IPSec VPN with Meraki VPN gateways

RansNet SD-WAN solutions can establish IPSec VPN tunnels with Meraki products using standard IPSec protocols. This interoperability is essential to complement customers’ legacy setup and/or enable business operations with multi-vendor networks. This document details how to set up VPN tunnels between RansNet and Meraki devices.

In many cases, the VPN topology is hub-and-spoke, and remote sites are connected to the Internet with dynamic IP addresses or 4G/5G, so only the hub site (Meraki) needs a static IP address.

In this example, we use a Meraki gateway as the VPN hub, and remote branches use RansNet SD-Branch (HSA/UA/CMG) routers. The same concept works for other brands of VPN gateways which may slightly differ in GUI/CLI settings only.

It’s important to note that all RansNet SD-WAN/SD-Branch routers also have firewall and VPN gateway capabilities. Each RansNet appliance can function as either a VPN gateway or branch router. We will have a separate document explaining how to set up RansNet as the VPN Gateway and other brands as the remote branches.

Configuration on Meraki VPN gateway

Other parts of Meraki settings are omitted here. The below steps show the required VPN and firewall settings on the Meraki gateway to establish VPN tunnels with RansNet branch routers.

Step 1Configure VPN network settingsLAN subnet range

.

Step 2 – Configure the IPSec VPN type.

NOTE


– Enable “NAT Traversal” if Meraki is behind another firewall with NAT.
– Most other parameters can just leave the default.

.

Step 3– Configure Non-Meraki VPN peers

  • Configure the ‘Name’ of the Non-Meraki VPN peers, IKE version, IPSec
  • Public IP can be configured as any network, Local ID
  • Private subnets – Remote local network participating in the VPN, preshared secret (case sensitive)

NOTE

– If Meraki is behind a firewall (with NAT), then the “Local ID” must be configured.

.

Step 4– Configure IPSec Policies – (Phase 1 & Phase 2)

.

Step 5Configure firewall rules to permit access and disable NAT for VPN tunnel traffic..

.

.

Configuration for RansNet Branch Routers

The branch routers can be connected over 4G/5G or broadband connections with static/dynamic IP addresses. In typical deployment scenarios, there’ll be many remote branch routers, and managing individual router configurations can be a challenge. Fortunately, we can still use the RansNet SD-WAN orchestrator (mfusion) to centrally provision and manage configurations for all routers, despite the hub being a 3rd-party VPN router.

In this case, we will provision a dummy gateway on mfusion and create an IPSec VPN instance to emulate Meraki VPN settings, and assign all branch routers to the gateway VPN instance, as we would do for SD-WAN provisioning. Then all routers’ VPN configurations will be centrally generated and pushed with just a few clicks.

Step 1– provision all branch routers and a dummy VPN gateway to mfusion. Refer to Provision Hosts for a detailed guide. The branch routers should be online after this step, user can view the status by navigating to ‘ORCHESTRATOR > Monitoring > Hosts‘ menu

Image: Ransnet provision host config
Image: Meraki VPN Gateway config

.

Step 2 – import hosts to mfusion orchestrator.

User can Import the dummy “Meraki_VPN_GW” host to the “Orchestrator → Gateway” menu, and select the ‘Empty‘ template from the topology template. The Status will show as “DOWN” but just ignore it.

Import the branch router to the “Orchestrator > SD-Branch” menu, select the ‘Default‘ template from the topology template (or copy it from other hosts if you already have existing configured hosts).

.

Step 3 – On the dummy VPN gateway, create an IPSec VPN instance to emulate Meraki VPN settings.

NOTE

– “Gateway IP” is the publicly accessible IP of the Meraki VPN gateway
– The “Gateway ID” must match the “Local ID” in Step #4 of Meraki (required if the gateway IP is NATed)
– Pre-shared key and Phase I & II security policies need to match with Meraki
– “Gateway Network” is the “Local Address” of Meraki

.

Step 4 – Assign all branch routers to the VPN instance and configure the branch (remote) network for each router.

NOTE

– If you have multiple branch routers, just assign them to the same VPN instance and change each router branch network setting
– However, on the Meraki side, please make sure to create respective “Phase 2 Selectors” for each remote branch and include the correct “Local Address” (Gateway Network) and “Remote Address” (Branch Network) settings.

.

Step 4 – Click the “Apply Config” button and all the required settings will be pushed to the branch routers. All branch routers will auto-initiate VPN tunnels to the Meraki gateway.

NOTE

Config push to the dummy VPN gateway will fail but you can safely ignore it.

.

Step 5 – Configure firewall access rules to permit VPN traffic across the tunnel ( User can configure a firewall template and apply it to all branch routers). Make sure firewall rules permit two-way communications. NAT is auto disabled for VPN tunnel networks, no special configuration is required.

.

Snip of CLI config pushed to RansNet branch router

!
firewall-access 200 permit all ip src 192.168.0.0/16 dst 192.168.0.0/16
!
ipsec ike-policy 2
 authentication psk
 policy AES-256 SHA-256 5
!
ipsec esp-policy 2
 policy AES-256 SHA-256 5
!
ipsec peer 48.128.58.71
 local-id 1c-40-e8-13-cb-8f
 local-net 192.168.98.1/24
 remote-id merakivpn.cmi
 remote-net 192.168.1.0/24
 policy ike 2 esp 2
 psk Letmein99