Custom IPsec policies with Site-to-site VPN
When using a Cisco Meraki MX Security Appliance to create an IPsec VPN to a non-Meraki peer, multiple options are available for customizing the parameters of that VPN connection. For more information on site-to-site VPN functionality, please refer to our security appliance documentation. This article will specifically cover the options available when customizing IPsec parameters for a peer.
Note: Only customize the IPsec policies settings if required by the peer, and when the required settings are known. Modifying the parameters without proper planning can result in a VPN connection going down until correctly configured on both ends.
Overview
Site-to-site VPN settings are managed on the Security & SD-WAN > Configure > Site-to-site VPN page, and 3rd-party peers are located in the Organization-wide settings section. When configuring a peer, you can modify the IPsec policy settings by clicking the three dots on the right side, as demonstrated below.
Customizing and Presets
You can change the IPsec policies parameters for a peer by clicking the three dots on the right-hand side to View the current settings. In the window that appears, a number of options are available.
The Preset selection allows easy setup of peers for some popular services, such as Azure and AWS. "Default" will reset the parameters to those used between Cisco Meraki peers, and "Custom" can be used for non-standard configurations.
The Phase 1 and Phase 2 sections can be customized as needed for peers that are not compatible with one of the existing presets. Fields allowing multiple options present them as a list, and any or all of the options can be selected. When connecting with a peer, every selected option is offered during negotiation. It is important to remember that these settings must match on both ends of the VPN tunnel for it to establish correctly.
After changing the Preset selection or modifying any of the Phase 1 or Phase 2 options, click Save.
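The matching rule in the procedure above (each Phase 1 and Phase 2 field needs at least one option in common, and every selected option is offered to the peer) can be checked before touching the dashboard. The following Python script is an added example and is not Meraki code or Meraki Dashboard API output: the policy structure, the field names (`encryption`, `authentication`, `dh_group`, `pfs_group`) and the three sample peers are constructed for illustration, the list of options it treats as weak is the example's own judgment, and lifetimes are deliberately not modelled. It reports which fields would block the tunnel and, because the peer may pick any offered option, which weak options a multi-select leaves negotiable.

```python
"""Pre-change check for Phase 1 / Phase 2 IPsec policy compatibility.

Each side lists, per field, the set of options it is willing to negotiate.
A tunnel can establish only when every field has a non-empty intersection.
Because all selected options are offered, the intersection is also what the
peer may downgrade to, so weak common options are flagged separately.
Constructed example; field names and sample peers are not Meraki's.
"""
from dataclasses import dataclass

PHASES = ("phase1", "phase2")

# Constructed list of options this example treats as weak (hypothetical policy,
# not taken from Meraki documentation). Group fields share one list.
WEAK_OPTIONS = {
    "encryption": {"des", "3des"},
    "authentication": {"md5", "sha1"},
    "dh_group": {"1", "2", "5"},
}


@dataclass
class IpsecPolicy:
    """field name -> set of offered options, per phase (lifetimes omitted)."""
    phase1: dict
    phase2: dict


def negotiate(local: IpsecPolicy, remote: IpsecPolicy) -> dict:
    """Return {phase: {field: common options}}; case-insensitive on option names."""
    result = {}
    for phase in PHASES:
        lp, rp = getattr(local, phase), getattr(remote, phase)
        result[phase] = {}
        for name in sorted(set(lp) | set(rp)):
            a = {str(o).lower() for o in lp.get(name, ())}
            b = {str(o).lower() for o in rp.get(name, ())}
            result[phase][name] = a & b
    return result


def mismatches(negotiated: dict) -> list:
    """Fields with no common option; any entry here blocks the tunnel."""
    return [f"{phase}.{name}"
            for phase in PHASES
            for name, common in negotiated[phase].items() if not common]


def can_establish(negotiated: dict) -> bool:
    return not mismatches(negotiated)


def weak_choices(negotiated: dict) -> dict:
    """Common options the peer could select that are on the weak list."""
    flagged = {}
    for phase in PHASES:
        for name, common in negotiated[phase].items():
            key = "dh_group" if name.endswith("_group") else name
            weak = common & WEAK_OPTIONS.get(key, set())
            if weak:
                flagged[f"{phase}.{name}"] = weak
    return flagged


# Constructed sample: the local side offers several options per field.
LOCAL = IpsecPolicy(
    phase1={"encryption": {"aes256", "aes128", "3des"},
            "authentication": {"sha256", "sha1"}, "dh_group": {"14", "5"}},
    phase2={"encryption": {"aes256", "aes128"},
            "authentication": {"sha256", "sha1"}, "pfs_group": {"14", "off"}},
)
# Constructed peers: A matches cleanly, B has a DH group mismatch,
# C matches only on weak Phase 1 options.
PEER_A = IpsecPolicy(
    phase1={"encryption": {"aes256"}, "authentication": {"sha256"}, "dh_group": {"14"}},
    phase2={"encryption": {"aes256"}, "authentication": {"sha256"}, "pfs_group": {"14"}},
)
PEER_B = IpsecPolicy(
    phase1={"encryption": {"aes256"}, "authentication": {"sha256"}, "dh_group": {"2"}},
    phase2={"encryption": {"aes256"}, "authentication": {"sha256"}, "pfs_group": {"14"}},
)
PEER_C = IpsecPolicy(
    phase1={"encryption": {"3des"}, "authentication": {"sha1"}, "dh_group": {"5"}},
    phase2={"encryption": {"aes128"}, "authentication": {"sha1"}, "pfs_group": {"14"}},
)


def report(name: str, remote: IpsecPolicy) -> str:
    neg = negotiate(LOCAL, remote)
    if not can_establish(neg):
        return f"{name}: will NOT establish, no common option for {mismatches(neg)}"
    weak = weak_choices(neg)
    return f"{name}: establishes; weak options still negotiable: {weak or 'none'}"


if __name__ == "__main__":
    for label, peer in (("peer A", PEER_A), ("peer B", PEER_B), ("peer C", PEER_C)):
        print(report(label, peer))
```

Run it with both sides' intended settings filled in before saving a change; an empty intersection is the "tunnel goes down until both ends agree" case the note at the top warns about, and a non-empty weak list is the reason to select fewer options rather than "any or all" once the peer's requirements are known.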