How to Set Up VPN Tunnels with Cisco Meraki MX

Cisco Meraki MX security appliances are among the most popular network devices deployed in UK businesses, and for good reason. Their cloud-managed architecture makes them remarkably straightforward to configure and monitor, while their security features — including VPN, firewall, intrusion detection, and content filtering — make them a comprehensive solution for small and medium-sized businesses that need enterprise-grade networking without enterprise-grade complexity.

One of the most common use cases for the Meraki MX is establishing VPN tunnels — either between multiple office sites (site-to-site VPN) or for remote employees connecting from home or on the road (client VPN). When configured correctly, these VPN tunnels provide secure, encrypted connectivity that protects your data in transit and extends your corporate network to wherever your people need to work.

This guide covers both site-to-site and client VPN configurations on the Meraki MX platform, including best practices for security, performance, and troubleshooting common issues.

  • 256-bit AES encryption standard used by Meraki VPN tunnels
  • 92% of Meraki deployments use Auto VPN for site-to-site
  • <5 min typical setup time for Meraki Auto VPN between sites
  • 250+ third-party VPN peers supported per MX appliance

Understanding Meraki VPN Types

The Meraki MX supports three distinct VPN configurations, each serving a different purpose. Understanding which one to use — and when to combine them — is the starting point for any VPN deployment.

Auto VPN (Site-to-Site Between Meraki Devices)

Auto VPN is Meraki's proprietary technology for establishing site-to-site VPN tunnels between Meraki MX appliances. It is the simplest and most reliable option when both ends of the tunnel are Meraki devices. Auto VPN handles key exchange, encryption negotiation, and tunnel establishment automatically through the Meraki cloud dashboard — you do not need to configure IP addresses, pre-shared keys, or IKE parameters manually.

Non-Meraki VPN (Site-to-Site with Third-Party Devices)

When you need to connect your Meraki network to a site using a different firewall or router — such as a Cisco ASA, Fortinet FortiGate, SonicWall, or an Azure Virtual Network Gateway — you will use the non-Meraki VPN (also known as third-party VPN) configuration. This uses standard IPsec with IKE (Internet Key Exchange) and requires manual configuration of tunnel parameters on both sides.

Client VPN (Remote Access)

The client VPN allows individual users to connect to the corporate network from remote locations using a VPN client on their laptop, phone, or tablet. The Meraki MX supports the L2TP/IPsec protocol, which is natively supported by Windows, macOS, iOS, and Android — no additional VPN client software is required in most cases.

Auto VPN Advantages

  • Fully automated setup via Meraki Dashboard
  • No manual IPsec configuration required
  • Automatic failover and path selection
  • Supports hub-and-spoke and full-mesh topologies
  • Integrated SD-WAN for intelligent path selection
  • Centralised monitoring and troubleshooting

Auto VPN Limitations

  • Requires Meraki MX at both ends of the tunnel
  • Dependent on Meraki cloud for management
  • Licensing costs for each appliance
  • Cannot connect directly to non-Meraki devices
  • Limited customisation of IPsec parameters
  • Throughput limited by MX model and licence tier

Configuring Auto VPN (Site-to-Site)

Auto VPN configuration is remarkably straightforward. The entire process is managed through the Meraki Dashboard and typically takes less than five minutes per site.

Step One: Define the Hub Site

In the Meraki Dashboard, navigate to Security & SD-WAN > Site-to-site VPN. Set the VPN mode to "Hub" for your main office or data centre. This designates the site as a central point to which other sites (spokes) will connect. Select which local subnets should be advertised over the VPN — typically your LAN subnets that contain shared resources such as file servers, printers, and internal applications.

Step Two: Configure Spoke Sites

On each branch office MX, navigate to the same VPN settings page and set the VPN mode to "Spoke". Select the hub site(s) from the dropdown. Again, choose which local subnets should participate in the VPN. The tunnel will establish automatically within minutes — the MX appliances negotiate the encryption, exchange keys, and bring the tunnel up without any manual intervention.

Step Three: Verify Connectivity

Once the tunnels are established, verify connectivity by testing access to resources at the hub site from each spoke, and vice versa. Use the Meraki Dashboard's VPN status page to monitor tunnel health, latency, and throughput. The dashboard provides real-time and historical data on VPN performance, making it easy to identify issues.

  • Step 1: Configure hub site (~2 minutes)
  • Step 2: Configure spoke sites (~2 min per site)
  • Step 3: Verify and test connectivity (~5 minutes)
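The three steps above, expressed as the request bodies a script would send to the Dashboard, plus a check for the most common reason a spoke's routes never show up at the hub: two sites advertising overlapping subnets. This is an added example, not Meraki's code; the network IDs and subnets are constructed, and the field names (mode, hubs, subnets, localSubnet, useVpn, useDefaultRoute) follow the siteToSiteVpn API resource as assumed here, so confirm them against the current API reference.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed sample sites: network ID -> (role, subnets to advertise).
SITES = {
    "N_hub_london":    ("hub",   ["10.10.0.0/16"]),
    "N_spoke_leeds":   ("spoke", ["10.20.0.0/24", "10.20.1.0/24"]),
    "N_spoke_bristol": ("spoke", ["10.30.0.0/24"]),
}
HUB_ID = "N_hub_london"  # hypothetical network ID of the hub site

def site_to_site_payload(network_id: str) -> dict:
    """Body for PUT /networks/{id}/appliance/vpn/siteToSiteVpn (assumed schema)."""
    role, subnets = SITES[network_id]
    body = {
        "mode": role,
        "subnets": [{"localSubnet": s, "useVpn": True} for s in subnets],
    }
    if role == "spoke":
        # useDefaultRoute=False keeps internet traffic local at the spoke;
        # only hub subnets are reached over the tunnel.
        body["hubs"] = [{"hubId": HUB_ID, "useDefaultRoute": False}]
    return body

def overlapping_subnets(sites: dict) -> list:
    """(site_a, subnet_a, site_b, subnet_b) for every pair of advertised subnets that overlap."""
    advertised = [(sid, ip_network(s, strict=True))
                  for sid, (_, subs) in sites.items() for s in subs]
    return [(a, str(na), b, str(nb))
            for (a, na), (b, nb) in combinations(advertised, 2)
            if na.overlaps(nb)]

if __name__ == "__main__":
    for sid in SITES:
        print(sid, site_to_site_payload(sid))
    print("overlaps:", overlapping_subnets(SITES) or "none")
```

Run the overlap check before pushing the spoke configurations; Auto VPN will bring the tunnel up either way, but traffic to a subnet that exists at two sites is routed unpredictably.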

Configuring Non-Meraki VPN (Third-Party IPsec)

When you need to establish a VPN tunnel between your Meraki MX and a third-party device or cloud platform, the configuration requires more manual setup. You will need to define the IPsec parameters on both sides and ensure they match exactly.

Required Parameters

Before starting the configuration, gather the following information: the public IP address of the remote peer, the remote LAN subnets that need to be accessible, a pre-shared key (PSK) that both sides will use for authentication, and agreement on the IKE and IPsec encryption parameters.

Parameter            Recommended Setting        Notes
IKE Version          IKEv2                      More secure and reliable than IKEv1
Phase 1 Encryption   AES-256                    Strongest available option
Phase 1 Hash         SHA-256                    SHA-1 is deprecated
Phase 1 DH Group     Group 14 (2048-bit)        Minimum recommended by NCSC
Phase 1 Lifetime     28800 seconds (8 hours)    Meraki default
Phase 2 Encryption   AES-256                    Match Phase 1 for consistency
Phase 2 Hash         SHA-256                    Ensure both sides match
Phase 2 PFS Group    Group 14                   Perfect Forward Secrecy
Phase 2 Lifetime     3600 seconds (1 hour)      Meraki default

Azure VPN Gateway Integration

A common requirement for UK businesses is connecting their Meraki MX to an Azure Virtual Network Gateway. Microsoft and Cisco have published validated configurations for this scenario. Key points to note: use IKEv2 (not IKEv1), configure the Azure VPN Gateway as Route-based (not Policy-based), ensure the pre-shared key is at least 32 characters with a mix of upper-case, lower-case, numbers, and symbols, and configure the Azure local network gateway with the public IP of your Meraki MX and your on-premises subnets as the address space. Monitor the tunnel through both the Meraki Dashboard and the Azure Portal.
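A policy check that compares a third-party peer definition against the parameter table and the Azure pre-shared key rules above. This is an added example, not Meraki's or Microsoft's code; the peer fields (ikeVersion, secret, ipsecPolicies and its keys) follow the Dashboard API thirdPartyVPNPeers schema as assumed here, and the two sample peers and their PSKs are constructed placeholders.

```python
import string

# Recommended policy from the table above; keys follow the Dashboard API
# thirdPartyVPNPeers ipsecPolicies object (assumed names).
RECOMMENDED = {
    "ikeCipherAlgo": ["aes256"], "ikeAuthAlgo": ["sha256"],
    "ikeDiffieHellmanGroup": ["group14"], "ikeLifetime": 28800,
    "childCipherAlgo": ["aes256"], "childAuthAlgo": ["sha256"],
    "childPfsGroup": ["group14"], "childLifetime": 3600,
}
MIN_PSK_LEN = 32

def psk_issues(secret: str) -> list:
    """PSK must be >= 32 chars and mix upper-case, lower-case, numbers and symbols."""
    classes = {"upper-case": string.ascii_uppercase, "lower-case": string.ascii_lowercase,
               "numbers": string.digits, "symbols": string.punctuation}
    issues = [f"psk shorter than {MIN_PSK_LEN} characters"] if len(secret) < MIN_PSK_LEN else []
    issues += [f"psk has no {name}" for name, chars in classes.items()
               if not any(c in chars for c in secret)]
    return issues

def peer_issues(peer: dict) -> list:
    """Findings for one third-party VPN peer; an empty list means it matches the policy."""
    issues = [] if str(peer.get("ikeVersion")) == "2" else ["ikeVersion is not 2; use IKEv2"]
    issues += psk_issues(peer.get("secret", ""))
    policy = peer.get("ipsecPolicies", {})
    for key, want in RECOMMENDED.items():
        got = policy.get(key)
        same = sorted(got) == sorted(want) if isinstance(want, list) and got else got == want
        if not same:
            issues.append(f"{key}={got!r}; recommended {want!r}")
    return issues

# Constructed sample peers; the PSKs below are placeholders, not real keys.
AZURE_PEER = {
    "name": "azure-uksouth", "publicIp": "203.0.113.10", "ikeVersion": "2",
    "privateSubnets": ["10.100.0.0/16"], "secret": "CorrectHorse-Battery-Staple-2024!!Aa",
    "ipsecPolicies": dict(RECOMMENDED),
}
LEGACY_PEER = {
    "name": "old-branch-fw", "publicIp": "198.51.100.20", "ikeVersion": "1",
    "privateSubnets": ["10.200.0.0/24"], "secret": "branch123",
    "ipsecPolicies": {**RECOMMENDED, "ikeAuthAlgo": ["sha1"], "ikeDiffieHellmanGroup": ["group2"]},
}

if __name__ == "__main__":
    for peer in (AZURE_PEER, LEGACY_PEER):
        print(peer["name"], peer_issues(peer) or "compliant")
```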

Configuring Client VPN (Remote Access)

The Meraki MX client VPN provides remote access for individual users. Configuration involves both the MX appliance and the user's device.

MX Configuration

In the Meraki Dashboard, navigate to Security & SD-WAN > Client VPN. Enable the client VPN and configure the following: the client VPN subnet (a dedicated range that will be assigned to VPN clients, such as 10.0.100.0/24), the DNS servers that clients should use, the authentication method (Meraki cloud authentication, Active Directory, or RADIUS), and the shared secret (pre-shared key) that clients will use to connect.

For UK businesses with Active Directory, integrating the client VPN with your AD domain is strongly recommended. This allows users to authenticate with their existing domain credentials, simplifies user management, and enables you to control VPN access through AD group membership.

Client Device Configuration

Because the Meraki client VPN uses L2TP/IPsec, it can be configured natively on all major operating systems without installing additional software. On Windows, create a new VPN connection in Network Settings with the type set to L2TP/IPsec with pre-shared key. On macOS, add a VPN configuration in System Settings > Network with the interface set to VPN and type set to L2TP over IPsec.

Platform                 Client VPN support
Windows native client    Fully supported
macOS native client      Fully supported
iOS native client        Fully supported
Android native client    Supported (varies)
Linux                    Manual config required

Security Best Practices for Meraki VPN

A properly configured VPN is a strong security tool, but a poorly configured one can introduce vulnerabilities. Follow these best practices to ensure your Meraki VPN deployment is secure.

Use strong pre-shared keys — a minimum of 32 characters with a mix of character types. Rotate pre-shared keys at least annually. For client VPN, integrate with Active Directory or RADIUS rather than using Meraki cloud authentication, as this provides better user management and allows you to enforce password policies. Enable split tunnelling only when necessary — full tunnel mode forces all traffic through the VPN, providing better security monitoring but consuming more bandwidth. Restrict VPN access to authorised users through group-based policies. Monitor VPN connection logs for unusual patterns, such as connections from unexpected geographic locations or at unusual times.
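The log-monitoring advice above turned into a small review over client VPN connection events: flag connections outside normal hours, from source networks you do not expect, and users appearing from several source IPs in one window. This is an added example, not Meraki's code; the events are constructed samples shaped like the Dashboard API network events feed, and the field names, the event type, the office hours and the expected source ranges are all assumptions or placeholders for your own values.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Placeholders for your own values: local zone, normal hours, expected source ranges.
LOCAL_TZ = timezone.utc                 # swap for your site's zone (e.g. Europe/London)
OFFICE_HOURS = range(7, 20)             # 07:00-19:59 local is treated as normal
EXPECTED_SOURCES = [ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample events in the shape of the Dashboard API events feed
# (field names and the event type are assumptions, not verified against the API).
EVENTS = [
    {"occurredAt": "2024-03-04T09:12:00Z", "type": "client_vpn_connect",
     "clientDescription": "alice", "eventData": {"remote_ip": "203.0.113.45"}},
    {"occurredAt": "2024-03-04T02:40:00Z", "type": "client_vpn_connect",
     "clientDescription": "bob", "eventData": {"remote_ip": "203.0.113.77"}},
    {"occurredAt": "2024-03-04T11:05:00Z", "type": "client_vpn_connect",
     "clientDescription": "carol", "eventData": {"remote_ip": "192.0.2.9"}},
    {"occurredAt": "2024-03-04T11:20:00Z", "type": "client_vpn_connect",
     "clientDescription": "carol", "eventData": {"remote_ip": "198.51.100.3"}},
]

def flag_event(ev: dict) -> list:
    """Findings for a single connect event: out-of-hours and unexpected source."""
    if ev.get("type") != "client_vpn_connect":
        return []
    when = datetime.fromisoformat(ev["occurredAt"].replace("Z", "+00:00")).astimezone(LOCAL_TZ)
    src = ip_address(ev["eventData"]["remote_ip"])
    findings = []
    if when.hour not in OFFICE_HOURS:
        findings.append("out-of-hours connection")
    if not any(src in net for net in EXPECTED_SOURCES):
        findings.append("source outside expected ranges")
    return findings

def review(events: list) -> dict:
    """User -> findings; also notes a user connecting from several IPs in the window."""
    findings, sources = {}, {}
    for ev in sorted(events, key=lambda e: e["occurredAt"]):
        user = ev["clientDescription"]
        findings.setdefault(user, []).extend(flag_event(ev))
        sources.setdefault(user, set()).add(ev["eventData"]["remote_ip"])
    for user, ips in sources.items():
        if len(ips) > 1:
            findings[user].append(f"{len(ips)} distinct source IPs in window")
    return {u: f for u, f in findings.items() if f}

if __name__ == "__main__":
    for user, notes in review(EVENTS).items():
        print(user, notes)
```

Feed it the events pulled for a day or a week; users with no findings are dropped from the result so only the entries worth a second look remain.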

For businesses pursuing Cyber Essentials certification, ensure that your VPN configuration meets the scheme's requirements for secure remote access, including strong authentication, encryption of data in transit, and access controls that limit what VPN users can reach on the internal network.

Troubleshooting Common VPN Issues

Despite Meraki's ease of use, VPN issues do occasionally arise. The most common problems and their usual causes are:

  • Tunnels failing to establish: usually mismatched IPsec parameters, or firewall rules blocking UDP ports 500 and 4500.
  • Intermittent disconnections: often DPD (Dead Peer Detection) timeout mismatches or NAT traversal issues.
  • Slow performance: typically the MX being undersized for the traffic volume, or the underlying internet connection being insufficient.
  • Client VPN users unable to access internal resources: usually a routing or DNS issue on the client subnet.

The Meraki Dashboard provides extensive troubleshooting tools, including event logs, VPN status monitoring, and the ability to run packet captures directly on the MX appliance. For non-Meraki VPN tunnels, always check the event log on both sides of the tunnel to identify where the negotiation is failing.

Need Help With Your Meraki VPN Setup?

Cloudswitched is a Cisco Meraki partner with extensive experience deploying and managing VPN solutions for UK businesses. Whether you need site-to-site connectivity, remote access for your team, or integration with Azure and other cloud platforms, we can design and implement the right solution for your needs.
