Cisco Meraki Documentation

Multi-Uplink IPsec VPN

Overview

Multi-Uplink IPsec VPN tunnels maximize your network's bandwidth and reliability by establishing simultaneous connections across all available uplinks to the same remote peer. Instead of using a primary and backup tunnel over a single uplink, which may underutilize your available bandwidth, this feature creates multiple parallel IPsec VPN tunnels that work together to deliver enhanced performance and redundancy.

Prerequisites

  • MX running firmware 19.2.x

  • IKEv2

  • Routing set to “Static”. Dynamic/BGP routing is not supported.

Feature

When Active Active IPsec is enabled, the system automatically establishes IPsec tunnels on every available uplink to your designated remote peer. Traffic is then intelligently load-balanced across all healthy tunnels, providing both performance gains and built-in redundancy. If any tunnel becomes unavailable, traffic seamlessly redistributes across the remaining active connections.

This feature is mainly for organizations seeking to maximize the bandwidth of multiple internet connections for the Secure Internet use case to SSE PoPs.

Key Benefits

  • Increased Bandwidth: Aggregate bandwidth across multiple uplinks to achieve higher throughput.
     
  • Enhanced Reliability: Traffic automatically distributes across healthy tunnels, ensuring continued connectivity even if individual uplinks experience issues.
     
  • Optimized SASE/SSE Connectivity: Particularly valuable for organizations connecting to Secure Access Service Edge (SASE) or Security Service Edge (SSE) points of presence, where optimal bandwidth utilization is critical for user experience.
     
  • Intelligent Load Balancing: Traffic is automatically distributed across all active tunnels based on available bandwidth, optimizing resource utilization without manual intervention.

Enabling Multi-Uplink IPsec

This feature is mainly for the Secure Internet use case with SASE/SSE providers. Because traffic is load balanced across all healthy tunnels, it is important to ensure that the remote SASE/SSE peer sends return traffic back through the same tunnel on which it was received.

To enable Multi-Uplink IPsec:

  • Create or edit an IPsec peer.
  • Enable Multi-Uplink IPsec by toggling on the Multi-Uplink IPsec VPN option in the peer side drawer, as shown below.

Screenshot 2025-06-27 at 9.02.26 AM.png

Once Multi-Uplink IPsec is enabled, the same IPsec peer is established on other available WAN links. In the image above, an additional tunnel is formed on WAN2, with load balancing enabled by default over the active tunnels.

Load balancing behavior

Load balancing is only active when two or more tunnels are formed and healthy to the same remote peer. If only one tunnel is active to a remote peer, load balancing is disabled automatically.

Traffic is load balanced based on Source IP/Port and Destination IP/Port of the traffic routed. 

Failover behavior

Failover behavior remains the same as defined for the Native Primary & Secondary IPsec feature.

For Multi-Uplink IPsec failover, existing flows remain on their current tunnels, while new flows ride any newly formed tunnels. If only one active tunnel is available, all traffic will flow through the only active tunnel.
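
The load balancing and failover behavior described above, as an added illustrative model (not Meraki's code or its actual algorithm): it assumes a hash of the source/destination IP and port picks among healthy tunnels and that a flow table keeps established flows on their tunnel. The class, tunnel names and sample addresses are hypothetical.

```python
import hashlib

class MultiUplinkModel:
    """Illustrative model only; the hash and flow table are assumptions."""

    def __init__(self):
        self.healthy = []   # healthy tunnels to one remote peer, e.g. "WAN1"
        self.flows = {}     # (src_ip, src_port, dst_ip, dst_port) -> tunnel

    def tunnel_up(self, name):
        if name not in self.healthy:
            self.healthy.append(name)

    def tunnel_down(self, name):
        if name in self.healthy:
            self.healthy.remove(name)
        # Only flows pinned to the failed tunnel are re-placed on next packet.
        self.flows = {f: t for f, t in self.flows.items() if t != name}

    def load_balancing_active(self):
        # Per the page: load balancing needs two or more healthy tunnels.
        return len(self.healthy) >= 2

    def route(self, src_ip, src_port, dst_ip, dst_port):
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow in self.flows:            # existing flow stays on its tunnel
            return self.flows[flow]
        if not self.healthy:
            raise RuntimeError("no healthy tunnel to peer")
        digest = hashlib.sha256(repr(flow).encode()).digest()
        index = int.from_bytes(digest[:4], "big") % len(self.healthy)
        self.flows[flow] = self.healthy[index]
        return self.flows[flow]


def demo():
    # Constructed sample flows: 100 clients to one HTTPS destination.
    old = [("10.0.0.%d" % i, 40000 + i, "203.0.113.10", 443) for i in range(100)]
    new = [("10.0.1.%d" % i, 50000 + i, "203.0.113.10", 443) for i in range(100)]
    mx = MultiUplinkModel()
    mx.tunnel_up("WAN1")
    before = {mx.route(*f) for f in old}          # only WAN1 exists
    mx.tunnel_up("WAN2")
    pinned = {mx.route(*f) for f in old}          # old flows do not move
    spread = {mx.route(*f) for f in new}          # new flows use both tunnels
    mx.tunnel_down("WAN2")
    after = {mx.route(*f) for f in old + new}     # everything back on WAN1
    return before, pinned, spread, after
```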

Tunnel Monitoring & Visibility

For tunnel monitoring and visibility, see IPsec VPN Monitoring & Visibility.
