A Visual Guide to Setting up a Meraki to AWS Site-to-Site VPN

By Chaim Sanders

There are many administrators of Meraki devices now. They make great small business devices and, honestly, simplify a lot of the annoyance of configuring more feature rich switches. A common configuration has been to deploy these in support of a SaaS company with services in AWS. The following nicely outlines the steps needed to accomplish this (we’ll leave the discussion of IKEv1 support to another blog).

Note: For security reasons some of the information in the pictures has been modified or hidden.

  1. Create a VPC (if you do not already have the existing VPC you’d like to be the other half of the tunnel). 
    1. After logging into AWS go to the ‘Services’ area (top bar) and select the ‘VPC’ service. This will bring you to a status page about the Networking configured for your AWS environment. Select ‘Your VPCs’ on the left hand side.1
    2. Select the ‘Create VPC’ button. This will allow you to create a Virtual Private Cloud where accessible resources on AWS will live. Enter a name and a CIDR block (set of IP addresses). For this example i’ll be setting up as my block of IPs. When you’re ready hit the ‘Yes, Create’ button.23
    3. You’ll be taken back to the ‘Your VPCs’ page where there will be a new element based on what you just created.4
  2. Allocate a subnet (if you have not already done so – for a new VPC)
    1. On the left hand side of the VPC Service screen there is a menu bar. Under the ‘Virtual Private Cloud’ header there is an option for ‘Subnets’. Select the ‘Subnets’ option.5
    2. On the  configuration screen select the ‘Create subnet’ button.7
    3. On the following ‘Create subnet’ screen, provide a descriptive name, select the VPC we just made, and provide a subset of the total space allocated for the the VPC. In the case of the VPC we made above we’ll use the whole space since we only allocated a /24 (Typically you’ll have multiple subnets in a production VPC). Click the ‘Create’ button when ready.8
    4. You’ll be brought back to the Subnets configuration screen when this is complete.
  3. Configure the VPN connection on AWS’s side
    1. On the left hand bar within the VPC service screen there is a heading entitled VPN Connection. Within this area select the ‘Customer Gateways’ option.9.png
    2. Assign the Customer Gateway a name, keep the Routing as Dynamic and in IP address slot place the IP address of your Meraki device. Select ‘Create Customer Gateway’ when ready.10
      1. To find your Meraki devices IP address open the Meraki dashboard and select ‘Security appliance’ -> ‘Appliance Status’. In this photo the number hidden with the blue box is the public IP of the Meraki device.11 12
    3. On the left hand bar within the Customer Gateways service screen there is a heading entitled VPN Connections. Within this area select the ‘Virtual Private Gateway’ option.
    4. Select the button entitled ‘Create Virtual Private Gateway’.15
    5. In the configuration screen choose a name and leave the ASN as ‘Amazon default ASN’ (unless you have specific a BGP configuration). Select the ‘Create Virtual Private Gateway’ button. When complete you should be moved back to the Virtual Private Gateway Configuration Screen with a new element list.16
    6. Select the checkbox next to the new element and find the ‘Action’ button at the top. Click it and select ‘Attach to VPC’.17
    7. You’ll be brought to a new screen. Select the VPC you created (or would like this VPN to be connected to from the dropdown. Then select the ‘Yes, Attach’ button. You’ll be taken back to the Virtual Private Gateway configuration screen.17a
    8. On the left hand bar within the Virtual Private Gateway service screen there is a heading entitled VPN Connection. Within this area select the ‘VPN Connections’ option.18.png
    9. Select the button entitled ‘Create VPN Connection’.19.png
    10. In the Create VPN Connection window select a Name, the VPN Gateway we just created from the list, the existing customer gateway ID of the Virtual Private Gateway we just configured, and specify ‘static’ as the routing option. For Static IP Prefixes put the internal subnet used by your Meraki Device. Leave the rest blank and when finished select the ‘Create VPN Connection’ button.
      1. You can find this subnet on the Meraki Dashboard under ‘Security Appliance’ -> ‘Addresses & VLANs’ in the ‘Routing’ section.20
    11. Once this is created it will be in a ‘pending’ state for a bit while Amazon allocates it. After a few minutes it should switch to an ‘available’ state. Once it reaches that state, select the checkbox next to the newly created resource and select the ‘Download Configuration’ button. Save this file for the next step.211
    12. On the left hand bar within the VPN Connections service screen there is a heading entitled ‘Virtual Private Cloud’. Within this area select the ‘Route Tables option. Select the checkbox next to the route table associated with the VPC you’ve created.23
    13. On the lower pane a configuration menu will appear. Select the ‘Route Propagation’ tab and select the ‘Edit’ button. Then check the ‘Propagate’ checkbox next to the Virtual Private Gateway listed.24
  4. Configure the VPN connection on Meraki’s side
    1. In your Meraki Dashboard navigate to site-to-site VPN options under ‘Security appliance’->’Site-to-site VPN’.25
    2. Under ‘type’, select ‘Hub (Mesh)’26
    3. Under the ‘VPN settings’ subheader find the network(s) that you’d like to enable the site-to-site routing for and select ‘yes’ under the ‘Use VPN’ column.27
    4. Leave NAT traversal as automatic.
    5. Leave OSPF advertisements disabled.
    6. Under the Organization-wide settings subheader find ‘Non-Meraki VPN peers’. Select the ‘Add a peer’ link.
    7. Fill out the new peer link information based on the downloaded file.
      1. First give the connection a descriptive name.
      2. Then, using the information from the downloaded file, find the ‘Outside IP Address’ of the ‘Virtual Private Gateway’. Place this value in the Public IP field.30
      3. For private subnets put the subnet address you allocated back in step 2. In my example case i put down
      4. Under IPsec policies, click ‘default’. This will open a new configuration menu. At the top select from the ‘Choose a Preset’ dropdown – ‘AWS’. Hit ‘Update’ when this is complete.
      5. Find the ‘Pre-Shared Key’ row within the downloaded file and copy the Pre-Shared key into the Meraki configuration area.31
    8. Save your Changes28
  5. Note: while making a request to a host on the other side of the Site-to-Site VPN, it will take a few attempts for the request to complete while the tunnel is initialized. The more traffic sent across the tunnel the less likely this lag is to occur as the tunnel will stay up. This often leads to people writing quick ping scripts that send a ping every couple seconds to keep the tunnel up.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s