Configuring Site-to-site VPN between MX Appliances in Different Organizations

Third-party VPN Configuration

Setting up a VPN tunnel between MXes in different orgs requires the use of the third-party VPN section of the MX Dashboard. This can be found under Security & SD-WAN > Configure > Site-to-site VPN > Non-Meraki VPN peers.

In both organizations, click the "Add a peer" link. Fill out this entry as if the other MX were a 3rd party device, where each field should be configured as follows:

• Name - Name of the remote peer (cosmetic).
• Public IP - The public IP address from which the remote MX can be contacted. This can be found on the remote MX in Dashboard under Security & SD-WAN > Monitor > Appliance status > Uplink > Configuration > General > Public IP:
  
   
• Private subnets - All subnets on the remote peer that will be participating in the VPN, in CIDR notation (e.g. 10.0.1.0/24). Can be found on the remote MX in Dashboard under Security & SD-WAN > Configure > Addressing & VLANs.
• IPsec policies - This should be kept default on both sides to avoid a mismatch. If a custom IPsec policy is configured for this tunnel on either peer, they must match exactly.
• Preshared secret - A custom passphrase for encryption purposes. Must match exactly on both MXes.
• Availability - Determines which MXes in the organization will be communicating with this peer. By default, all devices in an organization will establish tunnels with a third-party peer, however network tags can be used to limit these connections to a few networks.

This process would need to be repeated for each remote/local MX pair as desired. The image below shows an example of an MX to MX VPN connection when the devices are in different Organizations:

Additional Resources

For more information about site-to-site VPN tunnels and troubleshooting:

• Site-to-site VPN Settings
• Troubleshooting 3rd Party Site to site VPN
• Automatic NAT Traversal for IPsec tunneling between Cisco Meraki peers