Non-Meraki VPN peers with default route


You can create site-to-site VPN tunnels between the MX appliance and the Cloudi-Fi VPN endpoint under the Non-Meraki VPN peers section on the Security Appliance > Configure > Site-to-site VPN page.

First, choose which Meraki network will be forwarded in the IPsec tunnel.

Then simply click "Add a peer" and enter the following information:
· A name for your VPN tunnel.
· The public IP address of the peer, which has been communicated in your onboarding document.
· The hub should be configured as a default route for the spoke (option to select), e.g. 0.0.0.0/0 should be specified as a default route to this peer.
· The IPsec policy to use.
· The preshared secret key (PSK), which has been communicated in your onboarding document.

IPsec policies

Use the Custom policy option to manually configure the IPsec policy.

If you have a dynamic public IP, you have to contact Meraki support to activate a feature allowing you to use an FQDN as the VPN identifier.
Once the feature is activated, you will have a new field named "User FQDN" in the VPN configuration.

Monitoring site-to-site VPN

You can monitor the status of the site-to-site VPN tunnels between your Meraki devices by clicking Security Appliance > Monitor > VPN Status. This page provides real-time status for the configured Meraki site-to-site VPN tunnels. It lists the subnet(s) being exported over the VPN, connectivity information between the MX appliance and the Meraki VPN registry, NAT Traversal information, and the encryption type being used for all tunnels. Additionally, the Site connectivity list provides the following information for remote Meraki VPN peers:

· Name of the remote Meraki VPN peer.
· Subnets that are being advertised over the VPN by the remote peer device.
· Status (whether the peer is currently reachable).
· Round-trip packet latency over the VPN (in milliseconds).
· Last time a heartbeat packet was sent to determine the status of the VPN tunnel (in seconds).

More troubleshooting details: https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Peers
