Hi,
I am an admin user across multiple organisations, we have Meraki Z1's and MX65's on networks within each of these organisations. Is there a way to do site-site VPN across multiple organisations?
Our current setup requires a network in each organisation at the office that we can connect to and then VPN to a remote network.
Many thanks in advance.
Solved! Go to Solution.
Its easy to terminate tunnel with the networks inside one organization using Auto vpn features but in your case that you want organization to organization vpn you need to manually configure it just like a classic way of vpn configuration.
Here:
You can create Site-to-site VPN tunnels between the MX appliance and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:
Note that if an MX is configured with a default route (0.0.0.0/0) to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.
There are three preset IPsec policies available.
If none of these presets are appropriate, the Custom option allows you to manually configure the IPsec policy parameters. These parameters are divided into Phase 1 and Phase 2.
On May 8th 2018, changes were introduced to deprecate DES for encryption. Click here for more information.
By default, a non-Meraki peer configuration applies to all MX-Z appliances in your Dashboard Organization. Since it is not always desirable for every appliance you control to form tunnels to a particular non-Meraki peer, the Availability column allows you to control which appliances within your Organization will connect to each peer. This control is based on network tags, which are labels you can apply to your Dashboard networks.
When "All networks" is selected for a peer, all MX-Z appliances in the organization will connect to that peer. When a specific network tag or set of tags is selected, only networks that have one or more of the specified tags will connect to that peer.
More information on network tags can be found here.
You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic to/from from all MX appliances in the Organization that participate in site-to-site VPN. These rules are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN Firewall rules will not apply to inbound traffic or to traffic that is not passing through the VPN.
You can monitor the status of the site-to-site VPN tunnels between your Meraki devices by clicking Security & SD-WAN > Monitor > VPN Status. This page provides real-time status for the configured Meraki site-to-site VPN tunnels. It lists the subnet(s) being exported over the VPN, connectivity information between the MX appliance and the Meraki VPN registry, NAT Traversal information, and the encryption type being used for all tunnels. Additionally, the Site connectivity list provides the following information for remote Meraki VPN peers: