When using a Cisco Meraki MX Security Appliance to create an IPsec VPN to a non-Meraki peer, multiple options are available for customizing the parameters of that VPN connection. For more information on site-to-site VPN functionality, please refer to our security appliance documentation. This article will specifically cover the options available when customizing IPsec parameters for a peer.
Note: Only customize the IPsec policies settings if required by the peer, and when the required settings are known. Modifying the parameters without proper planning can result in a VPN connection going down until correctly configured on both ends.
Site-to-site VPN settings are managed on the Security & SD-WAN > Configure > Site-to-site VPN page, and 3rd-party peers are located in the Organization-wide settings section. When configuring a peer, the IPsec policies column will indicate what parameters are currently configured, and can be clicked on for additional detail. Below is an example peer with the default policy.
Customizing and Presets
To change the IPsec policies for a peer, click on the link in that column, which indicates the current settings. In the window that appears, a number of options are available.
The Preset selection allows easy setup of peers for some popular services, such as Azure and AWS. "Default" will reset the parameters to those used between Cisco Meraki peers, and "Custom" can be used for non-standard configurations.
The Phase 1 and Phase 2 sections can be customized as needed for peers that are not compatible with one of the existing presets. Fields allowing multiple options will present them as a list, and allow any or all of the options to be selected. When connecting with a peer, any of the selected options will be available when negotiating. It is important to remember that these settings must match on both ends of the VPN tunnel in order to establish correctly.
After changing the Preset section or modifying any of the Phase 1 or Phase 2 options, click Update. Then click Save Changes.