In addition to the revolutionary Auto VPN solution, Meraki MX security appliances also offer the option of a direct L2TP/IPsec VPN connection for remote clients, referred to as Client VPN. It uses the L2TP/IPsec client built into the remote device's operating system to create an encrypted tunnel directly between the client and the MX WAN interface, giving the remote client direct access to local resources hosted behind the MX. Client VPN allows the use of several different types of authentication, including Meraki cloud-hosted authentication, Active Directory, and RADIUS, to allow secure and easy integration with nearly any existing deployment.
Pro Tip
Google was the first to omit an L2TP VPN client (in the Android OS), and other companies are signaling that they intend to do the same.
Cisco AnyConnect
In addition to Client VPN, Meraki security appliances also support the use of Cisco AnyConnect for remote client connectivity. This further simplifies the required configuration for remote clients through the use of the AnyConnect client to create an SSL-based VPN, removing the need to configure an L2TP/IPsec VPN directly on the end device. Additionally, this allows for the use of AnyConnect profiles, which can be a powerful tool for providing more advanced configurations to client devices such as backup server lists, authentication timeouts, ISE posturing, and more.
Pro Tip
The AnyConnect client option offers a richer feature set that is more robust than Client VPN from a security perspective. Consider this when deciding which VPN client method to support.
Non-Meraki VPN
When connecting to devices that are unable to utilize Meraki’s Auto VPN technology, such as to Meraki devices outside of the current organization or to non-Meraki devices via VPN, a more traditional approach is required to bring up the VPN connection.
Pro Tip
“Non-Auto VPN Configuration” would be an appropriate alternative title for this section, as tunnels to other Meraki devices outside of the Auto VPN topology must be configured here in addition to non-Meraki devices.
Located at the bottom of the Security & SD-WAN > Site-to-Site VPN page is the Organization-wide Settings section, in which you can configure two primary features: the site-to-site VPN outbound firewall and connections to any non-Meraki VPN peers.
The Non-Meraki VPN Peers section, shown in Figure 5-8, is where you can create more traditional IPsec VPN peer configurations. You can also scope each peer to have its peering configuration apply only to specific MX devices in one or more Dashboard networks in the organization through the use of network tags, as discussed in Chapter 2, “Building the Dashboard.”
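As an added example (not from the book), the following Python script applies the tag-scoping rule described above to a constructed set of Dashboard networks and non-Meraki peers, reporting peers whose tags match no network (configured but never deployed to any MX) and peers whose remote subnets overlap on the same MX. The field names (networkTags, privateSubnets, tags) and the meaning of the "all" tag are assumptions modelled on the Dashboard API, not taken from the book.

```python
from ipaddress import ip_network

# Constructed sample data (assumed field names, modelled on the Dashboard API).
# A peer whose only tag is "all" is pushed to every MX in the organization.
NETWORKS = [
    {"name": "HQ", "tags": ["hub"]},
    {"name": "Branch-East", "tags": ["branch", "east"]},
    {"name": "Branch-West", "tags": ["branch", "west"]},
]
PEERS = [
    {"name": "DC-Firewall", "privateSubnets": ["10.50.0.0/16"], "networkTags": ["all"]},
    {"name": "Partner-East", "privateSubnets": ["10.50.8.0/24"], "networkTags": ["east"]},
    {"name": "Legacy-Peer", "privateSubnets": ["172.16.8.0/24"], "networkTags": ["retired"]},
]


def peer_applies(peer, network):
    """A peer is deployed to an MX if tagged 'all' or if it shares a tag with the network."""
    tags = peer.get("networkTags", ["all"])
    return "all" in tags or bool(set(tags) & set(network.get("tags", [])))


def resolve_scope(peers, networks):
    """Map each peer name to the names of the networks it will be configured on."""
    return {p["name"]: [n["name"] for n in networks if peer_applies(p, n)] for p in peers}


def unscoped_peers(peers, networks):
    """Peers whose tags match no network: they exist in Dashboard but reach no MX."""
    return sorted(name for name, nets in resolve_scope(peers, networks).items() if not nets)


def overlapping_subnets(peers, networks):
    """(network, peer_a, peer_b) triples where two active peers claim overlapping remote subnets."""
    hits = []
    for net in networks:
        active = [p for p in peers if peer_applies(p, net)]
        for i, a in enumerate(active):
            for b in active[i + 1:]:
                if any(ip_network(sa).overlaps(ip_network(sb))
                       for sa in a["privateSubnets"] for sb in b["privateSubnets"]):
                    hits.append((net["name"], a["name"], b["name"]))
    return hits


if __name__ == "__main__":
    print("scope:", resolve_scope(PEERS, NETWORKS))
    print("unscoped peers:", unscoped_peers(PEERS, NETWORKS))
    print("overlapping remote subnets:", overlapping_subnets(PEERS, NETWORKS))
```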