Skip to main content

Search

Cloudi-Fi Knowledge Base

Cisco Meraki MX: routing tunnels deployment

Alexandre de THOMASSON
  • Updated

This article will guide you through configuring a captive portal using a VPN tunnel to Cloudi-Fi, ensuring a seamless and secure network connection.

 

Prerequisites

Before diving into the configuration process, ensure you have the following:

  1. Access to the Meraki management console.
  2. Access to the Cloudi-Fi management console. 
  3. Basic understanding of networking concepts and VPN configurations

 

Get VPN parameters information from the Cloudi-Fi interface

You will need the VPN information (VPN Key, VPN Secret and endpoints) to set up.

  1. Access your Cloudi-Fi admin console
  2. Navigate to the "Locations" section
  3. Next, select your location and "Edit Location". 

Cloudi-Fi admin console - Get VPN credentials


1. Select the network to forward in the IPSec tunnel

  1. Access the Meraki MX management console.
  2. Locate and select "Security & SD-WAN" from the left-hand menu.
  3. Next, "Site-to-site VPN" section

Choose which Meraki network will be forwarded in the IPSec tunnel :

    1. You can create Site-to-site VPN tunnels between the MX appliance and Cloudi-Fi VPN endpoint under the Non-Meraki VPN peers section in the Security Appliance Configure Site-to-site VPN page.

Meraki MX - Select subnets for VPN

 

2. Configure Site-to-Site VPN

  1. Under the "Site-to-site VPN" section, click on "Non-Meraki VPN peers" and then click the "Add a peer" button.
  2. Enter the Cloudi-Fi-provided information into the respective fields:
    1. A name for your VPN tunnel.
    2. The public IP address of the peer IP
    3. The hub should be configured as a default route for the Spoke (option to select). E.g. 0.0.0.0/0 should be specified as a default route to this peer.
    4. The pre-shared secret key (PSK)
    5. IPsec policies: use the Custom policy option to configure the IPsec policy manually to match the Zscaler Supported Parameters. 

If you have a dynamic public IP, you must contact Meraki support to activate a feature allowing you to use an FQDN as a VPN identifier.
Once the feature is activated, you will have a new field named "User FQDN" for the VPN configuration:

Meraki VPN configuration for Cloudi-Fi.png

 

Troubleshooting

If you encounter any issues during the configuration process or experience connectivity problems after setting up the VPN tunnel, consider the following troubleshooting steps:

  1. Verify that the IPsec PSK and other parameters are correctly entered into the Meraki MX configuration.
  2. Check for any misconfigurations in the traffic selector settings.
  3. Review logs and event messages on both Meraki MX for any error indications.
  4. Additional troubleshooting from the Meraki documentation here

What's next?

All MX-Z devices in your organization can use a non-Meraki peer setup. However, because you may want only some devices to build tunnels with a non-Meraki peer, the Availability column allows you to decide which equipment within your organization will connect to each peer. 

When "All networks" is selected as a peer, all MX-Z appliances in the organization will connect to that peer. When a specific network tag or collection of tags is selected, only networks that have one or more of the given tags will create connections with that peer.