auto vpn port

ehsan2305
Comes here often


Ports need to be allowed only for auto VPN in Meraki MX.

3 Replies
BrechtSchamp
Kind of a big deal

Refer to the following page for the ports Meraki devices use to communicate:

https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Firewall_Rules_for_Cloud_Conne...

AutoVPN uses hole punching so the port will be dynamically chosen. More info about hole punching here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Automatic_NAT_Traversal_for_IPsec_Tunneling_bet...


The ranges used:

To contact the VPN registry:

  • Source UDP port range 32768-61000
  • Destination UDP port 9350

For IPsec tunneling:

  • Source UDP port range 32768-61000
  • Destination UDP port range 32768-61000

If this is an issue, you could opt for manual NAT traversal:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings#NAT_Traversal


AutoVPN troubleshooting info here:

https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-Site_VPN_Troubleshooting


Hope that helps.
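As an added example (not code from the thread, from Meraki, or from the reply's author), here is a small Python model of the two policies the thread is circling: a firewall upstream of the MX that lets out only the UDP port ranges quoted above, and an outbound policy for LAN clients that permits the remote VPN subnets and nothing else. The rule names, the remote subnets 10.10.0.0/16 and 10.20.0.0/16, and the sample flows are all constructed for the example; only the port numbers come from the reply.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# UDP port numbers quoted in the reply above for Meraki AutoVPN.
MX_SRC_PORTS = (32768, 61000)      # source port range the MX picks from
VPN_REGISTRY_PORT = 9350           # destination port of the VPN registry
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Flow:
    proto: str                  # "udp" or "tcp"
    src_port: int
    dst_port: int
    dst_ip: str = "0.0.0.0"     # only rules with dst_nets look at this


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    proto: Optional[str] = None          # None matches any protocol
    src_ports: Tuple[int, int] = ANY_PORT
    dst_ports: Tuple[int, int] = ANY_PORT
    dst_nets: Tuple[str, ...] = ()       # empty tuple matches any destination

    def matches(self, f: Flow) -> bool:
        if self.proto is not None and f.proto != self.proto:
            return False
        if not self.src_ports[0] <= f.src_port <= self.src_ports[1]:
            return False
        if not self.dst_ports[0] <= f.dst_port <= self.dst_ports[1]:
            return False
        if self.dst_nets:
            ip = ipaddress.ip_address(f.dst_ip)
            if not any(ip in ipaddress.ip_network(n) for n in self.dst_nets):
                return False
        return True


def evaluate(flow: Flow, rules: List[Rule], default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation, the way a firewall rule table is read top to bottom.
    Returns (action, name of the deciding rule); unmatched flows hit the implicit default."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return default, "default-" + default


# Policy 1 (hypothetical): firewall upstream of the MX. Only the MX's own
# AutoVPN flows get out; anything else, including client web browsing, is dropped.
UPSTREAM_RULES = [
    Rule("autovpn-registry", "allow", "udp", MX_SRC_PORTS,
         (VPN_REGISTRY_PORT, VPN_REGISTRY_PORT)),
    Rule("autovpn-ipsec", "allow", "udp", MX_SRC_PORTS, MX_SRC_PORTS),
]

# Policy 2 (hypothetical): outbound rules for LAN clients. They may reach the
# remote sites' subnets over the tunnel and nothing else. Subnets are constructed.
REMOTE_VPN_SUBNETS = ("10.10.0.0/16", "10.20.0.0/16")
CLIENT_RULES = [
    Rule("to-vpn-subnets", "allow", dst_nets=REMOTE_VPN_SUBNETS),
]

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("udp", 40000, 9350, "198.51.100.5"),     # MX check-in with the VPN registry
    Flow("udp", 40000, 50000, "198.51.100.9"),    # MX-to-MX IPsec after hole punching
    Flow("udp", 1024, 9350, "198.51.100.5"),      # registry port, but source outside the MX range
    Flow("tcp", 51000, 443, "203.0.113.10"),      # client HTTPS browsing
    Flow("tcp", 51000, 445, "10.20.5.7"),         # client SMB to a remote VPN subnet
]


def audit(flows: List[Flow], rules: List[Rule]) -> List[Tuple[Flow, str, str]]:
    """Evaluate every flow against a rule set; useful for checking a policy offline."""
    return [(f, *evaluate(f, rules)) for f in flows]


if __name__ == "__main__":
    for label, rules in (("upstream", UPSTREAM_RULES), ("client", CLIENT_RULES)):
        print(f"--- {label} policy ---")
        for f, action, rule in audit(SAMPLE_FLOWS, rules):
            print(f"{f.proto:3} {f.src_port:>5} -> {f.dst_ip}:{f.dst_port:<5} {action:5} ({rule})")
```

Running it shows the registry check-in and the IPsec flow passing the upstream policy while browsing and an out-of-range source port are dropped, and the client policy admitting only the flow bound for a remote VPN subnet. The upstream rule set is the one that matters if a separate firewall sits in front of the MX; the client rule set is the shape of what the original poster asked for. The MX's own tunnel traffic is not subject to its outbound rules, as the last reply in the thread points out.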


If I block all ports for outgoing traffic and allow only the ports that you mentioned below, then auto VPN between Meraki MX devices will work and there will be no outgoing internet traffic.


Actually, my requirement is to only allow VPN between Meraki MX devices with their local subnets, but users should not be allowed internet browsing.


You don't need to add exceptions to the firewall for the VPN tunnels to work. The MX allows its own VPN tunnels automatically.
