
Configuring Site-to-site VPN between MX Appliances in Different Organizations

All MX security appliances within the same organization will be able to use our AutoVPN feature to establish a Site-to-site VPN between themselves. However, if two MX Security Appliances are in separate organizations, they will not be able to set up an automatic VPN. They must be configured as if they were non-Meraki peers.

This article outlines the basic configuration steps necessary to establish a site-to-site VPN tunnel between MX devices in different organizations.

Third-party VPN Configuration

Setting up a VPN tunnel between MXes in different organizations requires the use of the third-party VPN section of the MX Dashboard. This can be found under Security appliance > Configure > Site-to-site VPN > Non-Meraki VPN Peers.

In both organizations, click the "Add a peer" link. Fill out this entry as if the other MX were a 3rd party device, where each field should be configured as follows:

  • Name - Name of the remote peer (cosmetic).
  • Public IP - The public IP address from which the remote MX can be contacted. Can be found on the remote MX in Dashboard under Security appliance > Monitor > Appliance status > Public IP.
  • Private subnets - All subnets on the remote peer that will be participating in the VPN, in CIDR notation (e.g. 10.0.1.0/24). Can be found on the remote MX in Dashboard under Security appliance > Configure > Addressing & VLANs.
  • IPsec Policies - Should be kept default on both sides to avoid a potential mismatch. If a custom IPsec policy is configured for this tunnel on either peer, they must match exactly.
  • Preshared secret - A custom passphrase for encryption purposes. Must match exactly on both MXes.
  • Availability - Determines which MXes in the organization will be communicating with this peer. By default, all devices in an organization will establish tunnels with a third-party peer; however, network tags can be used to limit these connections to a few networks.

This process would need to be repeated for each remote/local MX pair as desired. The image below shows an example of an MX to MX VPN connection when the devices are in different Organizations:
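Because the two "Add a peer" entries are filled in by hand on each side, the most common failure is an asymmetry between them. The following added example (not part of the original article or Meraki's own tooling; field names and sample entries are constructed) models the two entries as dictionaries and checks the requirements stated above: matching preshared secret and IPsec policy, strictly valid CIDR private subnets, a valid public IP, and no overlap between the two sides' subnets.

```python
import ipaddress

def parse_subnets(subnets):
    """Strictly parse each 'Private subnets' string; return (networks, errors)."""
    nets, errors = [], []
    for s in subnets:
        try:
            nets.append(ipaddress.ip_network(s, strict=True))
        except ValueError:
            errors.append(f"invalid CIDR subnet: {s!r}")
    return nets, errors

def check_peer_pair(entry_on_a, entry_on_b):
    """entry_on_a is org A's 'Add a peer' entry describing MX B; entry_on_b is
    org B's entry describing MX A. Returns a list of problems (empty means OK)."""
    problems = []
    # Preshared secret and IPsec policy must match exactly on both sides.
    if entry_on_a["secret"] != entry_on_b["secret"]:
        problems.append("preshared secret differs between the two entries")
    if entry_on_a.get("ipsec_policy", "default") != entry_on_b.get("ipsec_policy", "default"):
        problems.append("IPsec policy differs between the two entries")
    # Each side's public IP must be a valid address (the remote MX's WAN IP).
    for label, entry in (("org A", entry_on_a), ("org B", entry_on_b)):
        try:
            ipaddress.ip_address(entry["public_ip"])
        except ValueError:
            problems.append(f"{label} entry: invalid public IP {entry['public_ip']!r}")
    nets_a, errs = parse_subnets(entry_on_a["private_subnets"])
    problems += [f"org A entry: {e}" for e in errs]
    nets_b, errs = parse_subnets(entry_on_b["private_subnets"])
    problems += [f"org B entry: {e}" for e in errs]
    # A's entry lists B's subnets and vice versa; an overlap would make the
    # split-tunnel routes ambiguous, so flag it.
    for na in nets_a:
        for nb in nets_b:
            if na.overlaps(nb):
                problems.append(f"overlapping subnets: {na} and {nb}")
    return problems

# Constructed sample entries (documentation addresses, placeholder secret).
ENTRY_ON_ORG_A = {"name": "MX-B", "public_ip": "198.51.100.20",
                  "private_subnets": ["10.0.2.0/24"], "secret": "example-psk"}
ENTRY_ON_ORG_B = {"name": "MX-A", "public_ip": "203.0.113.10",
                  "private_subnets": ["10.0.1.0/24"], "secret": "example-psk"}

if __name__ == "__main__":
    print(check_peer_pair(ENTRY_ON_ORG_A, ENTRY_ON_ORG_B) or "no mismatches found")
```

Run it against both organizations' entries before bringing the tunnel up; any non-empty result points at the field that needs to be corrected on one side.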


Additional Considerations

Since this VPN tunnel is functionally the same as a tunnel to a third-party peer, the same restrictions and caveats apply, including the following notable caveats:

  • The VPN tunnel can only function as split tunnel, not full tunnel.
  • Limited visibility on the VPN Status Page.
  • MXes cannot share static routes to a 3rd party peer, only local subnets.

Additional Resources

For more information about site-to-site VPN tunnels and troubleshooting:

Last modified
15:17, 18 Feb 2016


Article ID

ID: 1316
