Cisco Meraki Documentation

MX and Umbrella SIG IPSec Tunnel

Overview

Umbrella SIG (Secure Internet Gateway) is a cloud-based security solution designed for branch offices. This article outlines how to configure Umbrella SIG between the Umbrella dashboard and a Meraki MX Security and SD-WAN device. This solution provides centralized management for security so network administrators do not have to separately manage security settings for each branch. All internet-bound traffic will be forwarded to Umbrella SIG through an IPSec tunnel for inspection and filtering. 

Use Case

If network administrators want a cloud-managed security solution that removes the inconvenience of managing security settings separately at each branch location, Umbrella SIG is the perfect solution.

Features

Umbrella SIG offers security features such as:

  • DNS Policies
  • Firewall Policies
  • Web Policies

Please visit Umbrella's documentation for a comprehensive guide to Umbrella SIG features.

Prerequisites

  1. The Umbrella SIG Essentials package is required. Please visit Umbrella for more package information.
  2. The Meraki MX requires MX 15.12+ firmware, which allows the Non-Meraki VPN peer to be configured with the following two Umbrella requirements:
    1. Choose the IKE version on each Non-Meraki VPN peer. When IKEv2 is selected, the "Local ID" field is enabled; the User FQDN must be entered in this field.
    2. In the IPSec policies, choose Diffie-Hellman group 14.

Configuration

To establish an IPSec tunnel to Umbrella, configuration is required on both the Umbrella dashboard and the Meraki dashboard.

Umbrella Dashboard

In the Umbrella dashboard, navigate to Deployments > Network Tunnels and select Add.

Name the tunnel and select Device Type > Meraki MX.

Set the Tunnel ID and Passphrase. These will be entered as the Local ID (User FQDN) and preshared secret in the Meraki dashboard.

After setting the Tunnel ID and Passphrase, a confirmation prompt is displayed, allowing you to copy the Tunnel ID and Passphrase into the Local ID (User FQDN) and Preshared secret fields in the Meraki dashboard.

Meraki Dashboard

Navigate to Security & SD-WAN > Configure > Site-to-site VPN and select the desired subnets to participate in VPN.

In the Security & SD-WAN > Configure > Site-to-site VPN > Non-Meraki VPN peers section, select Add a peer.

For the Non-Meraki VPN peers fields:

  • Name: Provide a descriptive name for the tunnel.
  • Public IP: The Umbrella data center IP address, listed in the article at https://docs.umbrella.com/umbrella-user-guide/docs/cisco-umbrella-data-centers
  • Local ID: The Tunnel ID string from the Umbrella dashboard, shown once you have finished creating a Network Tunnel identity using a PSK.
  • Private subnets: Always 0.0.0.0/0, since all internet-bound traffic will be redirected into the tunnel.
  • IPSec policies: Choose the "Umbrella" preset. This populates all of the IPSec tunnel parameters necessary for Umbrella connectivity.
  • Preshared secret: The Passphrase string from the Umbrella dashboard, shown once you have finished creating a Network Tunnel identity using a PSK.
  • Availability: Add the tag you defined earlier for the MX appliance that will build the tunnels to the Umbrella cloud.
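
As an added example (not from this article or from Meraki), the following Python builds a Non-Meraki VPN peer entry shaped like the Meraki Dashboard API v1 third-party VPN peers payload and pre-checks it against the Umbrella prerequisites listed above: IKEv2 with a User FQDN Local ID, the Umbrella preset or DH group 14, 0.0.0.0/0 as the private subnet, a preshared secret and an availability tag. The API field names, the Tunnel ID pattern and all sample values are assumptions; nothing is sent to the dashboard.

```python
import re

# Umbrella SIG requirements from the article: IKEv2 so that Local ID is enabled,
# a User FQDN Local ID, DH group 14 (the "Umbrella" preset), 0.0.0.0/0 so that all
# internet-bound traffic takes the tunnel, a PSK and an availability tag.
UMBRELLA_DH_GROUP = 14

# Loose User FQDN check (user@domain.tld); the exact Umbrella Tunnel ID format is
# not described on the page, so this pattern is an assumption.
USER_FQDN_RE = re.compile(r"^[^@\s]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def build_umbrella_peer(name, public_ip, tunnel_id, passphrase, tags):
    """Return one peer entry; field names follow the Meraki Dashboard API v1
    thirdPartyVPNPeers schema as assumed here (not confirmed by the article)."""
    return {
        "name": name,
        "publicIp": public_ip,
        "ikeVersion": "2",
        "localId": tunnel_id,
        "privateSubnets": ["0.0.0.0/0"],
        "ipsecPoliciesPreset": "umbrella",
        "secret": passphrase,
        "networkTags": list(tags),
    }


def check_umbrella_peer(peer):
    """Return a list of requirement violations; empty means the peer is ready."""
    problems = []
    if peer.get("ikeVersion") != "2":
        problems.append("IKEv2 is required so that the Local ID field is enabled")
    if not USER_FQDN_RE.match(peer.get("localId", "")):
        problems.append("Local ID must be the Umbrella Tunnel ID in User FQDN form")
    if peer.get("privateSubnets") != ["0.0.0.0/0"]:
        problems.append("private subnets must be 0.0.0.0/0 to redirect all internet traffic")
    preset = peer.get("ipsecPoliciesPreset")
    dh_groups = peer.get("ipsecPolicies", {}).get("ikeDiffieHellmanGroup", [])
    if preset != "umbrella" and f"group{UMBRELLA_DH_GROUP}" not in dh_groups:
        problems.append("use the Umbrella preset or Diffie-Hellman group 14")
    if not peer.get("secret"):
        problems.append("preshared secret (Umbrella passphrase) is missing")
    if not peer.get("networkTags"):
        problems.append("availability tag is missing, so no MX will build the tunnel")
    return problems


if __name__ == "__main__":
    # Constructed sample values; the real Public IP comes from the Umbrella data centers list.
    peer = build_umbrella_peer("Umbrella-SIG", "203.0.113.10",
                               "mx-branch@constructed.example.com", "constructed-passphrase",
                               ["umbrella-mx"])
    print(check_umbrella_peer(peer) or "peer meets the Umbrella requirements")
```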

The Umbrella IPSec parameters can be verified by selecting the Umbrella preset.

Lastly, you will have to generate interesting traffic through the tunnel in order for the Umbrella dashboard to reflect an active tunnel status. To generate interesting traffic, simply source pings from a VPN-participating VLAN (navigate to Security & SD-WAN > Monitor > Appliance Status > Tools) to a destination IP address that would be routed through the IPSec tunnel.

An active Umbrella SIG IPSec tunnel is shown in the Meraki dashboard under Security & SD-WAN > Monitor > VPN Status.

An active IPSec tunnel to the Meraki MX is shown in the Umbrella dashboard under Deployments > Network Tunnels.

Validation

To validate which traffic is sent over the tunnel to SIG and which is not, connect to a network on a VLAN that participates in the tunnel and to one that does not, and observe the difference.

For this test the following configuration was used: the default VLAN1 does not participate in VPN and the SIG VLAN10 does. This configuration can be viewed under Security & SD-WAN > Configure > Site-to-site VPN.

Using a wireless-capable MX68CW, two SSIDs were created: one on VLAN1 and the other on VLAN10.

When a device connects to the SSID SIG1, it receives an IP on VLAN10.

When the device accesses the Internet, its traffic appears with a NAT address belonging to Umbrella.

When a device connects to the SSID DIA, it receives an IP on VLAN1.

When the device accesses the Internet, its traffic appears with a NAT address from the MX Internet interface.