• Cisco Meraki’s unique auto provisioning site-to-site VPN connects branches securely with complete simplicity. Using IPsec over any wide area network, the MX links your branches to headquarters as well as to one another as if connected with a virtual Ethernet cable.
• When using Meraki hosted authentication, VPN account/user name setting on client devices (e.g., PC or Mac) is the user email address entered in the Dashboard. Open Start Menu Network and Sharing Center and click Settings.

On the Meraki MX, the configuration for “Non-Meraki VPN peers” is under: Security Appliance Site-to-site VPN Organization-wide settings Non-Meraki VPN peers. Here you can give a name, the WAN IP of the VPN peer, the private subnets of the remote site, the IPSec policies for phases 1 and 2 the pre-shared secret key and the.

The VPN:
The Meraki client VPN uses the L2TP tunneling protocol and can be deployed on PC’s, Mac’s, Android, and iOS devices without additional software as these operating systems natively support L2TP.

The Encryption Method:
Along with the L2TP/IP protocol the Meraki client VPN employs the following encryption and hashing algorithms: 3DES and SHA1 for Phase1, AES128/3DES and SHA1 for Phase 2. Best practice dictated that the shared secret should not contain special characters at the beginning or end.

Enabling Client VPN:
Select Enabled from the Client VPN server pull-down menu on the Security Appliance -> Configure -> Client VPN page. You can then configure the following options:

• Client VPN Subnet: The subnet that will be used for Client VPN connections. This should be a private subnet that is not in use anywhere else in your network. The MX will be the default gatway on this subnet and will route traffic to and from this subnet.
• DNS Nameservers: The servers VPN Clients will use to resolve DNS hostnames. You can choose from Google Public DNS, OpenDNS, or specifying custom DNS servers by IP address.
• WINS: If you want your VPN clients to use WINS to resolve NetBIOS names, select Specify WINS Servers from the drop-down and enter the IP addresses of the desired WINS servers.
• Secret: The shared secret that will be used to establish the Client VPN connection.
• Authentication: How VPN Clients will be authenticated.
• Systems Manager Sentry VPN Security: Configuration settings for whether devices enrolled in systems manager should receive a configuration to connect to the Client VPN.

Authentication:
The VPN uses both pre-shared key based authentication and user authentication. To set up the user authentication mechanism, you will need to select your authentication method.

Meraki Cloud Authentication:
Use this option if you do not have an Active Directory or RADIUS server, or if you wish to manager your VPN users via the Meraki cloud. To add or remove users, the User Management section at the bottom of the page. Add a user by selecting “Add new user” and entering the following information:

Meraki Mx Vpn Apk

• Name: Enter the user’s name
• Email: Enter the user’s email address
• Password: Enter a password for the user or select “Generate” to automatically generate a password
• Authorized: Select whether this user is authorized to use the Client VPN

In order to edit an existing user, click on the user under User Management section. To delete a user, click the X next to the user on the right side of the user list. When using Meraki hosted authentication, the user’s email address is the username that is used for authentication.

RADIUS:
Use this option to authenticate users on a RADIUS server. Click Add a RADIUSserver to configure the server(s) to use. You will need to enter the IP address of the RADIUS server, the port to be used for RADIUS communication, and the shared secret for the RADIUS server.

Active Directory:
Use this option if you want to authenticate your users with Active Directory domain credentials. You will need to provide the following information:

• Short Domain: The short name of your Active Directory domain.
• Server IP: The IP address of an Active Directory server on the MX LAN.
• Domain Admin: The domain administrator account the MX should use to query the server.
• Password: Password for the domain administrator account.

For example, considering the following scenario: You wish to authenticate users in the domain test.company.com using an Active Directory server with IP 172.16.1.10. Users normally log into the domain using the format ‘test/username’ and you have created a domain administrator account with the username ‘vpnadmin’ and the password ‘vpnpassword’.

• The Short domain would be ‘test’.
• The Server IP would be 172.16.1.10
• The Domain admin would be ‘vpnadmin’
• The Password would be ‘vpnpassword’.

At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.

Systems Manager Sentry VPN Security:
When using Meraki cloud authentication, Systems Manager Sentry VPN security can be configured. If your Dashboard organization contains one or more MDM networks. Systems Manager Sentry VPN security allows for your devices enrolled in Systems Manager to receive the configuration to connect to the Client VPN through the Systems Manager profile on the device.

To enable Systems Manager Sentry VPN security, choose Enabled from the Client VPN server pulldown menu on the Security Appliance -> Configure -> Client VPN page. You can configure the following options:

• Install Scope: The install scope allows you to select a set of Systems Manager tags for a particular MDM network. Devices with these tags applied in a Systems Manager network will receive a configuration to connect to this network’s Client VPN server through their Systems Manager profile.
• Send All Traffic: Select whether all client traffic should be sent to the MX.
• Proxy: Whether a proxy should be used for this VPN connection. This can be set to automatic, manual, or disabled.

When using Systems Manager Sentry VPN security, the username and password used to connect to the client VPN are generated by the Meraki cloud. Usernames are generated based on a hash of unique identifier on the device and the username of that device. Passwords are randomly generated.

Setting up site-to-site VPN

Site-to-site VPN settings are accessible through the Security & SD-WAN > Configure > Site-to-site VPN page.

Type

There are three options for configuring the MX-Z's role in the Auto VPN topology:

• Off: The MX-Z device will not participate in site-to-site VPN.
• Hub (Mesh): The MX-Z device will establish VPN tunnels to all remote Meraki VPN peers that are also configured in this mode, as well as any MX-Z appliances in hub-and-spoke mode that have the MX-Z device configured as a hub.
• Spoke: This MX-Z device (spoke) will establish direct tunnels only to the specified remote MX-Z devices (hubs). Other spokes will be reachable via their respective hubs unless blocked by site-to-site firewall rules.

Hub Type

Exit Hubs

This option is only available if the MX-Z device is configured as a Hub. This option lets you designate the remote MX-Z device that is to receive all network traffic from the local MX-Z device. This creates a Full Tunnel configuration where all traffic destined for a default route is sent to the specified MX.

Security features over full-tunnel VPN

In a full tunnel topology, all security and content filtering must be performed on the full tunnel client. The Exit hub will not apply Content Filtering, IPS blocking, or Malware Scanning to traffic coming in over the VPN. However, IDS scanning will be performed for this traffic.

Spoke Type

Hubs

When an appliance is configured as a Spoke, multiple VPN Hubs can be configured for that appliance. In this configuration, the Spoke MX-Z device will send all site-to-site traffic to its configured VPN hubs.

Default Route

When configuring Hubs for a Spoke, there is an option to select a hub as being a Default route. If this option is selected, then that hub will be configured as a default route for the Spoke (0.0.0.0/0). Any traffic that is not sent to a configured VPN peer network, static route or local network will be sent to the default route. Multiple hubs can be selected as default routes. Hubs marked as default routes take priority in descending order (first priority at the top).

Configuring multiple VPN hubs

To add additional hubs, click the 'Add a hub' button just below the existing hub that is selected. Please note that only appliances in Mesh VPN mode can be hubs, so the number of Mesh VPN appliances in your Dashboard organization represents the maximum number of hubs that can be configured for any given appliance.

The order in which hubs are configured on this page is the hub priority. Hub priority is used to determine which hub to use if more than one VPN hub is advertising the same subnet. The uppermost hub that meets the following criteria will be used to reach that subnet.

A) Advertises the subnet

B) Currently reachable via VPN

Hubs can be deleted by clicking on the grey 'X' to the right of the relevant hub under the Actions column. The hub priority list can be reordered by clicking and dragging the grey four-point arrow icon to the right of any hub in the list to move that hub up or down.

Tunneling

There are two tunneling modes available for MX-Z devices configured as a Spoke:

• Split tunnel (no default route): Send only site-to-site traffic, meaning that if a subnet is at a remote site, the traffic destined for that subnet is sent over the VPN. However, if traffic is destined for a network that is not in the VPN mesh (for example, traffic going to a public web service such as www.google.com), the traffic is not sent over the VPN. Instead, this traffic is routed using another available route, most commonly being sent directly to the Internet from the local MX-Z device. Split tunneling allows for the configuration of multiple hubs.
• Full tunnel (default route): The configured Exit hub(s) advertise a default route over Auto VPN to the spoke MX-Z device. Traffic destined for subnets that are not reachable through other routes will be sent over VPN to the Exit hub(s). Exit hubs' default routes will be prioritized in descending order.

Concentrator priority

The concentrator priority determines how appliances in Hub (Mesh) mode will reach subnets that are advertised from more than one Meraki VPN peer. Similarly to hub priorities, the uppermost concentrator in the list that meets the following criteria will be used for such a subnet.

A) Advertises the subnet

B) Currently reachable via VPN

It is important to note that concentrator priorities are used only by appliances in Meshmode. An appliance in Hub-and-Spoke mode will ignore the concentrator priorities and will use its hub priorities instead.

NAT Traversal

If the MX-Z device is behind a firewall or other NAT device, there are two options for establishing the VPN tunnel:

• Automatic: In the vast majority of cases, the MX-Z device can automatically establish site-to-site VPN connectivity to remote Meraki VPN peers even through a firewall or NAT device using a technique known as 'UDP hole punching'. This is the recommended (and default) option.
• Manual: Port forwarding: If the Automatic option does not work, you can use this option. When Manual: Port forwarding is enabled, Meraki VPN peers contact the MX-Z device using the specified public IP address and UDP port number. You will need to configure the upstream firewall to forward all incoming traffic on that UDP port to the IP address of the MX-Z device.

Make sure the port number you have chosen is not already used by another service. For example, do not use port 500 or 4500 as these are used for Client VPN and 3rd party VPN peer communication.

If you have multiple LAN subnets, you have the option to specify which VLANs and static routes participate in the VPN.

The same subnet can only be advertised from more than one appliance if all appliances advertising that subnet are in Passthrough or VPN Concentratormode. All subnets advertised from an appliance in Routed mode must be unique within the Auto VPN topology.

Subnets to which the MX-Z device has Static LAN routes can also be advertised over the VPN. If you choose to advertise a statically routed subnet over the VPN, ensure that the gateway device for each subnet is configured to route traffic for remote VPN subnets to the MX-Z device, in order to keep your routing symmetrical.

In full tunnel configurations when specifying a prefix to be part of a VPN, everything covered by that prefix will be allowed in the VPN. Therefore, subnets that overlap will cause traffic in a more specific subnet to be sent through the VPN, even if it is not configured to be included in the VPN. For example, if 10.0.0.0/16 is configured to be included in the VPN but 10.0.1.0/24 is not, traffic sourced from 10.0.1.50 will still be sent over the VPN.

VPN Subnet Translation

This feature is not enabled by default, please contact Meraki support to enable it.

Moreover, this feature is only supported for Auto VPN and is not intended to work with non-Meraki VPN peers.

In large distributed networks, multiple networks may have identical subnet scopes (i.e. overlapping subnets). Site-to-site VPN communication requires each site to have distinct and non-overlapping local subnets. In the event that multiple locations have the same local subnet, enable VPN subnet translation to translate the local subnet to a new subnet with the same number of addresses.

Subnet Translation Example

• Branch 1 local subnet: 192.168.31.0/24
• Branch 2 local subnet: 192.168.31.0/24 (identical!)
• Branch 1 translated subnet: 10.0.1.0/24
• Branch 2 translated subnet: 10.0.2.0/24

OSPF route advertisement

While the MX Security Appliance does not currently support full OSPF routing, OSPF can be used to advertise remote VPN subnets to a core switch or other routing device, avoiding the need to create static routes to those subnets. OSPF advertisement is only supported in VPN Concentrator mode.

Advertise remote routes: If this is set to Enabled, OSPF will be used to advertise remote VPN subnets as reachable via this concentrator.

Router ID: The OSPF Router ID that this concentrator will use to identify itself to neighbors

Area ID: The OSPF Area ID that this concentrator will use when sending route advertisements.

Meraki Mx Vpn Client Setup

Cost: The route cost attached to all OSPF routes advertised from this concentrator.

Hello timer: How frequently the concentrator will send OSPF Hello packets. This should be the same across all devices in your OSPF topology.

Dead timer: How long the concentrator will wait to see Hello packets from a particular OSPF neighbor before considering that neighbor inactive

MD5 Authentication: If this is enabled, MD5 hashing will be used to authenticate potential OSPF neighbors. This ensures that no unauthorized devices are injecting OSPF routes into the network.

Authentication Key: The MD5 key number and passphrase. Both of these values must match between any devices that you wish to form an OSPF adjacency.

You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click 'Add a peer' and enter the following information:

• A name for the remote device or VPN tunnel.
• What IKE version to use (IKEv1 or IKEv2)*
• The public IP address of the remote device.
• The Remote ID of the remote peer. This is an optional configuration and can be configured to the remote peer’s UserFQDN (e.g. user@domain.com), FQDN (e.g. www.example.com) or IPv4 address as needed.
  • Which of these values you use is dependent upon your remote device. Please consult its documentation to learn what values it is capable of specifying as its remote ID, and how to configure them (e.g. crypto isakmp identity for ASA firewalls)
• The subnets behind the third-party device that you wish to connect to over the VPN. 0.0.0.0/0 can also be specified to define a default route to this peer.

  • Note that if an MX-Z device is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.

• The IPsec policy to use.
• The preshared secret key (PSK).
• Availability settings to determine which appliances in your Dashboard Organization will connect to the peer.

*IKEv2 requires firmware version 15.12 or greater

Meraki Mx Vpn Anyconnect

NOTE For IKEv2

Meraki Appliances build IPsec tunnels by sending out a request with a single traffic selector that contains all of the expected local and remote subnets. Certain vendors may not support allowing more than one local and remote selector in a given IPsec tunnel (e.g. ASA 5500-X series firewalls running certain firmware releases); for such cases, please use IKEv1 instead.

An MX-Z device will not try to form a VPN tunnel to a non-Meraki peer if it does not have any local networks advertised.

IPsec policies

There are three preset IPsec policies available.

• Default: Uses the Meraki default IPsec settings for connection to a non-Meraki device
• AWS: Uses default settings for connecting to an Amazon VPC
• Azure: Uses default settings for connecting to a Microsoft Azure instance

If none of these presets are appropriate, the Custom option allows you to manually configure the IPsec policy parameters. These parameters are divided into Phase 1 and Phase 2.

Phase 1

• Encryption: Select between AES-128, AES-192, AES-256, and 3DES encryption
• Authentication: Select MD5, SHA1 or SHA256* authentication
• Diffie-Hellman group: Select between Diffie-Hellman (DH) groups 1, 2, and 5
• Lifetime (seconds): Enter the phase 1 lifetime in seconds

*SHA256 requires firmware version 15.12 or greater

Phase 2

• Encryption:Select between AES-128, AES-192, AES-256, and 3DES encryption (multiple options can be selected)
• Authentication:Select between MD5 and SHA1 authentication (both options can be selected)
• PFS group: Select the Off option to disable Perfect Forward Secrecy (PFS). Select group 1, 2, or 5 to enable PFS using that Diffie Hellman group.
• Lifetime (seconds): Enter the phase 2 lifetime in seconds

Meraki Vpn Settings

Meraki Mx Vpn Extension

On May 8th 2018, changes were introduced to deprecate DES for encryption. Click here for more information.

NOTE: Please ensure the phase 2 lifetimes are equal on both ends of the tunnel whenever possible. While MX's can sometimes honor a shorter phase 2 lifetime if they're acting in response to build a tunnel, they cannot while serving as the initiator of the tunnel.

Peer availability

By default, a non-Meraki peer configuration applies to all MX-Z appliances in your Dashboard Organization. Since it is not always desirable for every appliance you control to form tunnels to a particular non-Meraki peer, the Availability column allows you to control which appliances within your Organization will connect to each peer. This control is based on network tags, which are labels you can apply to your Dashboard networks.

When 'All networks' is selected for a peer, all MX-Z appliances in the organization will connect to that peer. When a specific network tag or set of tags is selected, only networks that have one or more of the specified tags will connect to that peer.

More information on network tags can be found here.

VPN Firewall Rules

Meraki Mx Vpn Throughput

You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic to/from from all MX-Z appliances in the Organization that participate in site-to-site VPN. These rules are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN Firewall rules will not apply to inbound traffic or to traffic that is not passing through the VPN.