Setting up site-to-site on Cisco Meraki

Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. What is more, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.


This article describes how to configure a site-to-site connection between NordLayer dedicated server and Cisco Meraki device using the management interface. You must replace the example values in the procedures with the values that are provided in the configuration file. 


Adding a new VPN site

1. Go to the Non-Meraki VPN peers section in Security Appliance > Configure > Site-to-site VPN page

2. Select Add a peer and enter the following information:

  • A name for the remote device or VPN tunnel: NordLayer
  • The public IP address of the remote device: Public IP Address of your NordLayer dedicated server
  • The subnets behind the third-party device that you wish to connect to over the VPN:
  • The IPsec policy to use: Select Custom and enter the following information:

Phase 1:

  • Encryption: Select AES-256 encryption
  • Authentication: Select SHA1 authentication
  • Diffie-Hellman group: Select between Diffie-Hellman (DH) groups 5
  • Lifetime (seconds): 3600

Phase 2:

  • Encryption: Select AES-256 encryption
  • Authentication: Select SHA1 authentication
  • PFS group: Select group 5 to enable PFS using that Diffie Hellman group.
  • Lifetime (seconds): 28800
  • The pre-shared secret key (PSK): Enter the PSK you generated (we will also need this value on our end)


Editing firewall rules

You can add firewall rules to control what traffic is allowed to pass through the NordLayer tunnel.

These rules will apply to inbound and/or outbound VPN traffic from all MX appliances in the Organization that participate in site-to-site VPN.

To create a firewall rule, select Add a rule in the Site-to-site firewall section on the Security Appliance > Configure > Site-to-site VPN page. These rules are configured in the same manner as the Layer 3 firewall rules.

You can add firewall rules to allow traffic from the NordLayer dedicated server subnet ( to your local network or services if you desire.


Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via

In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.

Return to top