Meraki VPN Setup Guide: Site-to-Site & Client VPN Configuration


Secure and reliable connectivity is essential for any distributed organization. This guide provides end-to-end instructions for configuring Meraki Site-to-Site and Client VPNs, including technical guidance, hardware mapping, and best practices for stability and security.



Part 1: VPN Scenarios & Decision Factors

Meraki MX appliances support two main VPN types, each suited for different organizational needs.

Site-to-Site VPN Overview

Site-to-Site VPNs establish persistent encrypted connections between networks, such as corporate HQ and branch offices, or on-premises networks and cloud platforms. Meraki uses IPsec to secure these tunnels.

In summary, Site-to-Site VPNs provide reliable and secure connectivity for multiple locations or cloud integration.

Client VPN Overview

Client VPNs allow individual remote users to connect securely to the corporate network. Meraki supports two options:

  • L2TP/IPsec (legacy): uses the operating system's native VPN client with an IPsec pre-shared key. Android 12 and later is unsupported.
  • Cisco Secure Client (AnyConnect): application-based VPN using TLS/DTLS for compatibility with modern operating systems. Requires AnyConnect v4.8 or later.

In summary, Client VPN provides secure remote access, with AnyConnect preferred for modern environments.

Choosing the Right VPN Type

  • Site-to-Site VPN: Best for network-to-network connectivity or SD-WAN cloud integration.
  • Client VPN (AnyConnect Preferred): Best for individual remote employees needing reliable connections.

Summary: Select VPN type based on the connectivity scenario and client OS requirements.


Part 2: Technical Implementation

This section provides step-by-step instructions for configuring Site-to-Site and Client VPNs, including security integration and troubleshooting.

Site-to-Site VPN Setup (Non-Meraki Peers)

For third-party or cloud platform integration, configure Non-Meraki VPN Peers using the following steps:

  1. Enable VPN: Security & SD-WAN > Site-to-site VPN, set MX network as Hub.
  2. Configure Health Checks for HA redundancy (e.g., http://service.sig.umbrella.com).
  3. Primary Tunnel Configuration: select IKEv2, enter the peer IP/hostname and shared secret, set routing and the private subnets (including the Meraki probe IP 192.0.2.3/32), and enable Tunnel Monitoring.
  4. Secondary Tunnel (HA): Inherit primary configuration, define secondary datacenter IP and Tunnel ID.
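As an added example (not code from this guide or from Cisco Meraki), the following Python builds the primary and secondary peer definitions so that the secondary inherits the primary's settings, then checks the pair against the requirements listed above. The peer field names are an assumption modelled on the Meraki Dashboard API's third-party VPN peer schema and must be verified against the API reference; the 16-character secret floor and all IP values are constructed for the example.

```python
import ipaddress

# Added example, not Meraki code. Field names (name, publicIp, privateSubnets, secret,
# ikeVersion) are an assumption modelled on the Dashboard API; verify against the API docs.
PROBE_SUBNET = "192.0.2.3/32"   # Meraki tunnel-monitoring probe IP from the guide
MIN_SECRET_LEN = 16             # local policy assumption, not a Meraki limit


def build_ha_peers(name, primary_ip, secondary_ip, secret, private_subnets):
    """Return [primary, secondary]; the secondary inherits all but its public IP and name."""
    subnets = sorted(set(private_subnets) | {PROBE_SUBNET})
    primary = {
        "name": f"{name}-primary",
        "publicIp": primary_ip,
        "privateSubnets": subnets,
        "secret": secret,
        "ikeVersion": "2",
    }
    secondary = dict(primary, name=f"{name}-secondary", publicIp=secondary_ip)
    return [primary, secondary]


def validate_peers(peers, local_subnets):
    """Return a list of problems; empty means IKEv2, probe IP and a consistent HA pair."""
    problems = []
    local = [ipaddress.ip_network(s) for s in local_subnets]
    seen_ips = set()
    for p in peers:
        if p.get("ikeVersion") != "2":
            problems.append(f"{p['name']}: IKEv2 required")
        if len(p.get("secret", "")) < MIN_SECRET_LEN:
            problems.append(f"{p['name']}: shared secret shorter than {MIN_SECRET_LEN}")
        if PROBE_SUBNET not in p["privateSubnets"]:
            problems.append(f"{p['name']}: probe subnet {PROBE_SUBNET} missing")
        if p["publicIp"] in seen_ips:
            problems.append(f"{p['name']}: duplicate peer IP {p['publicIp']}")
        seen_ips.add(p["publicIp"])
        for s in p["privateSubnets"]:
            # a remote subnet that overlaps a local one silently breaks routing
            if any(ipaddress.ip_network(s).overlaps(l) for l in local):
                problems.append(f"{p['name']}: remote subnet {s} overlaps a local subnet")
    if len(peers) < 2:
        problems.append("HA requires a primary and a secondary peer")
    else:  # the secondary must carry the same shared settings as the primary
        for key in ("privateSubnets", "secret", "ikeVersion"):
            if peers[0][key] != peers[1][key]:
                problems.append(f"secondary does not inherit {key} from primary")
    return problems
```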

In summary, this ensures secure, resilient Site-to-Site connectivity.

Client VPN Configuration

L2TP/IPsec

Enable L2TP/IPsec under Client VPN, then define the VPN subnet, DNS servers, and shared secret. Users configure their OS client with the server address and their credentials.

Summary: L2TP/IPsec allows legacy client connections but may have compatibility limitations on newer devices.

Cisco Secure Client (AnyConnect)

  1. Enable AnyConnect under Client VPN settings.
  2. Configure server port, VPN subnet, and DNS.
  3. Set routing: Full Tunnel or Split Tunnel.
  4. Manage certificates: Auto-generated DDNS or custom hostname certificate.
  5. Optional AnyConnect profile (.xml) for friendly hostname alias.

Summary: AnyConnect provides stable and secure remote connectivity across modern operating systems.

Security Integration

  • Supports RADIUS, AD, SAML, and MFA (e.g., Duo).
  • The RADIUS timeout must be increased when MFA is used, so the second-factor prompt can be completed before the MX treats the request as failed.
  • Apply Group Policies via RADIUS Filter-ID for access control.

Summary: Proper security integration ensures compliance and secure authentication for VPN users.

Troubleshooting

Common issues and solutions:

  • Login Failed / MFA Failure. Cause: RADIUS timeout too short. Solution: Increase the RADIUS timeout in the dashboard.
  • Certificate Chain Error. Cause: Incomplete certificate chain. Solution: Upload the full certificate chain up to the root CA.
  • SBL (Start Before Logon) Failure. Cause: Using SAML. Solution: SAML is not supported with SBL.
  • VPN Disconnects (L2TP/IPsec). Cause: Incorrect client protocol. Solution: Ensure L2TP/IPsec with PAP is allowed.
  • Secondary Site-to-Site Tunnel "Down". Cause: Normal HA behavior. Solution: Expected; traffic is routed through the primary tunnel.
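As an added example (not from this guide or from Cisco Meraki), a small Python triage that runs the table's rules over event lines. The log lines and their field names are constructed for the example and do not reproduce the real Event Log wording, so the patterns must be adapted to the exact messages seen under Network-wide > Monitor > Event Log.

```python
import re

# Constructed sample lines in a "<date> <time> <event_type> key=value ..." shape.
# The wording is made up for this example, not copied from a real Meraki Event Log.
SAMPLE_EVENTS = [
    "2025-03-02 09:14:03 vpn_auth_failure client=alice reason=radius_timeout elapsed_ms=10200",
    "2025-03-02 09:15:41 anyconnect_cert_error detail=unable_to_get_issuer_cert",
    "2025-03-02 09:16:05 client_vpn_negotiation client=bob proto=PPTP result=rejected",
    "2025-03-02 09:17:30 vpn_peer_status peer=dc-secondary status=down role=secondary",
    "2025-03-02 09:18:02 vpn_peer_status peer=dc-primary status=up role=primary",
]

# (pattern, error type, cause, solution): the rows of the troubleshooting table
RULES = [
    (r"radius_timeout", "Login Failed / MFA Failure",
     "RADIUS timeout too short", "Increase RADIUS timeout in dashboard"),
    (r"unable_to_get_issuer_cert|cert_error", "Certificate Chain Error",
     "Incomplete certificate chain", "Upload full chain to root CA"),
    (r"proto=(?!L2TP)\w+.*rejected", "VPN Disconnects (L2TP/IPsec)",
     "Incorrect client protocol", "Ensure L2TP/IPsec with PAP allowed"),
    (r"status=down role=secondary", "Secondary Site-to-Site Tunnel Down",
     "Normal HA behavior", "Traffic routed through primary tunnel"),
]


def triage(lines):
    """Classify each line by the first matching rule.
    Returns (findings, unmatched); a finding is marked actionable unless
    the table says the condition is expected HA behaviour."""
    findings, unmatched = [], []
    for line in lines:
        for pattern, error, cause, fix in RULES:
            if re.search(pattern, line):
                findings.append({"error": error, "cause": cause, "solution": fix,
                                 "line": line,
                                 "actionable": cause != "Normal HA behavior"})
                break
        else:
            unmatched.append(line)
    return findings, unmatched


def needs_action(lines):
    """Only the findings an operator must act on (expected HA state changes are dropped)."""
    findings, _ = triage(lines)
    return [f for f in findings if f["actionable"]]
```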

Summary: Refer to event logs and configuration checks to resolve connectivity issues.


Part 3: Product & Deployment Mapping

This section maps MX appliance models to VPN session capacities and deployment scenarios.

Maximum concurrent VPN sessions per MX model:

  • MX64/65: 50
  • MX67/68, MX84: 100
  • MX75, MX85, MX100, vMX100: 250
  • MX95, vMX Large: 500
  • MX250, MX600: 1,000
  • MX450: 1,500
  • Z3(C), Z4(C): 5

Deployment scenario, recommended MX model, and required VPN feature:

  • Small Office (5–50 users): MX64/65; L2TP/IPsec or AnyConnect
  • Medium Branch (100–250 users): MX85, MX100, MX75; AnyConnect
  • Large HQ / Data Center (500+ users): MX250, MX450, MX95; AnyConnect + HA

Summary: Select MX models according to user count and required VPN features. Check Router-switch for in-stock inventory and genuine products.


Part 4: Conclusion & Next Steps

VPN deployment success depends on careful planning of authentication, network stability, and hardware sizing. AnyConnect profiles and group policies enhance user experience. Leverage partners like Router-switch for global inventory, multi-brand procurement, and technical guidance.


FAQ

How to configure a Meraki Site-to-Site VPN?

Navigate to Security & SD-WAN > Site-to-site VPN, choose Hub mode, configure peer details and shared secret for non-Meraki peers, and enable Tunnel Monitoring.

How to set up Meraki Client VPN?

L2TP/IPsec: Configure under Client VPN with a shared secret. AnyConnect: Enable Cisco Secure Client, configure TLS/DTLS, server address, routing, and certificates.

What is the difference between Client VPN and Site-to-Site VPN?

Site-to-Site connects entire networks; Client VPN connects individual users to the corporate network.

Which MX model supports how many VPN connections?

Session limits vary: MX64/65 = 50, MX100 = 250, MX450 = 1,500 concurrent sessions.

How to integrate RADIUS/MFA with Meraki VPN?

Configure VPN to use RADIUS. For MFA, increase the RADIUS timeout to allow the second-factor authentication.

How to troubleshoot Meraki VPN connection issues?

Check RADIUS timeout, certificate chains, client protocol settings, and monitor event logs under Network-wide > Monitor > Event Log.

Can Meraki VPN connect to non-Meraki devices?

Yes, using standard IPsec. The MX terminates tunnels to third-party devices configured as Non-Meraki VPN peers, with IKEv2 and HA health checks.
