In addition to the revolutionary Auto VPN solution, Meraki MX security appliances also offer the option for a direct L2TP/IPsec VPN connection for remote clients, referred to as Client VPN. This provides direct access to local resources hosted behind the MX to clients connecting remotely through the use of the built-in L2TP/IPsec functionality of the client by creating an encrypted tunnel directly between the client and the MX WAN. Client VPN allows the use of several different types of authentication, including Meraki cloud-hosted authentication, Active Directory, and RADIUS, to allow secure and easy integration with nearly any existing deployment.

Pro Tip

Google was the first to omit an L2TP VPN client (in the Android OS), and other companies are signaling that they intend to do the same.

Cisco AnyConnect

In addition to Client VPN, Meraki security appliances also support the use of Cisco AnyConnect for remote client connectivity. This further simplifies the required configuration for remote clients through the use of the AnyConnect client to create an SSL-based VPN, removing the need to configure an L2TP/IPsec VPN directly on the end device. Additionally, this allows for the use of AnyConnect profiles, which can be a powerful tool for providing more advanced configurations to client devices such as backup server lists, authentication timeouts, ISE posturing, and more.

Pro Tip

The AnyConnect client option offers a richer feature set that is more robust than Client VPN from a security perspective. Consider this when deciding which VPN client method to support.

Non-Meraki VPN

When connecting to devices that are unable to utilize Meraki’s Auto VPN technology, such as to Meraki devices outside of the current organization or to non-Meraki devices via VPN, a more traditional approach is required to bring up the VPN connection.

Pro Tip

“Non-Auto VPN Configuration” would be an appropriate alternative title for this section, as tunnels to other Meraki devices outside of the Auto VPN topology must be configured here in addition to non-Meraki devices.

Located at the bottom of the Security & SD-WAN > Site-to-Site VPN page is the Organization-wide Settings section, in which you can configure two primary features: the site-to-site VPN outbound firewall and connections to any non-Meraki VPN peers.

The Non-Meraki VPN Peers section, shown in Figure 5-8, is where you can create more traditional IPsec VPN peer configurations. You can also scope each peer to have its peering configuration apply only to specific MX devices in one or more Dashboard networks in the organization through the use of network tags, as discussed in Chapter 2, “Building the Dashboard.”
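To make the tag-based scoping concrete, the following is an added example (not code from the book or from Meraki) that resolves which Dashboard networks each non-Meraki peer configuration would be pushed to, and flags peers scoped to every network. The object fields (name, publicIp, networkTags) are modeled on the Dashboard API's third-party VPN peer objects, and the ["all"] default scope is an assumption; the networks and peers are constructed sample data.

```python
# Added example: resolve the scope of non-Meraki VPN peers by network tag.
# Field names follow the Dashboard API's third-party VPN peer objects; the
# ["all"] default scope is an assumption. All sample data is constructed.
from typing import Dict, List

# Constructed sample: Dashboard networks (each with an MX) and their tags
NETWORKS = [
    {"name": "HQ", "tags": ["hub", "east"]},
    {"name": "Branch-12", "tags": ["branch", "east"]},
    {"name": "Branch-40", "tags": ["branch", "west"]},
]

# Constructed sample peers. A scope of ["all"] (assumed default) means the
# peer configuration is pushed to every MX in the organization.
PEERS = [
    {"name": "partner-dc", "publicIp": "203.0.113.10", "networkTags": ["hub"]},
    {"name": "other-org-mx", "publicIp": "198.51.100.5", "networkTags": ["east"]},
    {"name": "legacy-fw", "publicIp": "192.0.2.77", "networkTags": ["all"]},
]


def peer_scope(peer: dict) -> set:
    """Tag scope of a peer; a missing/empty list is treated as ['all']."""
    return set(peer.get("networkTags") or ["all"])


def networks_for_peer(peer: dict, networks: List[dict]) -> List[str]:
    """Names of networks whose tags intersect the peer's scope."""
    scope = peer_scope(peer)
    if "all" in scope:
        return [n["name"] for n in networks]
    return [n["name"] for n in networks if scope & set(n["tags"])]


def scope_report(peers: List[dict], networks: List[dict]) -> Dict[str, List[str]]:
    """Map each peer name to the networks that would receive its tunnel config."""
    return {p["name"]: networks_for_peer(p, networks) for p in peers}


def unscoped_peers(peers: List[dict]) -> List[str]:
    """Peers applied org-wide; review these when narrowing peer scope."""
    return [p["name"] for p in peers if "all" in peer_scope(p)]


if __name__ == "__main__":
    for name, nets in scope_report(PEERS, NETWORKS).items():
        print(f"{name}: {', '.join(nets)}")
    print("org-wide peers:", unscoped_peers(PEERS))
```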
