MX1 and MX2 are part of the same organization, and both are configured to participate in Auto VPN. Each MX sends a Register Request message to its VPN registry in order to share its own contact information and to get the contact information of the peer MX(s) that it should form a VPN tunnel with. The Register Request message contains the IP address and the UDP port that the MX communicates on, along with the request for the contact information of its peer MX(s).
The VPN registries send Register Response messages to the MXs, containing the contact information of the peers each MX should establish a tunnel with.
Once each MX has received the information about its peers, a VPN tunnel is formed MX to MX. The Meraki cloud already knows the subnet information for each MX, and now also knows the IP addresses to use for tunnel creation. The cloud pushes a key to the MXs in their configuration, which is used to establish an AES-encrypted, IPsec-like tunnel. Local subnets specified by dashboard admins are exported/shared across the VPN. During this process, VPN routes are pushed from the dashboard to the MXs. Finally, the dashboard dynamically pushes VPN peer information (e.g., exported subnets, tunnel IP information) to each MX. Every MX stores this information in a separate routing table.
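The exchange described above can be followed in a small model. This is an added example, not Meraki code or the Meraki message format: the `Registry` class, the function names, the organization labels and all addresses and subnets are constructed for illustration, and the longest-prefix lookup is an assumption about how the separate VPN routing table is consulted.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Registry:
    """Toy VPN registry: hands out peer contacts only within one organization."""
    participants: dict                            # mx_id -> org_id (Auto VPN enabled)
    contacts: dict = field(default_factory=dict)  # mx_id -> (ip, udp_port)

    def register(self, mx_id, ip, udp_port):
        """Handle a Register Request; the return value models the Register Response."""
        org = self.participants.get(mx_id)
        if org is None:                           # not configured for Auto VPN
            return {}
        self.contacts[mx_id] = (ip, udp_port)
        return {peer: c for peer, c in self.contacts.items()
                if peer != mx_id and self.participants[peer] == org}

def build_vpn_table(peers, exported):
    """Model of the dashboard push: each peer's exported subnets map to that peer."""
    return [(ipaddress.ip_network(net), peer, peers[peer])
            for peer in peers for net in exported.get(peer, [])]

def lookup(table, dst):
    """Longest-prefix match in the separate VPN routing table (None if no route)."""
    addr = ipaddress.ip_address(dst)
    hits = [row for row in table if addr in row[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)

def demo():
    # Constructed sample data: documentation address ranges, made-up org names.
    reg = Registry({"MX1": "org-A", "MX2": "org-A", "MX9": "org-B"})
    exported = {"MX1": ["10.1.0.0/24"], "MX2": ["10.2.0.0/16", "10.2.5.0/24"]}
    first = reg.register("MX1", "198.51.100.10", 41000)    # MX2 not registered yet
    reg.register("MX9", "192.0.2.99", 45000)               # different organization
    mx2_peers = reg.register("MX2", "203.0.113.20", 42000)
    mx1_peers = reg.register("MX1", "198.51.100.10", 41000)
    table = build_vpn_table(mx1_peers, exported)           # MX1's VPN routing table
    return first, mx2_peers, mx1_peers, lookup(table, "10.2.5.7"), lookup(table, "10.9.9.9")

if __name__ == "__main__":
    for item in demo():
        print(item)
```

In this model, MX9 never appears in a response to MX1 or MX2 because it belongs to another organization, and a destination outside every exported subnet has no entry in the VPN table.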