
A Comprehensive Guide To Your Meraki Site-to-Site VPN Setup

John Ciarlone


Connecting multiple network locations securely is essential for modern operations. For growing organizations, remote offices, and hybrid teams, reliable inter-site communication ensures systems remain synchronized and users stay productive. The Meraki site-to-site VPN provides a simple, cloud-managed method for connecting distributed networks through Cisco’s trusted platform.

This guide explains every step, from preparation and configuration to troubleshooting and long-term maintenance. It is written for IT managers and network admins who manage multi-site Cisco Meraki deployments and want a dependable, well-documented VPN setup.

Your Meraki VPN Pre-Flight Checklist

Before you start clicking through the dashboard, it’s worth slowing down for a few key checks. The right groundwork prevents the majority of setup failures and spares you from hours of troubleshooting later.

Subnet And Address Sanity Checks

Each Meraki site must have a unique internal subnet. Auto VPN advertises every participating subnet to its peers, so if two sites advertise overlapping ranges the MX cannot decide which tunnel a destination belongs to, and traffic is dropped or routed to the wrong site. Review your address plan to confirm no duplication exists between locations, and do it before the first tunnel is built: fixing an overlap later means re-addressing a live site. Defining distinct ranges for every site also simplifies expansion later.
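The address-plan check is easy to script. The following is an added example, not code from the original article or from Cisco Meraki; the site names and prefixes in SAMPLE_PLAN are constructed sample data, and the plan is assumed to be a simple mapping of site name to the subnets that site will advertise into the VPN.

```python
"""Check a multi-site address plan for overlapping subnets before enabling Auto VPN.

Added example, not from the original article or from Cisco Meraki. The site names and
prefixes in SAMPLE_PLAN are constructed sample data, not a real deployment.
"""
import ipaddress
from itertools import combinations

# Constructed address plan: site name -> subnets that site will advertise into the VPN.
SAMPLE_PLAN = {
    "HQ": ["10.10.10.0/24", "10.10.20.0/24"],
    "Warehouse": ["10.10.30.0/24"],
    "Branch-East": ["10.10.20.0/25"],  # deliberately overlaps HQ's 10.10.20.0/24
    "Branch-West": ["192.168.1.0/24"],
}


def malformed_prefixes(plan):
    """Return (site, prefix) pairs that are not clean network addresses, e.g. a host
    address with a mask (10.1.1.5/24) or a typo that does not parse at all."""
    bad = []
    for site, subnets in plan.items():
        for prefix in subnets:
            try:
                ipaddress.ip_network(prefix, strict=True)
            except ValueError:
                bad.append((site, prefix))
    return bad


def find_overlaps(plan):
    """Return (site_a, subnet_a, site_b, subnet_b) for every pair of advertised subnets
    that overlap. Pairs inside one site are reported too, since the MX will refuse
    overlapping VLANs and every peer needs unambiguous routes."""
    entries = []
    for site, subnets in plan.items():
        for prefix in subnets:
            # strict=False normalises 10.1.1.5/24 to 10.1.1.0/24 so the overlap check
            # still runs; malformed_prefixes() is where such entries get flagged.
            entries.append((site, ipaddress.ip_network(prefix, strict=False)))
    overlaps = []
    for (site_a, net_a), (site_b, net_b) in combinations(entries, 2):
        if net_a.overlaps(net_b):
            overlaps.append((site_a, str(net_a), site_b, str(net_b)))
    return overlaps


if __name__ == "__main__":
    for site, prefix in malformed_prefixes(SAMPLE_PLAN):
        print(f"malformed: {site} {prefix}")
    for site_a, net_a, site_b, net_b in find_overlaps(SAMPLE_PLAN):
        print(f"overlap: {site_a} {net_a} <-> {site_b} {net_b}")
```

Run it against the real plan exported from your IPAM or spreadsheet; a clean run (no malformed entries, no overlaps) is the gate before any network is set to Hub or Spoke.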

Outbound Firewall Rules You Can't Ignore

Before the first tunnel can form, each MX needs outbound reachability to the Meraki cloud (for Auto VPN registration) and to its peers.

  • Allow UDP ports 500 and 4500 for IPsec to non-Meraki peers: port 500 carries the IKE key exchange and port 4500 carries NAT traversal (UDP-encapsulated ESP) whenever either side sits behind NAT.

  • Permit Meraki management and Auto VPN traffic: the destination addresses and UDP ports change over time, so take the current list from Help > Firewall info in your own dashboard rather than from a static document, and confirm your upstream firewall allows it.

If these ports are blocked, the dashboard still lets you save the configuration, but the tunnels never come up and the VPN status stays grey.

License And Firmware Status

All MX appliances involved must have valid licenses and current firmware. Outdated software or expired licenses can disrupt Auto VPN negotiation. Check Organization > License Info to confirm compliance and update firmware before deployment. Starting with consistent firmware versions across all sites keeps your VPN stable from day one and rules out version-specific behaviour when troubleshooting.

How To Build Your Meraki VPN Hub

Most organizations use a hub and spoke topology. The hub acts as a central point, such as a headquarters or data center, where spoke sites connect.

Enable VPN and Define the Hub

In the Meraki dashboard, open Security & SD-WAN > Site-to-Site VPN.

  1. Set VPN type to Hub.

  2. Choose “Participate in VPN” for networks that will share traffic.

  3. Save the configuration.

After saving, Auto VPN builds the encrypted tunnels automatically: hubs form a full mesh with every other hub in the organization, and each spoke tunnels only to the hubs it is assigned. Keys and routes are distributed through the Meraki cloud, so no per-site IPsec parameters are typed by hand.

Configure Local Network Participation

Within the hub’s configuration, choose only the networks that need VPN access. Keeping the scope narrow reduces unnecessary traffic and enhances performance, and it is also a least-privilege control: a guest VLAN or a management network that has no business crossing sites should stay out of the VPN, so it is unreachable from a compromised remote site. Use clear labels such as “Finance VLAN 10.10.20.0/24” or “Warehouse LAN 10.10.30.0/24” to make future audits and troubleshooting straightforward.

Connecting Spokes And Non-Meraki Peers

Once the hub is ready, add spoke locations or third-party peers. Each follows a slightly different setup process.

Onboard Meraki Spokes with Auto VPN:

For remote sites with Meraki MX appliances, setup is simple.

  1. Open each spoke’s Site-to-Site VPN page.

  2. Select Spoke as the VPN type.

  3. Choose your hub from the list.

  4. Pick local subnets to include.

  5. Save and let Auto VPN build tunnels.

The dashboard will display green when the connection is active. Meraki manages encryption keys and routing automatically.
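The hub and spoke steps above can also be applied through the Meraki Dashboard API, which is useful when the same settings must be rolled out to many sites consistently. The following is an added example, not code from the original article or from Cisco; it targets the documented endpoint PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn of the Dashboard API v1. The network IDs (N_HQ, N_WH), the subnets and the API key placeholder are constructed, and it assumes MERAKI_API_KEY is set in the environment before any call is made.

```python
"""Build and push hub/spoke site-to-site VPN settings with the Meraki Dashboard API v1.

Added example, not code from the original article or from Cisco Meraki. Uses the
documented endpoint PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn. Network IDs,
subnets and the API key are constructed/assumed; nothing is sent unless you call
put_site_to_site_vpn() yourself.
"""
import ipaddress
import json
import os
import urllib.request

BASE_URL = "https://api.meraki.com/api/v1"


def build_site_to_site_vpn(mode, local_subnets, hub_ids=(), use_default_route=False):
    """Return the request body for the siteToSiteVpn endpoint.

    mode: "hub", "spoke" or "none" (none disables the VPN on that network).
    local_subnets: iterable of (cidr, use_vpn) pairs; use_vpn=False keeps the subnet
        local and invisible to every peer (guest, management, etc.).
    hub_ids: network IDs of the hubs a spoke connects to, in priority order.
    """
    if mode not in ("none", "hub", "spoke"):
        raise ValueError(f"invalid mode {mode!r}")
    if mode == "spoke" and not hub_ids:
        raise ValueError("a spoke needs at least one hub")
    body = {"mode": mode, "subnets": []}
    for cidr, use_vpn in local_subnets:
        # strict=True rejects host bits (10.1.1.5/24) and typos before they reach the API.
        net = ipaddress.ip_network(cidr, strict=True)
        body["subnets"].append({"localSubnet": str(net), "useVpn": bool(use_vpn)})
    if mode == "spoke":
        body["hubs"] = [{"hubId": h, "useDefaultRoute": use_default_route} for h in hub_ids]
    return body


def put_site_to_site_vpn(network_id, body, api_key=None):
    """PUT the body to the dashboard and return the parsed JSON response.
    This performs a network call and is not exercised by the offline checks."""
    api_key = api_key or os.environ["MERAKI_API_KEY"]
    req = urllib.request.Request(
        f"{BASE_URL}/networks/{network_id}/appliance/vpn/siteToSiteVpn",
        data=json.dumps(body).encode(),
        method="PUT",
        headers={
            "Authorization": f"Bearer {api_key}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed IDs: "N_HQ" is the hub network, "N_WH" the warehouse spoke.
    hub = build_site_to_site_vpn(
        "hub",
        [("10.10.10.0/24", True), ("10.10.20.0/24", True), ("10.10.99.0/24", False)],
    )
    spoke = build_site_to_site_vpn("spoke", [("10.10.30.0/24", True)], hub_ids=["N_HQ"])
    print(json.dumps(hub, indent=2))
    print(json.dumps(spoke, indent=2))
    # put_site_to_site_vpn("N_HQ", hub)
    # put_site_to_site_vpn("N_WH", spoke)
```

Push the hub first, then the spokes, and keep the generated bodies in version control so the list of subnets each site exposes over the VPN is reviewable rather than something that lives only in dashboard click history.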

Manual IPsec Config for a Non-Meraki Peer:

Some locations may use non-Meraki devices. For these, configure a manual IPsec tunnel.

  • Collect parameters first: the peer’s public IP, IKE version (prefer IKEv2 where the peer supports it), pre-shared key, the IKE (phase 1) and IPsec (phase 2) encryption, integrity and Diffie-Hellman/PFS groups, lifetimes, and the private subnets each side will reach. Generate a long random pre-shared key and exchange it out of band, not in the same email as the rest of the parameters.

  • Add a Non-Meraki peer: In Site-to-Site VPN, scroll to the Non-Meraki peers section and enter these values.

  • Match settings exactly: Both sides must use identical encryption parameters or the tunnel will fail.

Once saved, the MX negotiates an IPsec connection with the peer. Monitor the dashboard to confirm the handshake succeeds.

How To Confirm Your Network Tunnel Is Working

Verification ensures that configuration changes work as expected. Meraki offers tools to validate tunnel health and connectivity.

1. Check the VPN Status Page

Go to Security & SD-WAN > Monitor > VPN Status.

  • Check tunnel indicators: Green shows active, grey means disconnected.

  • Inspect latency and loss: Hover over the status to view response time and packet loss.

If a spoke appears grey, it may indicate a subnet overlap, a blocked firewall port, or an uplink that cannot reach the hub’s public address at all.

2. Use Live Tools for Real-Time Verification

The Meraki dashboard includes diagnostic tools for quick testing.

  • Ping from dashboard: Send a ping to a remote IP to confirm reachability.

  • Run a traceroute: Confirm that traffic flows through the VPN path rather than a public internet route.

These checks confirm tunnel function without command-line access or extra tools.

Restoring Connectivity Between Meraki Networks

Even well-built VPNs can experience interruptions. Understanding how to locate the problem shortens downtime and avoids unnecessary resets.

Mismatched IPsec Policies

For non-Meraki peers, IPsec settings must align exactly. A difference in encryption, integrity hash, or Diffie-Hellman group produces a “no proposal chosen” error; a wrong pre-shared key produces an authentication failure; a mismatched lifetime may let the tunnel come up and then drop it at the first rekey. Recheck both sides field by field, including that each side’s local subnets are the other side’s remote subnets, and verify the pre-shared key. Small mismatches are the most common root cause of failed tunnels.
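Rather than eyeballing two vendor screens, write both ends down in one structure and diff them mechanically. The following is an added example, not code from the original article or from Cisco Meraki; the field names are this example’s own vendor-neutral vocabulary (map your MX and peer settings onto them), and the two configurations below are constructed, with the peer side deliberately carrying a wrong phase 2 hash and a different lifetime. It serves both the “match settings exactly” advice in the non-Meraki peer section and the mismatch discussion here.

```python
"""Diff the two ends of a manual IPsec tunnel and report what will break negotiation.

Added example, not code from the original article or from Cisco Meraki. Field names are
vendor-neutral labels chosen for this example; MX_SIDE and PEER_SIDE are constructed.
"""
import hashlib

# Settings that must match exactly or IKE / Child SA negotiation fails outright.
STRICT_FIELDS = ("ike_version", "ike_encryption", "ike_integrity", "ike_dh_group",
                 "esp_encryption", "esp_integrity", "esp_pfs_group")
# Lifetimes are not negotiated in IKEv2; a mismatch tends to surface as a tunnel that
# comes up and then drops at rekey, so it is reported as a warning rather than fatal.
SOFT_FIELDS = ("ike_lifetime", "esp_lifetime")

MX_SIDE = {
    "public_ip": "198.51.100.10", "peer_ip": "203.0.113.20",
    "ike_version": 2, "ike_encryption": "aes256", "ike_integrity": "sha256",
    "ike_dh_group": 14, "ike_lifetime": 28800,
    "esp_encryption": "aes256", "esp_integrity": "sha256", "esp_pfs_group": 14,
    "esp_lifetime": 3600,
    "psk": "example-psk-not-for-production",
    "local_subnets": ["10.10.10.0/24", "10.10.20.0/24"],
    "remote_subnets": ["172.16.50.0/24"],
}
# Constructed third-party peer config: same key, but sha1 for ESP and a longer ESP lifetime.
PEER_SIDE = {
    "public_ip": "203.0.113.20", "peer_ip": "198.51.100.10",
    "ike_version": 2, "ike_encryption": "aes256", "ike_integrity": "sha256",
    "ike_dh_group": 14, "ike_lifetime": 28800,
    "esp_encryption": "aes256", "esp_integrity": "sha1", "esp_pfs_group": 14,
    "esp_lifetime": 28800,
    "psk": "example-psk-not-for-production",
    "local_subnets": ["172.16.50.0/24"],
    "remote_subnets": ["10.10.10.0/24", "10.10.20.0/24"],
}


def psk_fingerprint(psk):
    """Compare keys by a truncated SHA-256 so the secret itself never lands in a ticket."""
    return hashlib.sha256(psk.encode()).hexdigest()[:16]


def compare_peers(local, remote):
    """Return (fatal, warnings): lists of mismatch descriptions between the two ends."""
    fatal, warnings = [], []
    for f in STRICT_FIELDS:
        if local.get(f) != remote.get(f):
            fatal.append(f"{f}: local={local.get(f)!r} remote={remote.get(f)!r}")
    for f in SOFT_FIELDS:
        if local.get(f) != remote.get(f):
            warnings.append(f"{f}: local={local.get(f)!r} remote={remote.get(f)!r} (expect drops at rekey)")
    if psk_fingerprint(local["psk"]) != psk_fingerprint(remote["psk"]):
        fatal.append("pre-shared key differs (fingerprints do not match)")
    # Traffic selectors: what one side calls local, the other must call remote.
    if set(local["local_subnets"]) != set(remote["remote_subnets"]):
        fatal.append("local subnets are not the peer's remote subnets")
    if set(local["remote_subnets"]) != set(remote["local_subnets"]):
        fatal.append("remote subnets are not the peer's local subnets")
    # Each side's public address must be the other side's configured peer address.
    if local["peer_ip"] != remote["public_ip"] or remote["peer_ip"] != local["public_ip"]:
        fatal.append("peer/public IP addresses are not mirrored")
    return fatal, warnings


if __name__ == "__main__":
    fatal, warnings = compare_peers(MX_SIDE, PEER_SIDE)
    for line in fatal:
        print("FATAL  ", line)
    for line in warnings:
        print("WARNING", line)
```

Fill both dicts from the actual configurations (the MX values from the Non-Meraki peers section, the peer values from the other vendor’s running config) and fix every FATAL line before looking anywhere else; a clean run with only lifetime warnings usually means the tunnel will negotiate but needs the lifetimes aligned to stay up.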

The Dreaded "NAT Traversal" Problem

NAT traversal (NAT-T) lets IPsec pass through routers that translate IP addresses by wrapping ESP in UDP on port 4500. If UDP port 4500 is blocked, or an upstream NAT device rewrites the source port or times out the idle UDP mapping, IPsec packets never reach their destination even though IKE on port 500 may have succeeded. If you can, test with the MX on a directly assigned public IP to confirm whether NAT is responsible. If the tunnel works without NAT but fails through it, check the upstream routers for the required VPN exceptions and for short UDP session timeouts.

Analyze the Event Log for Clues

Meraki’s event logs provide a detailed record of VPN activity. Open Network-wide > Monitor > Event log and filter by VPN events. Repeated “no proposal chosen” or authentication failure messages usually pinpoint configuration mismatches. The timestamps also show when tunnels dropped, which helps correlate changes or outages; a tunnel that drops at a fixed interval points at a lifetime or rekey problem rather than a connectivity one.

Maintain And Optimize Your Meraki Site-to-Site VPN

Once your VPN is stable, ongoing maintenance keeps it reliable. Regular updates and monitoring prevent small issues from becoming major outages.

Keep all MX appliances on the current firmware to benefit from performance and security improvements. Configure traffic shaping rules to prioritize essential business traffic, such as voice and collaboration tools. If you use dual WAN links, test failover every few months to verify that Auto VPN responds correctly. 

Review bandwidth usage under Network-wide > Clients to ensure hardware capacity still fits your network load.

Treat your VPN as an active part of your infrastructure. Routine reviews and testing help maintain uptime and consistent performance across every connected location.

Beyond The Setup With Hummingbird Networks

Setting up a Meraki VPN is straightforward once you know the process. Maintaining consistency across multiple sites requires experience and the right hardware choices.

Hummingbird Networks partners with IT managers daily to design, deploy, and support secure Cisco Meraki environments that scale smoothly. Whether your goal is to expand your WAN, improve uptime, or simplify management, we can help you move faster and with fewer complications.

Secure your multi-site network with the right Cisco Meraki hardware and expert guidance from Hummingbird Networks.
