Cisco Secure Access Meraki SD-WAN Configuration Guide

Gather Details from Cisco Secure Access Portal

Information can be taken from the CSV downloaded from step 5 above or from the Data for Tunnel Setup page seen below:  

On the Meraki Network, Navigate to Site-to-site VPN settings through the Security & SD-WAN > Configure > Site-to-site VPN page.

There are three options for configuring the MX-Z's role in the Auto VPN topology:

• Off: The MX-Z device will not participate in site-to-site VPN.

• Hub (Mesh): The MX-Z device will establish VPN tunnels to all remote Meraki VPN peers that are also configured in this mode, as well as any MX-Z appliances in hub-and-spoke mode that have the MX-Z device configured as a hub.

• Spoke: This MX-Z device (spoke) will establish direct tunnels only to the specified remote MX-Z devices (hubs). Other spokes will be reachable via their respective hubs unless blocked by site-to-site firewall rules.

Select Hub (Mesh) to enable AutoVPN as this is recommended for the MX peering with the non-Meraki/Cisco Secure Access.
 

You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and Cisco Secure Access under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:

• Name—Provide a meaningful name for the tunnel. 

• IKE Version—Select IKEv2. 

• IPsec policies—Choose the predefined Umbrella configuration, see Supported IPsec Parameters. 

  

• Public IP—IP address to connect to Secure Access Network Tunnel Group Primary Data Center IP

• Local ID—The Primary Tunnel ID for the Network Tunnel Group. 

• Remote ID—Leave this blank

• Private subnets— Configure a default route 0.0.0.0/0

• ​​Preshared secret—The Passphrase for the Network Tunnel Group created in Secure Access

• Availability— Add network tag for the MX network appliance that should build the tunnel to Secure Access. "All Networks" tag will configure all MXs in your Dashboard Organization to establish a tunnel to Secure Access

• Click Update & Save

Non-Meraki VPN Firewall 

You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic to/from all MX-Z appliances in the Organization that participate in site-to-site VPN. These rules are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN Firewall rules will not apply to inbound traffic or to traffic that is not passing through the VPN.

Event Logs  

If you have any issues or would like to know more about the Cisco Secure Access peering details, navigate to Network-wide > Monitor > Event log 

• Select Event type Include - Non-Meraki VPN Negotiation

 Packet Captures   

The following options are available for a packet capture on MX/Z platforms:

• Appliance: The appliance the capture will run on.

• Interface: Select the interface to run the capture on; the interface names will vary depending on the appliance configuration. A few examples of interfaces you may see are:

  • Internet 1 or Internet 2 - Capture traffic on one active WAN uplink.  Internet 2 will only appear if there is a second WAN link. 

  • LAN - Captures traffic from all LAN ports

  • Cellular - Captures cellular traffic from the integrated cellular interface.  This does not apply to USB modems.

  • Site-to-Site VPN - Captures AutoVPN traffic (MX/Z to MX/Z only).  This does not apply to Non-Meraki VPN peers.

• Output: Select how the capture should be displayed; view output or download .pcap.

• Verbosity: Select the level of the packet capture (only available when viewing the output directly to Dashboard).

• Ignore: Optionally ignore capturing broadcast/multicast traffic.

• Filter expressions: Apply a capture filter.

To capture packets, select the WAN interface and use the filter expressions for UDP 500 for Phase 1 or UDP 4500 for Phase 2.