Configuring Meraki To Azure Site-To-Site-VPN Tunnels

Create Azure Virtual network

  • Sign-in to Azure portal.
  • In Search resources, service, and docs (G+/), type virtual network.
  • Select Virtual Network from the Services results.
  • On the Virtual Network page, select Create.
  • Once you select Create, the Create virtual network page opens.
  • On the Basics tab, configure Project details and Instance details VNet settings.
    When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are auto filled, which you can replace with your own values:

    >> Subscription: Select Pay-As-You-Go.
    >> Resource group: Select the existing (Create new) Resource group AZ-DR01.
    >> Name: Type AZ-DR01-VNet1.
    >> Region:
  • Click Next: IP Address.
  • On the IP Addresses tab, configure the values.
    IPv4 address space: Type 10.15.0.0/16.
  • Click +Add subnet.
    >> Subnet name: type FrontEnd.
    >> Subnet address range: 10.15.1.0/24.
    >> Services: Keep the default settings (0 selected)
  • Click Add.
  • Click Next: Security.
  • On the Security tab, at this time, leave the default values:
    >> BastionHost: Disable.
    >> DDoS Protection Standard: Disable.
    >> Firewall: Disable.
  • Click Next: Tags.
  • On the Tags tab, leave the default values.
  • Click Next: Review + create.
  • After the settings have been validated, select Create.
  • Make sure the new VNet deployment is complete without issues, click Go to resource.

Create Azure VPN Gateway:

  • In Search resources, service, and docs (G+/), type virtual network gateway.
  • Select Virtual network gateway from the Services results.
  • On the Basics tab, configure Project details and Instance details and Public IP address for Virtual network gateway settings.
    >> Subscription: Select Pay-As-You-Go.
    >> Name: Type AZ-DR01-VNet1-GW1.
    >> Region: Select Canada Central.
    >> Gateway type: Select VPN.
    >> VPN type: Select Route-Based.
    >> SKU: Select VpnGW1 (Bandwidth:650Mbps)
    >> Virtual network: Select AZ-DR01-VNet1.
    >> Gateway subnet address range: Type 10.15.255.0/27
    >> Public IP address: Leave Create new selected.
    >> Public IP address name: AZ-DR01-VNet1-GW1-Public-IP
    >> Assignment: VPN gateway supports only Dynamic.
    >> Enable Active-Active mode: Select Disabled.
    >> Configure BGP ASN: Select Disabled.
  • Click Next: Tags.
  • On the Tags tab, leave the default values.
  • Click Next: Review + create.
  • After the settings have been validated, select Create.
  • Make sure the new Virtual network gateway deployment is complete without issues, click Go to resource.

Create Azure Local Network Gateway:

  • In Search resources, service, and docs (G+/), type virtual network gateway.
  • Select Local network gateway from the Services results.
  • Click Create local network gateway.
  • On the Create local network gateway page, specify the values for your local network gateway.
    >> Name: Type OFFICECalgary.
    >> IP address: Type OFFICE-Calgary WAN IP address (208.230.42.114).
    >> Address Space: add 192.168.0.0/22 and 172.16.200.0/24 and 172.16.250.0/24.
    >> Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
    >> Subscription: Select Pay-As-You-Go.
    >> Resource Group: Select AZ-DR01.
    >> Location: Select Canada Central.
  • Click Create.

Create VPN connection:

  • On the Azure Services page, click the new create Virtual network gateway.
  • On the Virtual network gateway page, select Connections.
  • On the Connections page, click +Add.
  • On the Add connection page, configure the values for your connection.
    >> Name: Type AZ-DR01-VNet1toOFFICECalgary
    >> Connection type: Select Site-to-site(IPSec).
    >> Virtual network gateway: The value is fixed because you are connecting from this gateway.
    >> Local network gateway: Click Choose a local network gateway and select the local network gateway that you want to use.
    >> Click the OFFICECalgary local network gateway.
    >> Shared Key: Type Azure
    >> IKE Protocol: Select IKEv2
    >> Resource Group: Select AZ-DR01
  • Click OK.

Settings at Meraki site:

  • Sign-in to Cisco Meraki portal.
  • Select Security & SD-WAN, click Site-to-site VPN.
  • On the Site-to-site VPN field, select Hub.
  • On the VPN settings field, select the local networks that you want to connect to Azure and then select VPN on.
  • On the Organization-wide settings page, click add a peer in the Non-Meraki VPN peers.
  • On the Non-Meraki VPN peers, configure details settings.
    >> Name: Type ToAzure
    >> IKE Version: Select IKEv2
    >> IPsec Policies: Click Default and then change Default to Azure
    >> Click Update.
    >> Public IP: Type Azure Virtual Network Gateway Public IP address (53.139.26.221)
    >> Private subnets: Type 10.15.0.0/16
    >> Preshared secret: Type Azure.
    >> Availability: select All Networks.
  • Click Save Changes.

Verify the VPN connection:

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection.

  • In the Azure portal menu, select All resources or search for and select All resources from any page.
  • Select to the virtual network gateway.
  • On the blade for the virtual network gateway, click Connections. You can see the status of each connection.

In the Meraki portal, you can view the VPN status of a Meraki by navigating to the Non-Meraki peer.

  • Sign-in Meraki portal.
  • Select Security & SD-WAN, click VPN Status.
  • Click Non-Meraki peer.
  • Make sure the Status light show green.

CONFIGURING MERAKI TO AWS SITE-TO-SITE-VPN TUNNELS

Create a VPC:

  • After logging into AWS go to the 'Services' area (top bar) and select the 'VPC' service. This will bring you to a status page about the Networking configured for your AWS environment. Select 'Your VPCs' on the left-hand side.
  • Select the 'Create VPC' button. This will allow you to create a Virtual Private Cloud where accessible resources on AWS will live. Enter a name and a CIDR block.
  • You'll be taken back to the 'Your VPCs' page where there will be a new element based on what you just created.

Allocate a subnet:

  • On the left-hand side of the VPC Service screen there is a menu bar. Under the 'Virtual Private Cloud' header there is an option for 'Subnets'. Select the 'Subnets' option.
  • On the configuration screen select the 'Create subnet' button.
  • On the following 'Create subnet' screen, provide a descriptive name, select the VPC we just made, and provide a subset of the total space allocated for the VPC.
  • You'll be brought back to the Subnets configuration screen when this is complete.

Configure the VPN connection on AWS's side:

  • On the left-hand bar within the VPC service screen there is a heading entitled VPN Connection. Within this area select the 'Customer Gateways' option.
  • Assign the Customer Gateway a name, keep the Routing as Dynamic and in IP address slot place the IP address of your Meraki device. Select 'Create Customer Gateway' when ready.
  • To find your Meraki devices IP address open the Meraki dashboard and select 'Security appliance' ->'Appliance Status'. In this photo the number hidden with the blue box is the public IP of the Meraki device.
  • On the left-hand bar within the Customer Gateways service screen there is a heading entitled VPN Connections. Within this area select the 'Virtual Private Gateway' option.
  • Select the button entitled 'Create Virtual Private Gateway'.
  • In the configuration screen choose a name and leave the ASN as 'Amazon default ASN' (unless you have specific a BGP configuration). Select the 'Create Virtual Private Gateway' button. When complete you should be moved back to the Virtual Private Gateway Configuration Screen with a new element list.
  • Select the checkbox next to the new element and find the 'Action' button at the top. Click it and select 'Attach to VPC'.
  • You'll be brought to a new screen. Select the VPC you created. Then select the 'Yes, Attach' button. You'll be taken back to the Virtual Private Gateway configuration screen.
  • On the left-hand bar within the Virtual Private Gateway service screen there is a heading entitled VPN Connection. Within this area select the 'VPN Connections' option.
  • Select the button entitled 'Create VPN Connection'.
  • In the Create VPN Connection window select a Name, the VPN Gateway we just created from the list, the existing customer gateway ID of the Virtual Private Gateway we just configured, and specify 'static' as the routing option. For Static IP Prefixes put the internal subnet used by your Meraki Device. Leave the rest blank and when finished select the 'Create VPN Connection' button. You can find this subnet on the Meraki Dashboard under 'Security Appliance' -> 'Addresses & VLANs' in the 'Routing' section.
  • Once this is created it will be in a 'pending' state for a bit while Amazon allocates it. After a few minutes it should switch to an 'available' state. Once it reaches that state, select the checkbox next to the newly created resource and select the 'Download Configuration' button. Save this file for the next step.
  • On the left-hand bar within the VPN Connections service screen there is a heading entitled 'Virtual Private Cloud'. Within this area select the 'Route' Tables option. Select the checkbox next to the route table associated with the VPC you've created.
  • On the lower pane a configuration menu will appear. Select the 'Route Propagation' tab and select the 'Edit' button. Then check the 'Propagate' checkbox next to the Virtual Private Gateway listed.

Configure the VPN connection on Meraki's side:

  • In your Meraki Dashboard navigate to site-to-site VPN options under Security appliance->Site-to-site VPN.
  • Under type, select Hub (Mesh).
  • Under the VPN settings sub header find the networks that you'd like to enable the site-to-site routing for and select 'yes' under the 'Use VPN' column.
  • Leave NAT traversal as automatic.
  • Leave OSPF advertisements disabled.
  • Under the Organization-wide settings sub header find 'Non-Meraki VPN peers'. Select the 'Add a peer' link.
  • Fill out the new peer link information based on the downloaded file.
    First give the connection a descriptive name.
    Then, using the information from the downloaded file, find the 'Outside IP Address' of the 'Virtual Private Gateway'. Place this value in the Public IP field.
    For private subnets put the subnet address you allocated back in step 2.
    Under IPsec policies, click 'default'. This will open a new configuration menu. At the top select from the 'Choose a Preset' dropdown -'AWS'. Hit Update when this is complete.
    Find the Pre-Shared Key row within the downloaded file and copy the pre-Shared key into the Meraki configuration area.
  • Save your Changes.

E. Note: while making a request to a host on the other side of the Site-to-Site VPN, it will take a few attempts for the request to complete while the tunnel is initialized. The more traffic sent across the tunnel the less likely this lag is to occur as the tunnel will stay up. This often leads to people writing quick ping scripts that send a ping every couple second to keep the tunnel up.

Configuring Meraki To GCP Site-To-Site VPN

Meraki Dashboard Configuration:

  • Add license(s) to the Meraki dashboard:
    To complete the vMX Meraki dashboard configuration, a vMX license must be available for use in your organization.

    If your organization has already reached its vMX license limit, you will be unable to create new vMX networks until a vMX network is deleted or additional vMX licensing added.

    If you do not have access to a vMX license or require additional vMX licenses, please reach out to your Meraki reseller or sales representative.
  • Create a 'Security Appliance' Network Type.
  • Assign vMX type to network
    Once you have created the 'Security appliance' network and added the appropriate license you will be able to deploy a new vMX to your network by clicking on the 'Add vMX' button.
  • Generate the authentication token
    After you add the new vMX to your network, navigate to Security Appliance > Appliance status and select 'Generate authentication token' to generate the token for the GCP vMX Authentication Token field.
  • Copy the newly generated token and save it.
    The newly generated token will be used in the "New Cisco Meraki vMX deployment" configuration section when creating a new instance.

Google Cloud Setup:

  • You must have the following before you begin:
  • -Google Cloud VPC network.

Deploying the vMX:

  • Access the Cisco Meraki vMX offer by clicking here or search for "Meraki" in the GCP marketplace to find the vMX solution.
  • Click Launch on the vMX offer landing page.
  • Enter a Deployment Name for the instance.
  • Choose the desired Zone.
  • Select the c2-standard-4 vMX instance size. This is the only instance size currently offered for vMX on GCP.
  • Paste the vMX Authentication token you copied from the Meraki dashboard in the steps earlier to the vMX Authentication Token field.
  • The Boot Disk options can remain as-is.
  • Under the Network section select the desired Network, Subnetwork and External IP for this instance. The External IP field can be left as Ephemeral (if you would like to let GCP assign a public IP to the vMX itself) or set to None (if you would like to have a private IP on the vMX and have it egress through an upstream device like a firewall or Google Cloud NAT instance). You do not need to add more network interfaces to the VM as it is a single interface appliance.
  • Click Deploy.

Additional VPC Configuration:

The virtual MX appliance will allow for site-to-site VPN connectivity using Auto VPN between GCP and other remote MXs. In order to have proper bidirectional communication between remote subnets that are terminating into GCP via the vMX and hosts within GCP, the VPC routing table must be updated for the remote Auto VPN-connected subnets.

  • Navigate to VPC Networks > Routes from the GCP console and select Create Route.
  • Specify a Name and Description for the route.
  • Select the Network that your vMX is deployed in.
  • In the Destination IP range, add the routes available via Auto VPN.
  • Select the Specify an instance option for the next hop and select the vMX instance as the Next hop instance.

Firmware Version:

In order for the vMX to function on GCP it must be running 16.8+ firmware.

Token Validity:

  • Navigate to Compute Engine > VM Instances, click on the vMX in question and click on Stop to turn it off.
  • Click Edit.
  • Scroll down to the Custom Metadata section and update the value in the token field.
  • Click Save and then click Start to power the vMX back up.

Confirming Cloud Reachability:

By default, HTTP traffic inbound to the vMX is disabled for security purposes. You can enable inbound HTTP traffic to the vMX (for accessing the local status page) by performing the following:

  • Navigate to Compute Engine > VM Instances, click on the vMX in question and click Edit (you do not need to turn off the instance for this change).
  • Scroll down to the Firewalls section and select the box next to Allow HTTP traffic.
  • Click Save.
  • On the VM instance details page copy the External IP that was assigned to the instance.
  • On the local status page you can find the health status of the vMX and whether it is successfully able to connect to the Meraki cloud or not.

No "Add vMX" Button:

When navigating to Security & SD-WAN > Appliance Status, if there is no "Add vMX" button, please ensure the following two conditions are met:

  • You have available vMX licenses in your license pool.
  • You have created a 'Security appliance' network type.

Key Concepts:

  • Concentrator Mode:
    All MXs can be configured in either NAT or VPN concentrator mode. There are important considerations for both modes.
  • One-Armed Concentrator:
    In this mode, the MX is configured with a single Ethernet connection to the upstream network. All traffic will be sent and received on this interface. This is the only supported configuration for MX appliances serving as VPN termination points into Google Cloud.
  • NAT Mode Concentrator:
    In this mode the MX is configured with a single Ethernet connection to the upstream network and one Ethernet connection to the downstream network. VPN traffic is received and sent on the WAN interfaces connecting the MX to the upstream network and the decrypted, unencapsulated traffic is sent and received on the LAN interface that connects the MX to the downstream network.

VPN Topology:

  • Split Tunnel:
    In this configuration, branches will only send traffic across the VPN if it is destined for a specific subnet that is being advertised by another MX in the same Dashboard organization. The remaining traffic will be checked against other available routes, such as static LAN routes and third-party VPN routes, and if not matched will be NATed and sent out the branch MX unencrypted.
  • Full Tunnel:
    In full tunnel mode all traffic that the branch or remote office does not have another route to is sent to a VPN hub.
Copyrights © 10 October 2024 All Rights Reserved by Vast Edge Inc.