VPN IPSEC tunnel over private network

Here to help

VPN IPSEC tunnel over private network



First I have never worked with Meraki before but have the following requirements.  I need to provide guest internet access at branch offices.  The branch offices only have MPLS connections and no local internet breakout.  For guest internet access a separate internet line is provisioned at HQ. 

Branch MX firewalls can reach Meraki cloud platform for management using normal internet line routed over other firewall.  I would like to build a separate IPSEC tunnel to the MX in HQ to provide internet guest access.

The Meraki firewall for guest at HQ has a public routable IP at WAN side and should also have an internal IP that is reachable over the MPLS to establish IPSEC tunnels between BRANCH and HQ.

I have read so fare that you can deploy MX in concentrator or routed mode.  I guess I need to use routed mode.  Can I use the auto VPN feature for this or should I use third party VPN.

I am not looking for a detailed technical approach but some direction on how to best approach this.

With the cloud management and auto-vpn I don't really now how this works.


RED LINE IPSEC, BLUE MGT for Meraki branch to cloud platform.


Schermafbeelding 2020-07-29 om 14.10.50.png

2 Replies 2
Meraki Employee
Meraki Employee

Hello @FDM 


The deployment that you are trying to achieve is generally explained here. Please check that and if you have any specific questions, feel free to bump this thread or you can also reach out to Meraki Support to review any specific deployment issues. 


Please let me know if you have any further questions.



Meraki Team


Here to help

 Hi Seshu,


Thank you for the reference.  I do have a question about the following statement regarding VPN concentrator.


Passthrough or VPN concentrator
The secrurity appliance acts as layer 2 bridge and does not modify client traffic.
Configure VPN to enable communication with remote peers.
Only one WAN uplink can be used in this mode.
The layer 2 is what is confusing me in one armed mode the vpn traffic is routed back over the same interface i guess.
It is not that it is building Layer 2 VPN's over IPSEC?
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.