Setting up site-to-site on Cisco Meraki
  • 2 Minutes to read

Setting up site-to-site on Cisco Meraki


Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

This article describes how to configure a site-to-site connection between NordLayer dedicated server and Cisco Meraki device using the management interface. You must replace the example values in the procedures with the values that are provided in the configuration file.

Adding a new VPN site

  1. Go to the Non-Meraki VPN peers section in Security Appliance > Configure > Site-to-site VPN page

  2. Select Add a peer and enter the following information:

  • A name for the remote device or VPN tunnel: NordLayer
  • The public IP address of the remote device: Public IP Address of your NordLayer dedicated server
  • The subnets behind the third-party device that you wish to connect to over the VPN: 10.6.0.0/20
  • The IPsec policy to use: Select Custom and enter the following information:

Phase 1:

  • Encryption: Select AES-256 encryption
  • Authentication: Select SHA1 authentication
  • Diffie-Hellman group: Select between Diffie-Hellman (DH) groups 5
  • Lifetime (seconds): 3600

Phase 2:

  • Encryption: Select AES-256 encryption
  • Authentication: Select SHA1 authentication
  • PFS group: Select group 5 to enable PFS using that Diffie Hellman group.
  • Lifetime (seconds): 28800
  • The pre-shared secret key (PSK): Enter the PSK you generated (we will also need this value on our end)

Editing firewall rules

You can add firewall rules to control what traffic is allowed to pass through the NordLayer tunnel.

These rules will apply to inbound and/or outbound VPN traffic from all MX appliances in the Organization that participate in site-to-site VPN.

To create a firewall rule, select Add a rule in the Site-to-site firewall section on the Security Appliance > Configure > Site-to-site VPN page. These rules are configured in the same manner as the Layer 3 firewall rules.

You can add firewall rules to allow traffic from the NordLayer dedicated server subnet (10.6.0.0/20) to your local network or services if you desire.

Ending note:

In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Note: In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.


Was this article helpful?