site-to-site VPN across Multiple organisations

New here

site-to-site VPN across Multiple organisations



I am an admin user across multiple organisations, we have Meraki Z1's and MX65's on networks within each of these organisations. Is there a way to do site-site VPN across multiple organisations? 


Our current setup requires a network in each organisation at the office that we can connect to and then VPN to a remote network. 


Many thanks in advance. 

Getting noticed

Its easy to terminate tunnel with the networks inside one organization using Auto vpn features but in your case that you want organization to organization vpn you need to manually configure it just like a classic way of vpn configuration.



Non-Meraki VPN peers

You can create Site-to-site VPN tunnels between the MX appliance and a Non-Meraki VPN endpoint device under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:

  • A name for the remote device or VPN tunnel.
  • The public IP address of the remote device.
  • The subnets behind the third-party device that you wish to connect to over the VPN. can also be specified to define a default route to this peer.
  • The IPsec policy to use.
  • The preshared secret key (PSK).
  • Availability settings to determine which appliances in your Dashboard Organization will connect to the peer.

Note that if an MX is configured with a default route ( to a Non-Meraki VPN peer, traffic will not fail over to the WAN, even if the connection goes down.

IPsec policies

There are three preset IPsec policies available.

  • Default: Uses the Meraki default IPsec settings for connection to a non-Meraki device
  • AWS: Uses default settings for connecting to an Amazon VPC
  • Azure: Uses default settings for connecting to a Microsoft Azure instance

If none of these presets are appropriate, the Custom option allows you to manually configure the IPsec policy parameters. These parameters are divided into Phase 1 and Phase 2.

Phase 1

  • Encryption: Select between AES-128, AES-192, AES-256, and 3DES encryption
  • Authentication: Select MD5 or SHA1 authentication
  • Diffie-Hellman group: Select between Diffie-Hellman (DH) groups 1, 2, and 5
  • Lifetime (seconds): Enter the phase 1 lifetime in seconds


Phase 2

  • Encryption: Select between AES-128, AES-192, AES-256, and 3DES encryption (multiple options can be selected)
  • Authentication: Select between MD5 and SHA1 authentication (both options can be selected)
  • PFS group: Select the Off option to disable Perfect Forward Secrecy (PFS). Select group 1, 2, or 5 to enable PFS using that Diffie Hellman group.
  • Lifetime (seconds): Enter the phase 2 lifetime in seconds

On May 8th 2018, changes were introduced to deprecate DES for encryption. Click here for more information. 

Peer availability

By default, a non-Meraki peer configuration applies to all MX-Z appliances in your Dashboard Organization. Since it is not always desirable for every appliance you control to form tunnels to a particular non-Meraki peer, the Availability column allows you to control which appliances within your Organization will connect to each peer. This control is based on network tags, which are labels you can apply to your Dashboard networks.

When "All networks" is selected for a peer, all MX-Z appliances in the organization will connect to that peer. When a specific network tag or set of tags is selected, only networks that have one or more of the specified tags will connect to that peer.

More information on network tags can be found here.

VPN Firewall Rules

You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic to/from from all MX appliances in the Organization that participate in site-to-site VPN. These rules are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN Firewall rules will not apply to inbound traffic or to traffic that is not passing through the VPN. 

Monitoring site-to-site VPN

You can monitor the status of the site-to-site VPN tunnels between your Meraki devices by clicking Security & SD-WAN > Monitor > VPN Status. This page provides real-time status for the configured Meraki site-to-site VPN tunnels. It lists the subnet(s) being exported over the VPN, connectivity information between the MX appliance and the Meraki VPN registry, NAT Traversal information, and the encryption type being used for all tunnels. Additionally, the Site connectivity list provides the following information for remote Meraki VPN peers:

  • Name of the remote Meraki VPN peer.
  • Subnets that are being advertised over the VPN by the remote peer device.
  • Status (whether the peer is currently reachable).
  • Round-trip packet latency over the VPN (in milliseconds).
  • Last time a heartbeat packet was sent to determine the status of the VPN tunnel (in seconds).


Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.