connected via Site-to-site VPN use overlapping local subnets on their networks. When administrators try to connect overlapping subnets using Site-to-site VPN, devices will not be able to communicate with each other across the tunnel, because the MX cannot tell whether a destination is local or on the far side of the tunnel.
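The overlap is easiest to catch before a peer is added to the VPN rather than after traffic fails. The following added example (not Meraki code) takes a table of peers and the subnets each exports into the VPN, reports every cross-peer pair that overlaps, and checks a prospective new peer against the existing set. The peer names and subnets are constructed for the example.

```python
"""Detect overlapping subnets among site-to-site VPN peers.

Added example, not Meraki code; the peer table below is constructed.
"""
import ipaddress
from itertools import combinations

# Constructed peer table: peer name -> subnets it advertises into the VPN.
PEERS = {
    "HQ-MX":      ["10.0.0.0/16", "172.16.10.0/24"],
    "Branch-A":   ["192.168.1.0/24", "10.1.0.0/24"],
    "Branch-B":   ["192.168.1.0/24"],     # same factory-default LAN as Branch-A
    "Teleworker": ["10.0.200.0/24"],      # sits inside HQ's 10.0.0.0/16
}


def _flatten(peers):
    return [(name, ipaddress.ip_network(s, strict=False))
            for name, subs in peers.items() for s in subs]


def find_overlaps(peers):
    """Return (peer1, subnet1, peer2, subnet2) for every cross-peer overlap.

    Overlap includes identical subnets and one subnet nested inside another;
    either case leaves the MX unable to route across the tunnel.
    """
    out = []
    for (p1, n1), (p2, n2) in combinations(_flatten(peers), 2):
        if p1 != p2 and n1.version == n2.version and n1.overlaps(n2):
            out.append((p1, str(n1), p2, str(n2)))
    return out


def conflicts_for_new_peer(peers, new_subnets):
    """Existing (peer, subnet) entries a prospective peer's subnets would collide with."""
    new = [ipaddress.ip_network(s, strict=False) for s in new_subnets]
    return [(p, str(n)) for p, n in _flatten(peers)
            for m in new if n.version == m.version and n.overlaps(m)]


if __name__ == "__main__":
    for p1, n1, p2, n2 in find_overlaps(PEERS):
        print(f"{p1} {n1} overlaps {p2} {n2}")
    # A new branch that kept the 192.168.1.0/24 default would clash twice.
    print(conflicts_for_new_peer(PEERS, ["192.168.1.0/24"]))
    # Renumbered, it joins cleanly.
    print(conflicts_for_new_peer(PEERS, ["192.168.77.0/24"]))
```

Running this over the subnets each site actually exports (not just its primary LAN) catches the common cases at once: two branches left on the same default subnet, and a teleworker subnet carved from inside a range the hub already advertises.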
The Watchguard XTM can form a site-to-site VPN with a Meraki MX series security appliance. To do this, log in to the Watchguard by connecting to its IP address via a web browser. On the left hand side, click VPN -> Branch Office VPN. Under the Gateways tab, click Add and give the gateway a name that is meaningful to you and easy to remember.