We keep finding ways to simplify our customers’ network infrastructures, and our engineers have really outdone themselves on the Meraki Auto VPN solution. In a nutshell, a VPN authenticates its peers and establishes trust between them so that data can be shared securely over an untrusted network. That being said, not all VPNs are created equal. I’d like to point out a few highlights of what makes the Meraki Auto VPN solution extra special when compared with a traditional VPN implementation.
Meraki’s Auto VPN operates like a regular IPsec VPN, but with one major difference: every MX in the VPN also communicates with the Meraki cloud platform, which lets the sites coordinate and establish tunnels far more easily. The cloud platform already knows everything it needs about each network: private IP addresses, local subnets, WAN IP addresses, and so on. With the Meraki cloud playing middleman, the initial VPN setup is greatly simplified. One consequence worth keeping in mind is that the dashboard account that manages these networks is now part of the VPN’s trust boundary, since it is the source of the peer information every tunnel is built from, so it deserves the same protection as the VPN itself.
Auto VPN Setup
To set up site-to-site VPN, simply choose between split tunnel and full tunnel. Split tunnel sends only traffic bound for subnets advertised by VPN peers over the VPN; everything else, including Internet traffic, goes directly out the local WAN uplink to its destination.
If you want all traffic, including Internet traffic, to traverse the VPN, select full tunnel. For a full tunnel you choose which firewall acts as the “full tunnel concentrator”, that is, the site the other sites send their default route to. In the example below, the MX at headquarters is the concentrator, so all traffic from the other sites passes through the HQ site before heading to its final destination.
Your local subnets are imported automatically, and you choose which of them to advertise across the VPN tunnel; a subnet you leave out stays reachable only locally. That’s pretty much it. So what’s next once the VPN is up and running?
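To make the split/full-tunnel decision concrete, here is a small forwarding model, added as an illustration and not Meraki code. The site names, subnets and addresses are constructed, and longest-prefix matching over the peers’ advertised subnets is an assumption about how overlapping routes would be resolved. It also includes the check a practitioner usually wants: in split-tunnel mode, a private destination that no peer advertises is not “intranet traffic” as far as the VPN is concerned, and it leaves the site unencrypted.

```python
"""Forwarding decision for split vs. full tunnel (added example, not Meraki code).

Site names, subnets and addresses are constructed; longest-prefix matching over
advertised peer subnets is an assumption about how overlapping routes resolve.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed topology. "local" is everything the site has on its LAN;
# "advertised" is the subset the admin ticked to share over the VPN.
SITES: Dict[str, Dict[str, List[str]]] = {
    "hq": {"local": ["10.1.0.0/16"], "advertised": ["10.1.0.0/16"]},
    "branch": {
        "local": ["10.2.0.0/24", "192.168.50.0/24"],  # second subnet not shared
        "advertised": ["10.2.0.0/24"],
    },
}


def _longest_match(ip: ipaddress.IPv4Address, nets: List[str]):
    """Return the most specific network in `nets` containing `ip`, or None."""
    best = None
    for text in nets:
        net = ipaddress.ip_network(text)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def next_hop(dst: str, site: str, mode: str, concentrator: Optional[str] = None) -> str:
    """Where a packet for `dst` leaves `site`.

    Returns 'local' (stays on the LAN), 'vpn:<peer>' (over the tunnel to that
    peer) or 'wan' (straight out the Internet uplink, unencrypted).
    `mode` is 'split' or 'full'; full tunnel requires a concentrator site.
    """
    ip = ipaddress.ip_address(dst)
    if _longest_match(ip, SITES[site]["local"]):
        return "local"

    # Traffic for any peer's advertised subnet always rides the VPN.
    best_peer, best_net = None, None
    for peer, cfg in SITES.items():
        if peer == site:
            continue
        net = _longest_match(ip, cfg["advertised"])
        if net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_peer, best_net = peer, net
    if best_peer:
        return f"vpn:{best_peer}"

    if mode == "split":
        return "wan"
    if mode == "full":
        if concentrator is None:
            raise ValueError("full tunnel needs a concentrator site")
        # The concentrator is the Internet exit; every other site sends its
        # default route to it over the tunnel.
        return "wan" if site == concentrator else f"vpn:{concentrator}"
    raise ValueError(f"unknown mode {mode!r}")


def unadvertised_subnets(site: str) -> List[str]:
    """Local subnets at `site` that peers cannot reach over the VPN."""
    return sorted(set(SITES[site]["local"]) - set(SITES[site]["advertised"]))


def leaks_private_to_wan(dst: str, site: str, mode: str,
                         concentrator: Optional[str] = None) -> bool:
    """True when a private (RFC 1918) destination would leave unencrypted.

    A private address no peer advertises falls to the default route; in
    split-tunnel mode (or at the concentrator) that is the WAN, in the clear.
    """
    ip = ipaddress.ip_address(dst)
    return ip.is_private and next_hop(dst, site, mode, concentrator) == "wan"


if __name__ == "__main__":
    print(next_hop("10.1.5.9", "branch", "split"))              # vpn:hq
    print(next_hop("8.8.8.8", "branch", "split"))               # wan
    print(next_hop("8.8.8.8", "branch", "full", "hq"))          # vpn:hq
    print(unadvertised_subnets("branch"))                       # ['192.168.50.0/24']
    print(leaks_private_to_wan("192.168.50.3", "hq", "split"))  # True
```

Run `unadvertised_subnets` and `leaks_private_to_wan` against your real subnet list after enabling the VPN: the branch’s 192.168.50.0/24 above is the typical mistake, a subnet that exists but was never ticked for advertisement, so HQ traffic for it silently exits the WAN instead of the tunnel.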
Self-healing Auto VPN
A number of events that would normally force a network admin to reconfigure the VPN are handled by Auto VPN on its own. A change in a site’s public IP address would put a conventional VPN into a tailspin: if a WAN interruption causes the site to fail over to a secondary connection or a 3G or 4G link, the new uplink has its own public IP address, the peers are still pointed at the old one, and the tunnel breaks. With Auto VPN, the change of address is communicated to all VPN peers through the cloud, and the tunnels are re-established automatically.
A change to your local subnets, or the rotation of the encryption keys, would likewise normally require an admin’s intervention: in a traditional VPN both sides must match, so a change at one end means redoing the configuration at the other. Auto VPN avoids these interruptions by keeping each side up to date on its neighbor’s status; with the Meraki cloud helping out, both sides are updated automatically whenever something changes.
Something unique to Meraki Auto VPN is that it is a mesh by default. When you add a site, a site-to-site tunnel is created between that peer and every other site; you don’t need to go back and configure a route to the new peer on each of the existing peers. Below, we can check out the remote VPN participants on the Meraki Corp network, which are imported automatically when we turn on VPN.
This type of configuration has a few advantages. It is highly resilient, because the remaining peers can still communicate with each other if the main site goes down. A mesh also reduces latency for sensitive applications like VoIP, because each spoke talks to the other spokes directly instead of hairpinning through a hub.
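The self-healing behaviour and the default mesh described in the last two sections both come from the same mechanism: every appliance reports its state to the cloud, and the cloud pushes the whole peer registry to everyone. The toy model below, an added example that is not Meraki code, shows that mechanism end to end: a WAN failover and a key rotation at one site, and a third site joining, each propagate to every peer without anyone touching the other sites. The names, addresses, the `key_gen` counter and the broker API are assumptions made for illustration; real Auto VPN exchanges IPsec parameters, not this simplified record.

```python
"""Cloud-brokered peer coordination, as a toy model (added example, not Meraki code).

Each MX registers its WAN address, advertised subnets and current key
generation with a central broker; the broker pushes every change to every
enrolled peer, and each peer rebuilds its tunnel table from the push.
Names, addresses, the key_gen counter and the broker API are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SiteState:
    wan_ip: str
    subnets: List[str]
    key_gen: int = 1  # incremented on every key rotation


class MX:
    """One appliance: it learns about peers only from what the broker pushes."""

    def __init__(self, name: str, wan_ip: str, subnets: List[str]):
        self.name = name
        self.state = SiteState(wan_ip, list(subnets))
        self.tunnels: Dict[str, Tuple[str, int]] = {}  # peer -> (wan_ip, key_gen)
        self.routes: Dict[str, str] = {}  # remote subnet -> peer

    def on_registry_push(self, registry: Dict[str, SiteState]) -> None:
        peers = {n: s for n, s in registry.items() if n != self.name}
        self.tunnels = {n: (s.wan_ip, s.key_gen) for n, s in peers.items()}
        self.routes = {sub: n for n, s in peers.items() for sub in s.subnets}


class Broker:
    """Stands in for the cloud: single source of truth, fan-out on every change."""

    def __init__(self) -> None:
        self.registry: Dict[str, SiteState] = {}
        self.sites: Dict[str, MX] = {}

    def enroll(self, mx: MX) -> None:
        self.sites[mx.name] = mx
        self.registry[mx.name] = mx.state  # shared object: the MX's own view
        self._push()

    def update(self, name: str, **changes) -> None:
        """A site reports a change (new WAN IP, new subnets, key rotation)."""
        for key, value in changes.items():
            setattr(self.registry[name], key, value)
        self._push()

    def _push(self) -> None:
        for mx in self.sites.values():
            mx.on_registry_push(self.registry)


def build_mesh(specs: List[Tuple[str, str, List[str]]]) -> Broker:
    broker = Broker()
    for name, wan_ip, subnets in specs:
        broker.enroll(MX(name, wan_ip, subnets))
    return broker


def mesh_is_full(broker: Broker) -> bool:
    """Every site holds a tunnel to every other site (n-1 tunnels each)."""
    n = len(broker.sites)
    return all(len(mx.tunnels) == n - 1 for mx in broker.sites.values())


def stale_peers(broker: Broker) -> List[Tuple[str, str]]:
    """(site, peer) pairs whose cached endpoint or key generation no longer
    matches the registry: the 'both sides must match' check."""
    bad = []
    for site, mx in broker.sites.items():
        for peer, (ip, gen) in mx.tunnels.items():
            truth = broker.registry[peer]
            if (ip, gen) != (truth.wan_ip, truth.key_gen):
                bad.append((site, peer))
    return bad


def failover(broker: Broker, name: str, new_wan_ip: str) -> str:
    """Site `name` fails over to a new uplink; return the endpoint one of
    the other sites now has for it."""
    broker.update(name, wan_ip=new_wan_ip)
    other = next(n for n in broker.sites if n != name)
    return broker.sites[other].tunnels[name][0]


def rotate_key(broker: Broker, name: str) -> int:
    broker.update(name, key_gen=broker.registry[name].key_gen + 1)
    return broker.registry[name].key_gen


if __name__ == "__main__":
    b = build_mesh([("hq", "198.51.100.10", ["10.1.0.0/16"]),
                    ("branch", "203.0.113.5", ["10.2.0.0/24"])])
    b.enroll(MX("warehouse", "192.0.2.9", ["10.3.0.0/24"]))  # third site joins
    print(mesh_is_full(b), stale_peers(b))        # True []
    print(failover(b, "branch", "203.0.113.77"))  # 203.0.113.77
    print(rotate_key(b, "hq"), stale_peers(b))    # 2 []
```

The point of `stale_peers` is that it is empty after every change: with a broker in the loop, a peer’s view of its neighbour can only ever be one push behind the registry, which is exactly what a pair of manually configured IPsec gateways cannot guarantee.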
We hope you like these Auto VPN features as much as we do, and we look forward to hearing your feedback when you try them on your own network. Check out how a couple of our customers (Vector Media and Essex Property Trust) are already using the Meraki MX for VPN.