
Understanding Meraki Auto VPN for Site-to-Site Connectivity

Connecting multiple office locations, warehouses, retail sites, or remote branches over a secure network has traditionally been one of the most complex and expensive undertakings in business IT. Conventional site-to-site VPN configurations require specialist networking expertise, careful manual configuration of IPsec tunnels, meticulous firewall rule management, and ongoing maintenance to keep connections stable and secure. For many UK businesses with multiple sites, this complexity has been a significant barrier to establishing reliable inter-site connectivity.

Cisco Meraki Auto VPN changes this equation entirely. Built into every Meraki MX security appliance, Auto VPN creates encrypted site-to-site connections automatically — with minimal configuration and without requiring deep networking expertise. What traditionally took hours or days of specialist configuration can be achieved in minutes through the Meraki cloud dashboard, making secure multi-site connectivity accessible to businesses of all sizes.

This guide explains how Meraki Auto VPN works, its advantages over traditional VPN approaches, and how UK businesses can leverage it to build secure, reliable networks across multiple locations.

  • 94% reduction in VPN configuration time compared to traditional IPsec
  • 15 min: typical time to deploy Auto VPN at a new branch site
  • 256-bit AES encryption used for all Auto VPN tunnels
  • 78% of multi-site UK businesses cite VPN complexity as a challenge

How Traditional Site-to-Site VPN Works

To appreciate why Meraki Auto VPN is transformative, it helps to understand the traditional approach to site-to-site VPN and its inherent challenges.

A traditional IPsec VPN tunnel between two sites requires manual configuration on both ends. The network engineer must configure matching IKE (Internet Key Exchange) parameters — including encryption algorithm, hashing algorithm, Diffie-Hellman group, and authentication method — on both firewalls. They must define the traffic that should traverse the tunnel using access control lists (ACLs). They must configure NAT exemptions to prevent the tunnel traffic from being translated. They must manage pre-shared keys or certificates. And they must ensure that the public IP addresses on both sides are correctly referenced and reachable.
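
The matching requirement described above can be checked mechanically before a change window. The following is an added example, not code from the original article or from Cisco; the configuration field names and the sample values are constructed for illustration and do not follow any vendor's schema.

```python
import hmac
from ipaddress import ip_network

# Constructed sample configs for two peers (hypothetical field names, not a vendor schema).
SITE_A = {
    "public_ip": "198.51.100.10", "peer_ip": "203.0.113.20",
    "ike": {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "auth": "psk"},
    "psk": "constructed-example-key",
    "local_nets": ["10.1.0.0/24"], "remote_nets": ["10.2.0.0/24"],
    "nat_exempt": [("10.1.0.0/24", "10.2.0.0/24")],
}
SITE_B = {
    "public_ip": "203.0.113.20", "peer_ip": "198.51.100.10",
    "ike": {"encryption": "aes256", "hash": "sha1", "dh_group": 14, "auth": "psk"},
    "psk": "constructed-example-key",
    "local_nets": ["10.2.0.0/24"], "remote_nets": ["10.1.0.0/16"],
    "nat_exempt": [],
}

def _nets(values):
    return {ip_network(v) for v in values}

def _one_way(x, y, x_name, y_name):
    """Direction-dependent checks: x's view of peer y."""
    issues = []
    if x["peer_ip"] != y["public_ip"]:
        issues.append(f"{x_name}: peer_ip does not match {y_name} public_ip")
    # The tunnel ACLs must mirror each other: x's remote side is y's local side.
    if _nets(x["remote_nets"]) != _nets(y["local_nets"]):
        issues.append(f"{x_name}: remote_nets do not mirror {y_name} local_nets")
    # Every local -> remote pair needs a NAT exemption or it is translated first.
    exempt = {(ip_network(s), ip_network(d)) for s, d in x["nat_exempt"]}
    for src in sorted(_nets(x["local_nets"])):
        for dst in sorted(_nets(x["remote_nets"])):
            if (src, dst) not in exempt:
                issues.append(f"{x_name}: no NAT exemption for {src} -> {dst}")
    return issues

def audit_tunnel(a, b, a_name="A", b_name="B"):
    """Return the mismatches that would stop or break the tunnel between a and b."""
    issues = []
    for key in sorted(set(a["ike"]) | set(b["ike"])):
        if a["ike"].get(key) != b["ike"].get(key):
            issues.append(f"ike.{key}: {a['ike'].get(key)} != {b['ike'].get(key)}")
    # Constant-time comparison so the audit itself does not leak key content via timing.
    if not hmac.compare_digest(a["psk"].encode(), b["psk"].encode()):
        issues.append("psk: pre-shared keys differ")
    return issues + _one_way(a, b, a_name, b_name) + _one_way(b, a, b_name, a_name)

if __name__ == "__main__":
    print("\n".join(audit_tunnel(SITE_A, SITE_B)))
```

Running the audit for every pair of sites in a planned mesh shows how the amount of configuration that has to agree grows with each tunnel.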

For a two-site configuration, this is manageable — two endpoints, one tunnel, one set of parameters. But for organisations with multiple sites, the number of tunnels grows quadratically with the number of sites. Connecting five sites in a full mesh requires ten individual tunnels. Connecting ten sites requires forty-five tunnels. Each tunnel must be individually configured, tested, and maintained. When a firewall is replaced, an IP address changes, or a parameter needs updating, every related tunnel must be reconfigured.

This complexity means that traditional multi-site VPN is typically the domain of senior network engineers — expensive specialists whose time is better spent on strategic projects than maintaining VPN configurations. For UK SMEs without dedicated networking staff, traditional site-to-site VPN has often been impractical or unaffordable.

The Full Mesh Problem

Connecting multiple sites in a full mesh — where every site can communicate directly with every other site — requires n(n-1)/2 individual VPN tunnels, where n is the number of sites. For 5 sites, that is 10 tunnels. For 10 sites, it is 45 tunnels. For 20 sites, it is 190 tunnels. Each tunnel requires manual configuration on both endpoints, so the configuration effort for a traditional full-mesh VPN grows quadratically with the number of sites. Meraki Auto VPN solves this through automatic tunnel establishment — add a new site to the dashboard, and it automatically connects to all other sites without any manual tunnel configuration.

How Meraki Auto VPN Works

Meraki Auto VPN eliminates the manual complexity of traditional VPN by automating the entire tunnel establishment process through the Meraki cloud dashboard. When you deploy a Meraki MX appliance at a new site and configure it for Auto VPN, the following happens automatically.

The MX appliance registers with the Meraki cloud and reports its public IP address and network configuration. The Meraki cloud acts as a VPN registry, maintaining a real-time directory of all MX appliances in your organisation, their IP addresses, and their VPN configuration. When you designate a site as a VPN participant through the dashboard, the cloud distributes the necessary VPN parameters — encryption keys, IP addresses, and routing information — to all relevant appliances.

Each MX appliance uses these parameters to establish encrypted IPsec tunnels to the other sites automatically. There are no pre-shared keys to manage manually, no ACLs to configure, no NAT exemptions to create, and no matching parameters to align across devices. The cloud handles all of this orchestration behind the scenes.

The result is that connecting a new site to your VPN mesh takes minutes rather than hours. You plug in the MX appliance, connect it to the internet, and configure its VPN role in the dashboard. Within minutes, it has established encrypted tunnels to all other sites, routes are propagated, and traffic flows securely between locations.

Meraki Auto VPN

  • Automatic tunnel establishment and key exchange
  • Cloud-managed from a single dashboard
  • New sites connected in minutes, not hours
  • Automatic failover if a tunnel drops
  • No specialist networking knowledge required
  • Full mesh, hub-and-spoke, or hybrid topologies
  • Dynamic routing across all sites
  • Centralised visibility and monitoring

Traditional IPsec VPN

  • Manual configuration on both endpoints
  • CLI-based management per device
  • Hours of specialist time per tunnel
  • Manual failover configuration needed
  • Requires experienced network engineers
  • Full mesh impractical beyond a few sites
  • Static routing or complex OSPF/BGP setup
  • Device-by-device monitoring and troubleshooting

VPN Topologies: Hub-and-Spoke vs Full Mesh

Meraki Auto VPN supports multiple network topologies, and choosing the right one depends on your organisation's traffic patterns and requirements.

Hub-and-Spoke: In this topology, branch sites (spokes) connect to one or more central sites (hubs), but do not connect directly to each other. All inter-branch traffic routes through the hub. This is the most common topology for organisations with a central head office hosting shared resources — file servers, line-of-business applications, or internet breakout — that branches need to access. It minimises the number of tunnels and simplifies traffic management, but creates a dependency on the hub for all inter-site communication.

Full Mesh: Every site connects directly to every other site. This provides the most efficient routing — traffic between two branches travels directly without detouring through a hub — but requires more tunnels and more bandwidth at each site. Meraki Auto VPN makes full mesh practical even for large numbers of sites, as tunnel establishment is automatic.

Hybrid: A combination where regional hubs connect to each other in a full mesh, and branch sites within each region connect to their regional hub in a spoke arrangement. This balances efficiency with manageability and is well-suited to UK businesses with regional offices and multiple branch locations.

| Topology | Best For | Tunnel Count (10 sites) | Inter-Branch Latency |
|---|---|---|---|
| Hub-and-Spoke | Centralised resources, simple management | 9 tunnels | Higher (via hub) |
| Full Mesh | Direct inter-branch communication | 45 tunnels | Lowest (direct path) |
| Hybrid (2 hubs) | Regional structure with efficient routing | 13-20 tunnels | Low to moderate |

SD-WAN Integration

Meraki Auto VPN is tightly integrated with Meraki's SD-WAN (Software-Defined Wide Area Network) capabilities, providing intelligent path selection across multiple internet connections. If your sites have dual WAN links — for example, a primary leased line and a secondary broadband connection — SD-WAN automatically selects the best path for each type of traffic based on real-time performance metrics.

For VPN traffic, SD-WAN can monitor the health of each WAN link and automatically fail over VPN tunnels if the primary link degrades or fails. This happens seamlessly and without manual intervention — users at branch sites continue working without interruption even if a WAN link fails, because the VPN tunnel automatically re-establishes over the secondary link within seconds.

SD-WAN also enables traffic shaping and application-aware routing. You can configure policies that prioritise voice and video traffic over the VPN tunnel while routing bulk data transfers over a secondary link. This ensures consistent quality of experience for real-time applications like Microsoft Teams, even when large file transfers are consuming bandwidth simultaneously.

Security Considerations

Every Auto VPN tunnel uses AES 256-bit encryption — the same standard used by governments and military organisations worldwide. Key exchange is handled through IKEv2 with perfect forward secrecy, ensuring that even if a key is compromised, past and future communications remain secure.

Beyond the tunnel encryption, each MX appliance functions as a next-generation firewall, providing intrusion detection and prevention (IDS/IPS), content filtering, malware scanning, and application-level visibility. This means that traffic flowing between sites through Auto VPN tunnels is not only encrypted in transit but also inspected for threats at each site boundary.

For compliance purposes, the centralised Meraki dashboard provides complete visibility into VPN tunnel status, traffic flows, and security events across all sites. This is valuable for demonstrating compliance with frameworks such as Cyber Essentials, ISO 27001, and PCI DSS, all of which require evidence of encrypted inter-site communications and network segmentation.

  • Encryption Strength (AES-256): Maximum
  • Automatic Failover Speed: <30 sec
  • Dashboard Visibility: Complete
  • Configuration Complexity: Minimal
  • Ongoing Management Effort: Low

Real-World UK Deployment Scenarios

To illustrate the practical application of Meraki Auto VPN, consider these common scenarios faced by UK businesses.

Professional Services Firm with Multiple Offices: A law firm with offices in London, Manchester, and Birmingham needs all staff to access a central document management system hosted in the London office. Using Meraki Auto VPN in a hub-and-spoke topology with London as the hub, Manchester and Birmingham staff access the system seamlessly over encrypted tunnels. The firm later opens a satellite office in Leeds — they ship an MX appliance, plug it in, and within 15 minutes the Leeds team has secure access to the same systems.

Retail Chain with Branch Sites: A retail group with 15 stores across the Midlands needs secure connectivity back to their head office for EPOS data, stock management, and CCTV footage transmission. Each store receives a compact Meraki MX appliance that establishes Auto VPN tunnels to the head office automatically. SD-WAN ensures that EPOS transactions are prioritised over CCTV footage when bandwidth is constrained, and automatic failover to 4G backup keeps stores connected even if the primary broadband fails.

Manufacturing Company with Remote Warehouse: A manufacturer near Sheffield has a new warehouse outside Doncaster that needs access to the ERP system at the main site. Traditional VPN would require an engineer to configure matching IPsec parameters on firewalls at both locations. With Meraki Auto VPN, the IT manager simply deploys an MX at the warehouse, adds it to the dashboard, and the tunnel is established automatically — no specialist networking knowledge required.

Deployment Best Practices

While Auto VPN dramatically simplifies deployment, following best practices ensures optimal performance and reliability.

Size your MX appliance correctly for each site. Meraki offers MX models ranging from the compact MX67 (suitable for small branches with up to 50 users) to the high-performance MX450 (suitable for large sites with thousands of users). The VPN throughput rating of each model determines how much encrypted traffic it can handle — undersizing the appliance at a busy site will create a bottleneck.

Ensure adequate internet bandwidth at each site. VPN traffic adds overhead to your internet connection, and insufficient bandwidth at a branch site will result in poor application performance for users. As a general rule, calculate the bandwidth needed for your inter-site traffic (file access, application data, voice, video) and ensure your internet connection at each site provides at least 150% of that figure to accommodate growth and non-VPN traffic.

Implement split tunnelling thoughtfully. Split tunnelling sends only inter-site traffic through the VPN tunnel while routing internet traffic directly from each site. This reduces the load on your hub site and improves internet browsing performance at branches. However, it requires each site to have its own internet security (content filtering, malware scanning), which the Meraki MX provides natively.

Ready to Connect Your Sites with Meraki Auto VPN?

Cloudswitched is a Cisco Meraki partner providing design, deployment, and management of cloud-managed networking solutions for businesses across the United Kingdom. Whether you need to connect two offices or twenty branch sites, our team will design the optimal topology, deploy the hardware, and manage your network through the Meraki dashboard. Contact us to discuss your multi-site connectivity requirements.
