- Cisco Meraki MX with software version 15.3 or later.
- A Cisco Umbrella SIG account.
- Navigate to Deployments > Core Identities > Network Tunnels and click Add.
- Give your tunnel a meaningful Tunnel Name.
- From the Device Type pull-down choose Meraki MX.
- Click Save and then enter a Tunnel ID and Passphrase.
- Click Save and then copy the Tunnel ID and Passphrase.
These are used later in the Meraki dashboard.
- Click Done.
- In the Meraki dashboard, navigate to Security & SD-WAN > Configure > Site-to-site VPN, and select Hub (Mesh).
- In VPN Settings, select “Yes” for the new VLAN you created.
In Org-Wide Settings > Non-Meraki VPN Peers, click "Add a peer" and then add details from the Umbrella dashboard. (The values below may not match the Meraki defaults. Use the values shown here; the Meraki defaults are being updated.)
- Name—Provide a meaningful name for the tunnel
- IKE Version—Select IKEv2
- IPsec policies—Choose the predefined Umbrella configuration; see Supported IPsec Parameters.
- Public IP—IP addresses are available here.
- Local ID—This string is available in the Umbrella dashboard once you have created a Network Tunnel Identity.
- Remote ID—Leave this blank.
- Private subnets—This is always 0.0.0.0/0 (all internet bound traffic is directed into the tunnels).
- Preshared secret—This is available in the Umbrella dashboard once you create a Network Tunnel Identity.
- Availability—Enter the tag you defined earlier for the MX appliance that will be building the tunnels to Umbrella.
- To tag the MX device associated with the tunnel, see Manage Tags.
- To create a VLAN for the subnet to redirect to Umbrella, see Configuring VLANs on the MX Security Appliance.
- To create a new SSID for the VLAN, see Configuring Simple Guest and Internal Wireless Networks.
Note: Cisco Meraki does not support policy-based routing. It is not possible to do client-side routing to determine whether specific traffic belongs inside or outside the tunnel. However, it is possible to choose whether an entire VLAN is tunneled to Umbrella or not.
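
An audit of the Non-Meraki VPN peer settings listed above, as an added example that is not part of the original page or Cisco's own code: it checks a peer object against the values this page prescribes and reports each deviation. The field names are assumed to follow the Meraki Dashboard API's third-party VPN peer objects; the sample peers, the tag `umbrella-sig`, the IP address, Local ID and secret are constructed placeholders.

```python
# Added example: audit a Non-Meraki VPN peer against the values on this page.
# Assumption: field names follow the Meraki Dashboard API peer objects.

def audit_umbrella_peer(peer, expected_tag):
    """Return a list of findings; an empty list means the peer matches the page."""
    findings = []
    if not str(peer.get("name", "")).strip():
        findings.append("name: missing")
    if str(peer.get("ikeVersion")) != "2":
        findings.append("ikeVersion: must be IKEv2")
    if peer.get("ipsecPoliciesPreset") != "umbrella":
        findings.append("ipsecPoliciesPreset: use the predefined Umbrella configuration")
    if not peer.get("publicIp"):
        findings.append("publicIp: missing")
    if not peer.get("localId"):
        findings.append("localId: missing (copy it from the Umbrella dashboard)")
    if peer.get("remoteId"):
        findings.append("remoteId: must be left blank")
    # Anything narrower than 0.0.0.0/0 lets internet-bound traffic bypass the tunnel.
    if peer.get("privateSubnets") != ["0.0.0.0/0"]:
        findings.append("privateSubnets: must be exactly 0.0.0.0/0")
    if not peer.get("secret"):
        findings.append("secret: missing preshared secret")
    if expected_tag not in (peer.get("networkTags") or []):
        findings.append("networkTags: MX tag %r not set in Availability" % expected_tag)
    return findings

# Constructed sample peers (placeholder values, not real tunnel credentials).
GOOD_PEER = {
    "name": "Umbrella SIG tunnel", "ikeVersion": "2",
    "ipsecPoliciesPreset": "umbrella", "publicIp": "203.0.113.10",
    "localId": "example-tunnel@placeholder.invalid", "remoteId": "",
    "privateSubnets": ["0.0.0.0/0"], "secret": "constructed-passphrase",
    "networkTags": ["umbrella-sig"],
}
DRIFTED_PEER = dict(GOOD_PEER, ikeVersion="1", ipsecPoliciesPreset="default",
                    remoteId="peer.example", privateSubnets=["10.0.0.0/8"],
                    networkTags=["lab"])

if __name__ == "__main__":
    for label, peer in (("good", GOOD_PEER), ("drifted", DRIFTED_PEER)):
        for finding in audit_umbrella_peer(peer, "umbrella-sig") or ["ok"]:
            print(label, "->", finding)
```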