AutoVPN header

iores
Getting noticed

Hi,


is there any Meraki documentation describing AutoVPN packet structure (outer/inner headers..)?

Best regards

6 Replies
PhilipDAth
Kind of a big deal

No.  It is loosely based on IPSec.

iores
Getting noticed

Is the inner IP header encrypted and encapsulated within a UDP packet, which is part of the outer IP header that contains the IPs of the source and destination MXs?

alemabrahao
Kind of a big deal

In Meraki AutoVPN, the inner IP header is fully encrypted and encapsulated inside an ESP packet.

Although Meraki does not publish packet-structure diagrams, their documentation confirms two essential facts:

  • AutoVPN uses IPsec ESP for data-plane encryption.

  • The UDP ports below are used by Automatic NAT traversal. When peers are directly connected to the Internet with a public IP address and not protected by a transparent firewall, or when peers are behind a firewall and NAT that allows all outbound traffic and does not perform load balancing, no further configuration is necessary on upstream security systems. In this case the tunnel should be established and all peers will show up as connected in Dashboard. However, in the case that your Cisco Meraki peer resides behind a restrictive firewall, the following connection types are required.

    To contact the VPN registry:

    • Source UDP port range 32768-61000
    • Destination UDP port range 9350-9381

    For IPsec tunneling:

    • Source UDP port range 32768-61000
    • Destination UDP port range 32768-61000


meraki_whitepaper_autovpn.pdf

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
iores
Getting noticed

Aren't ports 9351-9381 used to communicate with AutoVPN registry, while ports 32768-61000 are used for IPsec tunneling? 

alemabrahao
Kind of a big deal

AutoVPN Registry Communication (Control Plane): 9350–9381, used to register the public IP and NAT port, and for peer discovery.

https://documentation.meraki.com/SASE_and_SD-WAN/MX/Design_and_Configure/Configuration_Guides/Site-t...

IPsec Tunnel Traffic (Data Plane): 32768–61000 (ephemeral, per-MX), used for the actual encrypted ESP-over-UDP between MX peers.

Automatic NAT Traversal for Auto VPN Tunneling between Cisco Meraki Peers - Cisco Meraki Documentati...

Documentation is your best friend. 😉

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
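A practical way to use the two port ranges discussed in the replies above is to audit a restrictive firewall's deny log for outbound UDP from the MX WAN address and sort the hits into the two flow types (registry control plane on 9350-9381, ESP-over-UDP data plane on 32768-61000, both sourced from 32768-61000). The script below is an added example, not code from Meraki, the documentation or anyone in this thread; the `action=... proto=... src=... dst=...` log format, the MX WAN address 192.0.2.10 and the sample log lines are all constructed for the example, and the rendered allow rules are generic text you would translate into your firewall's syntax. Only the port ranges come from the documentation quoted in the thread.

```python
"""Audit firewall deny logs for blocked Meraki AutoVPN flows.

Added example, not Meraki code. The log format and sample lines are
constructed; the port ranges are the ones from the Automatic NAT
traversal documentation quoted in the thread.
"""
import re
from collections import defaultdict

# Port ranges from the Meraki Automatic NAT Traversal documentation.
SRC_PORTS = range(32768, 61001)      # MX source ports, both flow types
REGISTRY_DST = range(9350, 9382)     # VPN registry (control plane)
TUNNEL_DST = range(32768, 61001)     # IPsec ESP-over-UDP (data plane)

# Hypothetical deny-log format; adapt the regex to your firewall's logs.
LOG_RE = re.compile(
    r"action=(?P<action>\w+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify(proto, sport, dport):
    """Return 'registry', 'tunnel', or None for one flow leaving the MX."""
    if proto.lower() != "udp" or sport not in SRC_PORTS:
        return None
    if dport in REGISTRY_DST:
        return "registry"
    if dport in TUNNEL_DST:
        return "tunnel"
    return None


def blocked_autovpn(log_lines, mx_wan_ips):
    """Map each AutoVPN flow type to the set of (dst, dport) it was denied to."""
    blocked = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["action"].lower() != "deny":
            continue
        if m["src"] not in mx_wan_ips:        # only flows sourced by the MX
            continue
        kind = classify(m["proto"], int(m["sport"]), int(m["dport"]))
        if kind:
            blocked[kind].add((m["dst"], int(m["dport"])))
    return dict(blocked)


def allow_rules(blocked):
    """Render generic outbound allow rules covering what was blocked.

    The registry rule is listed first: without registry reachability the
    MX never learns its peers' public IP/port, so a tunnel rule alone
    does not bring the VPN up.
    """
    rules = []
    if "registry" in blocked:
        rules.append("allow udp src-port 32768-61000 dst-port 9350-9381")
    if "tunnel" in blocked:
        rules.append("allow udp src-port 32768-61000 dst-port 32768-61000")
    return rules


# Constructed sample: one MX (WAN 192.0.2.10) behind a restrictive firewall.
SAMPLE_LOG = [
    "action=deny proto=udp src=192.0.2.10:40001 dst=198.51.100.5:9350",
    "action=deny proto=udp src=192.0.2.10:40001 dst=198.51.100.6:9381",
    "action=deny proto=udp src=192.0.2.10:45123 dst=203.0.113.77:50022",
    "action=allow proto=udp src=192.0.2.10:45123 dst=203.0.113.77:50022",
    "action=deny proto=tcp src=192.0.2.10:45000 dst=203.0.113.77:443",
    "action=deny proto=udp src=192.0.2.10:1024 dst=203.0.113.77:50022",   # sport outside MX range
    "action=deny proto=udp src=192.0.2.99:40001 dst=198.51.100.5:9350",   # not the MX
]

if __name__ == "__main__":
    blocked = blocked_autovpn(SAMPLE_LOG, {"192.0.2.10"})
    for kind, dsts in sorted(blocked.items()):
        print(kind, sorted(dsts))
    for rule in allow_rules(blocked):
        print(rule)
```

Run it as-is to see the constructed sample sorted into two blocked registry destinations and one blocked tunnel peer; the TCP line, the flow with a source port outside 32768-61000, and the flow from a non-MX address are ignored. Note that the registry destinations are Meraki's, while tunnel destinations are the other MXs' public addresses and NAT ports, which change per peer, so the tunnel rule has to be written on the full range rather than per observed destination.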
PhilipDAth
Kind of a big deal