
IPSec VPN with Cisco Meraki VPN Gateway

RansNet SD-WAN solutions can establish IPSec VPN tunnels with 3rd-party products using standard IPSec protocols. This interoperability enables hybrid deployments where RansNet branches connect to legacy VPN gateways, allowing multi-vendor networks without vendor lock-in. This document details how to configure IPSec VPN tunnels between RansNet branch routers and Cisco Meraki MX gateway series.

In typical hub-and-spoke deployments, only the hub (Meraki gateway) requires a static public IP address, while remote branches can connect over dynamic broadband, 4G, or 5G. The same configuration patterns apply to other VPN gateway vendors; only the GUI navigation and field names differ.

Note

All RansNet SD-WAN/SD-Branch routers (HSA, UA, CMG series) include both firewall and VPN gateway capabilities, so they can function as either VPN gateways or branch routers. See related documentation for RansNet-to-RansNet VPN setups, and IPSec VPN with Fortinet for similar setup with a Fortinet gateway.


Topology

IPSec VPN to Meraki

This document uses a hub-and-spoke topology where:

  • Hub: Cisco Meraki MX gateway with static public IP acting as the VPN gateway
  • Spokes: RansNet branch routers (HSA-520, UA-520, or CMG) connecting over dynamic or static WAN links
  • Network connectivity: Each branch reaches the hub LAN through an encrypted IPSec tunnel. Branch-to-branch traffic, if required, transits the hub, so the other branch networks must then be included in the Phase 2 selectors (remote networks) on both the Meraki peer and the branch

Meraki Gateway Configuration

This section covers the required VPN and firewall settings on the Meraki gateway to establish IPSec tunnels with RansNet branch routers. Other Meraki configuration areas (system, interfaces, etc.) are assumed to be preconfigured and are omitted.

Step 1: Configure VPN Network Settings

Configure VPN network settings including the LAN subnet range on the Meraki gateway.

Meraki VPN Network Settings

Step 2: Configure IPSec VPN Type

Configure the IPSec VPN type and general parameters.

Meraki IPSec VPN Type

Note

  • Enable NAT Traversal if the Meraki gateway sits behind a NAT device. Because the branches initiate the tunnel, that device must also forward inbound UDP 500 (IKE) and UDP 4500 (NAT-T) to the Meraki WAN interface
  • Most other parameters can remain at their defaults

Step 3: Configure Non-Meraki VPN Peers

Configure Non-Meraki VPN peer settings including:

  • Name — Identifier for the peer
  • IKE version — IKE protocol version
  • Public IP — Remote peer public IP address
  • Local ID — Local gateway identifier (required if behind NAT)
  • Private subnets — Remote networks participating in the VPN
  • Pre-shared secret — Shared authentication key (case sensitive)

Meraki VPN Peers

Note

If the Meraki gateway is behind a firewall with NAT, the Local ID must be explicitly configured.

Step 4: Configure IPSec Policies

Configure IPSec security policies for Phase 1 (IKE) and Phase 2 (IPSec) settings.

Meraki IPSec Policies

Step 5: Configure Firewall Rules

Configure firewall rules to permit VPN tunnel traffic and disable NAT for inter-site communications.

Meraki Firewall Rules

RansNet Branch Router Configuration

Branch routers can connect over dynamic broadband, 4G/5G, or static IP links. Rather than manually configuring each branch router individually, use the RansNet SD-WAN orchestrator (mfusion) to centrally provision and manage all branch VPN configurations. This approach creates a “dummy VPN gateway” on mfusion that emulates the Meraki settings, allowing mfusion to generate and push configuration to all branches with a few clicks.

Step 1: Provision Branch Routers and Dummy Gateway

  1. Provision all branch routers on mfusion (see Device Provisioning for details)
  2. Add a dummy VPN gateway to mfusion to emulate the Meraki gateway

mfusion Provisioning

Step 2: Create IPSec VPN Instance

On the dummy VPN gateway, create an IPSec VPN instance with settings that match the Meraki gateway.

mfusion VPN Instance

Note

  • Gateway IP — The publicly accessible IP address of the Meraki VPN gateway
  • Gateway ID — Must match the “Local ID” configured in Meraki Step 3 (required if the gateway IP is NATed)
  • Pre-shared Key — Must match the key configured on the Meraki gateway
  • Phase I & II Policies — Must match the IKE and IPSec policies on the Meraki gateway
  • Gateway Network — Must match the “Local Address” configured on the Meraki gateway

Step 3: Assign Branches to VPN Instance

Assign all branch routers to the VPN instance and configure each branch’s local network.

mfusion Branch Assignment

Note

For multiple branch routers, assign them all to the same VPN instance and configure each router's unique branch network separately. On the Meraki side, create a corresponding Non-Meraki VPN peer (Step 3) for each branch router, listing that branch's LAN under its private subnets; a branch without its own peer will negotiate nothing and shows up later as "partial connectivity".

Step 4: Apply Configuration

Save and apply the configuration from mfusion.

Note

The configuration push to the dummy VPN gateway will fail (expected behavior, since the gateway is not real). mfusion will still generate and push the IPSec configuration to all assigned RansNet branch routers.

Step 5: Configure Firewall Rules on Branches

Configure firewall access rules on the branch routers to permit VPN tunnel traffic between the branch LAN and Meraki gateway network.

mfusion Firewall Configuration

You can create a firewall template and apply it to all branch routers. Ensure rules permit bidirectional communication between the branch network and Meraki gateway network. NAT is automatically disabled for VPN tunnel networks — no special configuration is required.


Verification

Verify that IPSec tunnels are established and configured correctly on RansNet branch routers.

| Item to test | Command | Expected outcome |
|---|---|---|
| Routing to VPN gateway | show ip route | Branch router has a route to the Meraki VPN gateway IP (at minimum, a default route to the ISP) |
| IPSec tunnel status | show ipsec status | IPSec tunnel shows UP with established IKE and IPSec SAs (Security Associations) |
| Firewall rules | show firewall access-list | Firewall rules permit bidirectional traffic between the branch LAN and the Meraki gateway network |
| Connectivity to Meraki | ping <meraki-lan-ip> source <branch-lan-ip> | Ping succeeds with latency appropriate to the internet link. Sourcing from the branch LAN address is deliberate: a ping sourced from the WAN address does not match the Phase 2 selectors and is sent unencrypted to the internet instead |

Troubleshooting

| Symptom | Likely cause | Solution |
|---|---|---|
| IPSec tunnel stays DOWN | IKE negotiation failed; pre-shared key or ID mismatch; firewall blocking UDP 500/4500 | Verify the pre-shared key and the Local ID / Gateway ID pair match on both Meraki and RansNet (both are case sensitive). Check Meraki IKE logs. Verify the path permits UDP 500 (IKE) and UDP 4500 (NAT-T) to the Meraki gateway IP, and ESP (IP protocol 50) if the tunnel runs without NAT-T |
| Tunnel UP but no traffic flows | Phase 2 (IPSec) selectors misconfigured; firewall rules blocking traffic; NAT not disabled | Verify the Phase 2 selectors on Meraki match the branch networks. On RansNet, check that firewall rules permit traffic between the branch LAN and the Meraki network |
| Partial connectivity (some branches work, others don't) | Phase 2 selectors on Meraki missing for specific branches; remote network configuration mismatch | On Meraki, verify a VPN peer and IPSec selector exists for each branch router. Ensure "Remote Address" on Meraki matches each branch's "Local Network" in mfusion |
| Intermittent tunnel drops | NAT-T not enabled if the gateway is behind NAT; NAT or firewall timing out idle tunnels | Enable NAT Traversal on Meraki if the gateway is behind NAT. Check that the NAT device or firewall does not expire idle IPSec sessions; NAT-T keepalives (RFC 3948) exist precisely to hold the UDP 4500 mapping open |

Run show logging system to inspect IPSec negotiation and tunnel state change logs for detailed troubleshooting.


Example IPSec Configuration

Below is example CLI configuration generated by mfusion and pushed to a RansNet branch router:

!
ipsec ike-policy 2
 authentication psk
 policy AES-256 SHA-256 5
!
ipsec esp-policy 2
 policy AES-256 SHA-256 5
!
ipsec peer 48.128.58.71
 local-id 1c-40-e8-13-cb-8f
 local-net 192.168.98.1/24
 remote-id merakivpn.cmi
 remote-net 192.168.1.0/24
 policy ike 2 esp 2
 psk Letmein99
!

This configuration:

  • Defines IKE and IPSec security policies (AES-256 encryption, SHA-256 hashing, DH/PFS group 5). Group 5 is 1536-bit MODP and is weak by current standards; where the Meraki side offers it, select group 14 (2048-bit) or higher for both phases and change the matching policy here
  • Establishes a peer relationship with the Meraki gateway at 48.128.58.71, identifying itself with local-id 1c-40-e8-13-cb-8f and expecting remote-id merakivpn.cmi (the Meraki "Local ID")
  • Protects traffic between the branch LAN (192.168.98.1/24, i.e. the 192.168.98.0/24 network) and the Meraki gateway network (192.168.1.0/24)
  • Uses pre-shared key (PSK) authentication with the configured passphrase. The key shown is only an illustration; in production use a long random key (32 characters or more) that is unique per peer, since the PSK is the sole authenticator of the tunnel
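The "must match" list in branch Step 2 and the troubleshooting table above amount to a checklist that is easy to get wrong by hand, especially the crossed Local ID / remote-id pair and the fact that mfusion writes the branch LAN as an interface address with a prefix length. The following is an added example, not RansNet or Meraki code: it parses the example branch configuration shown above (embedded verbatim as constructed input) and compares it with a constructed transcription of the Meraki peer fields. The MERAKI_PEER field names, the function names and the 20-character PSK threshold are assumptions made for the example; the RansNet CLI syntax it parses is only what this page's example shows.

```python
# Added example (not RansNet or Meraki code): cross-check a RansNet branch
# "ipsec peer" block against the values entered on the Meraki dashboard.
# BRANCH_CONFIG is this page's example config; MERAKI_PEER is a constructed
# transcription of the Meraki Non-Meraki-peer fields (key names assumed).
import ipaddress
import re

BRANCH_CONFIG = """\
ipsec ike-policy 2
 authentication psk
 policy AES-256 SHA-256 5
!
ipsec esp-policy 2
 policy AES-256 SHA-256 5
!
ipsec peer 48.128.58.71
 local-id 1c-40-e8-13-cb-8f
 local-net 192.168.98.1/24
 remote-id merakivpn.cmi
 remote-net 192.168.1.0/24
 policy ike 2 esp 2
 psk Letmein99
!
"""

MERAKI_PEER = {                              # constructed, from Meraki Steps 1-4
    "local_id": "merakivpn.cmi",             # Meraki "Local ID"
    "remote_id": "1c-40-e8-13-cb-8f",        # the branch's local-id as Meraki sees it
    "private_subnets": ["192.168.98.0/24"],  # branch LAN(s) behind this peer
    "local_subnets": ["192.168.1.0/24"],     # Meraki VPN local address
    "psk": "Letmein99",
    "phase1": ("AES-256", "SHA-256", 5),     # encryption, hash, DH group
    "phase2": ("AES-256", "SHA-256", 5),     # encryption, hash, PFS group
}


def parse_branch_config(text):
    """Return ({'ike': {id: (enc, hash, group)}, 'esp': {...}}, peer_dict)."""
    policies, peer, section = {"ike": {}, "esp": {}}, {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "!":
            continue
        m = re.fullmatch(r"ipsec (ike|esp)-policy (\d+)", line)
        if m:
            section = (m[1], int(m[2]))
            continue
        m = re.fullmatch(r"ipsec peer (\S+)", line)
        if m:
            section, peer = ("peer", None), {"gateway_ip": m[1]}
            continue
        if section is None:
            continue
        key, _, value = line.partition(" ")
        if section[0] == "peer":
            peer[key.replace("-", "_")] = value      # local-id -> local_id, etc.
        elif key == "policy":                        # "AES-256 SHA-256 5"
            enc, auth, group = value.split()
            policies[section[0]][section[1]] = (enc, auth, int(group))
    return policies, peer


def net(text):
    """Normalise an interface address such as 192.168.98.1/24 to 192.168.98.0/24."""
    return ipaddress.ip_network(text, strict=False)


def check_against_meraki(policies, peer, meraki):
    """Mismatches that keep the tunnel DOWN or leave it UP with no traffic."""
    problems = []
    if peer["remote_id"] != meraki["local_id"]:      # IDs are crossed between sides
        problems.append("remote-id does not equal Meraki Local ID")
    if peer["local_id"] != meraki["remote_id"]:
        problems.append("local-id is not what Meraki expects from this peer")
    if peer["psk"] != meraki["psk"]:                 # compared case-sensitively
        problems.append("pre-shared key mismatch")
    if net(peer["local_net"]) not in {net(s) for s in meraki["private_subnets"]}:
        problems.append(f"no Meraki private subnet for branch LAN {net(peer['local_net'])}")
    if net(peer["remote_net"]) not in {net(s) for s in meraki["local_subnets"]}:
        problems.append(f"remote-net {peer['remote_net']} is not a Meraki local subnet")
    ike_id, esp_id = map(int, re.fullmatch(r"ike (\d+) esp (\d+)", peer["policy"]).groups())
    if policies["ike"][ike_id] != meraki["phase1"]:
        problems.append("Phase 1 (IKE) proposal differs from Meraki")
    if policies["esp"][esp_id] != meraki["phase2"]:
        problems.append("Phase 2 (IPSec) proposal differs from Meraki")
    return problems


def hygiene_warnings(policies, peer):
    """Settings that interoperate fine but are weak by current practice."""
    warnings = []
    for kind in ("ike", "esp"):
        for pid, (_, _, group) in policies[kind].items():
            if group < 14:                           # groups 1/2/5 are <= 1536-bit MODP
                warnings.append(f"{kind}-policy {pid}: DH group {group}; prefer 14 or higher")
    if len(peer["psk"]) < 20:                        # threshold is an assumption
        warnings.append("short PSK; use a long random value (e.g. secrets.token_urlsafe(32))")
    return warnings


def branches_without_peer(branch_peers, meraki_peers):
    """local-ids of branches whose LAN appears in no Meraki peer (partial connectivity)."""
    covered = {net(s) for mp in meraki_peers for s in mp["private_subnets"]}
    return [p["local_id"] for p in branch_peers if net(p["local_net"]) not in covered]
```

Run `check_against_meraki(*parse_branch_config(BRANCH_CONFIG), MERAKI_PEER)` after every mfusion push; an empty list means the two sides agree on IDs, key, selectors and proposals, which covers the first three rows of the troubleshooting table. `hygiene_warnings` flags the DH group 5 and short PSK in the page's example, and `branches_without_peer` takes the parsed peers from several branches plus all Meraki peers and names any branch that was never given its own Meraki peer.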