Today we’re going to talk about creating a VPN tunnel between a Meraki MX security appliance and AWS. I’ve realized that a lot of network engineers haven’t had much experience with AWS, so this will be a bit of an AWS primer for them! You can register for a free account and get almost all the features offered in the AWS Free Tier to practice.
This is a quick and easy solution to get a VPN going to your AWS cloud. When you create your VPC with a VPN connection, AWS gives you two tunnel endpoints to peer with. The AWS documentation for VPC states that they may take down either side for maintenance purposes and it’s the customer’s responsibility to make sure both tunnels work. In a world with a Cisco ASA or an ISR this is great for redundancy! In the current Meraki world this isn’t possible. When you try to create a secondary tunnel you will see that a non-Meraki peer cannot be configured with the same subnets on each VPN tunnel. I would think we should be able to assign weights, but not at the time of this post… Anyway, on with the guide!
AWS Configuration
- Create your VPC on AWS. You could go through all the steps manually or just use the VPC Wizard. On the dashboard look under Networking > VPC > click Start VPC Wizard.
- Next we’ll configure our IP block and select our Availability Zone.
- Next we’ll configure our Customer Gateway IP address on AWS, which will be the public IP address assigned to your Meraki MX device. To find this on the Meraki Dashboard go to Security Appliance > Appliance Status. Here’s what the config looks like on the AWS side. ***Please note the IP address I used for the Customer Gateway is just for demonstration purposes. Input the public IP address of your Meraki MX device here!***
- Click Create VPC and let the wizard do its work (this may take a few minutes)!
Meraki Configuration
- The first thing we need to do is obtain some key configuration variables from the AWS console. From the console navigate to Networking > VPC > VPN Connections. Here we want to click the button that says “Download Configuration”, select “Generic” as the Vendor and download. When you open the .txt file, remember that the MX can only use one tunnel, so we will only use what’s under “IPSec Tunnel #1”.
- On the Meraki Dashboard let’s create the VPN tunnel! Go to Security Appliance > Configure > Site-to-Site VPN. On the Mode drop-down select “Split Tunnel (send only site-to-site traffic over VPN)”.
- Now, under Local networks, select the subnet for which you wish to “Use VPN”.
- Next we move on to Non-Meraki VPN peers. We will need to give a Name, Public IP, Private subnets, and Preshared secret. Most of these values come from the .txt file we downloaded from AWS in step 1.
- One of the most important steps here is to click “Default” under IPsec policies and select “AWS” from the Preset menu.
- Here’s my final config in the Meraki Dashboard (make sure you click “Save Changes”):
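The values the Non-Meraki VPN peer needs (Public IP and Preshared secret, plus the phase 1 and phase 2 parameters the AWS preset is meant to match) are scattered through the downloaded .txt file, and several labels repeat with different meanings in different sections. The following parser is an added example and not code from the original post or from Meraki or AWS; it assumes the file follows the layout of the Generic vendor template (a “! IPSec Tunnel #N” header, “! #N: …” sub-section headers and “  - Key : Value” lines). The embedded sample is constructed with documentation-range addresses and placeholder pre-shared keys.

```python
"""Pull the Meraki non-Meraki-peer values out of the AWS "Generic" VPN download.
Added example, not part of the original post. Assumes the Generic template layout."""
import re
from typing import Dict

# Constructed sample: documentation-range IPs, placeholder PSKs, two tunnels.
SAMPLE_CONFIG = """\
! Amazon Web Services
! Your VPN Connection ID : vpn-EXAMPLE
!
! IPSec Tunnel #1
! --------------------------------------
! #1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL1
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
!
! #2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
!
! #3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.21

Inside IP Addresses
  - Customer Gateway        : 169.254.10.2/30
  - Virtual Private Gateway : 169.254.10.1/30
!
! IPSec Tunnel #2
! #1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL2
! #3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.22
"""

TUNNEL_RE = re.compile(r"^!\s*IPSec Tunnel #(\d+)")
SUBSECTION_RE = re.compile(r"^!\s*#\d+:\s*(.+?)\s*$")
IP_BLOCK_RE = re.compile(r"^(Outside|Inside) IP Addresses")
KV_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")


def parse_generic_config(text: str) -> Dict[int, Dict[str, Dict[str, str]]]:
    """Return {tunnel_no: {section: {key: value}}}. Sections are tracked because
    'Authentication Algorithm' and 'Customer Gateway' recur with different
    meanings inside one tunnel (IKE vs IPsec, outside vs inside addresses)."""
    tunnels: Dict[int, Dict[str, Dict[str, str]]] = {}
    tunnel = None
    section = None
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):
            tunnel, section = int(m.group(1)), None
            tunnels[tunnel] = {}
        elif tunnel is None:
            continue                      # preamble before the first tunnel
        elif m := SUBSECTION_RE.match(line):
            section = m.group(1)
        elif m := IP_BLOCK_RE.match(line):
            section = m.group(1) + " IP Addresses"
        elif (m := KV_RE.match(line)) and section:
            tunnels[tunnel].setdefault(section, {})[m.group(1)] = m.group(2)
    return tunnels


def meraki_peer_settings(text: str, tunnel: int = 1) -> Dict[str, str]:
    """Map one tunnel onto the Meraki 'Non-Meraki VPN peer' fields.
    The MX can only use one tunnel for a given remote subnet, so default to #1."""
    t = parse_generic_config(text)[tunnel]
    ike, ipsec = t["Internet Key Exchange Configuration"], t["IPSec Configuration"]
    return {
        "public_ip": t["Outside IP Addresses"]["Virtual Private Gateway"],
        "preshared_secret": ike["Pre-Shared Key"],
        "phase1": f'{ike["Encryption Algorithm"]}/{ike["Authentication Algorithm"]}, {ike["Lifetime"]}',
        "phase2": f'{ipsec["Encryption Algorithm"]}/{ipsec["Authentication Algorithm"]}, {ipsec["Lifetime"]}',
    }


def customer_gateway_matches(text: str, mx_public_ip: str, tunnel: int = 1) -> bool:
    """Catch the mistake called out above: the Customer Gateway in the download
    must be the MX's real public IP, or AWS will never accept the MX as its peer."""
    t = parse_generic_config(text)[tunnel]
    return t["Outside IP Addresses"]["Customer Gateway"] == mx_public_ip


if __name__ == "__main__":
    for key, value in meraki_peer_settings(SAMPLE_CONFIG).items():
        print(f"{key:17}: {value}")
    print("customer gateway ok:", customer_gateway_matches(SAMPLE_CONFIG, "203.0.113.10"))
```

Run it against the real download by replacing SAMPLE_CONFIG with the file contents; the inside 169.254.x.x/30 addresses are parsed too, but they have no place in the Meraki peer form, which is why the guide ignores them.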
EC2 Configuration (test server)
- Now we’re going to create an EC2 instance so we can test using ICMP across our new VPN. Go to the AWS Console and click “EC2”.
- Under Create Instance click “Launch Instance”.
- Select the Amazon Linux AMI or the OS of your choice. This is just for testing purposes, so the choice isn’t important.
- Next let’s keep this as a t2.micro instance to stay in the Free Tier and click “Next: Configure Instance Details”.
- Now we need to make sure our EC2 instance gets put into our new VPC.
- Now click Next until we get to the Security Group step, and add ICMP for testing purposes.
- Now click Review and Launch, then Launch again. We will be prompted to create a new key pair. Only do this step if you want to SSH into your Linux-based EC2 instance for further verification. Make sure you “Download Key Pair” in this step, then click Launch Instance.
- You should then be redirected to the Running Instances section of EC2. Once the EC2 instance launches you should see a private IP listed in the Description.
- You might notice at this point that when you try to ping your EC2 instance it doesn’t work. On two occasions with this setup I found that the VPC wizard missed the route to my local subnet (the VPC route table needs an entry for the on-premises subnet pointing at the Virtual Private Gateway). This is why it’s always important to double-check the configuration even when using a wizard.
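The two AWS-side mistakes that break the ping test in this guide (a route table without a return route to the local subnet, and a security group without an ICMP rule) can be checked mechanically. The following is an added example, not code from the original post or from AWS; it works on dictionaries shaped like the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` print (an assumption about the fields used here), and the embedded samples are constructed: the “missing” variants reproduce the wizard’s omission, the “fixed” variants show the corrected configuration.

```python
"""Verify the AWS side of the tunnel: VPC route table and EC2 security group.
Added example, not part of the original post. Input shapes assume the JSON
layout of `aws ec2 describe-route-tables` / `describe-security-groups`."""
import ipaddress
from typing import Dict, List

LOCAL_SUBNETS = ["10.1.1.0/24"]        # constructed: the "Use VPN" subnet behind the MX

# Constructed sample: only the VPC-local route exists, no return route to the office.
ROUTE_TABLES_MISSING = {"RouteTables": [{
    "RouteTableId": "rtb-EXAMPLE", "VpcId": "vpc-EXAMPLE",
    "Routes": [{"DestinationCidrBlock": "10.10.1.0/24", "GatewayId": "local", "State": "active"}],
    "PropagatingVgws": [],
}]}
# Corrected copy: a static route for the office subnet via the Virtual Private Gateway.
ROUTE_TABLES_FIXED = {"RouteTables": [{
    **ROUTE_TABLES_MISSING["RouteTables"][0],
    "Routes": ROUTE_TABLES_MISSING["RouteTables"][0]["Routes"] + [
        {"DestinationCidrBlock": "10.1.1.0/24", "GatewayId": "vgw-EXAMPLE", "State": "active"}],
}]}

# Constructed sample: SSH from the office is allowed, ICMP is not.
SG_MISSING_ICMP = {"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "10.1.1.0/24"}]},
]}]}
SG_WITH_ICMP = {"SecurityGroups": [{"GroupId": "sg-EXAMPLE", "IpPermissions": [
    SG_MISSING_ICMP["SecurityGroups"][0]["IpPermissions"][0],
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "10.1.1.0/24"}]},
]}]}


def missing_vgw_routes(route_tables: Dict, local_subnets: List[str]) -> List[str]:
    """Return one message per (route table, local subnet) pair that has neither an
    active route via a vgw-* gateway covering the subnet nor VGW route propagation."""
    problems = []
    for rtb in route_tables["RouteTables"]:
        if rtb.get("PropagatingVgws"):
            continue          # propagation enabled: the VPN's static routes are learned automatically
        for subnet in local_subnets:
            want = ipaddress.ip_network(subnet)
            covered = any(
                r.get("GatewayId", "").startswith("vgw-")
                and r.get("State") == "active"
                and "DestinationCidrBlock" in r
                and want.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))
                for r in rtb["Routes"])
            if not covered:
                problems.append(f"{rtb['RouteTableId']}: no VGW route for {subnet}")
    return problems


def icmp_allowed_from(security_groups: Dict, local_subnets: List[str]) -> bool:
    """True if some inbound rule permits ICMP (or all protocols, "-1") from CIDRs
    that together cover every local subnet the ping test will come from."""
    for sg in security_groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] not in ("icmp", "-1"):
                continue
            allowed = [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
            if all(any(ipaddress.ip_network(s).subnet_of(a) for a in allowed) for s in local_subnets):
                return True
    return False


if __name__ == "__main__":
    print("wizard output :", missing_vgw_routes(ROUTE_TABLES_MISSING, LOCAL_SUBNETS) or "routes ok")
    print("after fix     :", missing_vgw_routes(ROUTE_TABLES_FIXED, LOCAL_SUBNETS) or "routes ok")
    print("icmp (before) :", icmp_allowed_from(SG_MISSING_ICMP, LOCAL_SUBNETS))
    print("icmp (after)  :", icmp_allowed_from(SG_WITH_ICMP, LOCAL_SUBNETS))
```

Feeding the real CLI output in (for example via `json.load`) turns the “double-check the wizard” advice into a repeatable test you can run before opening a support case.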
Test & Verify
- Open a terminal window and try to ping the private IP address of your EC2 instance (it will take a few failures for the tunnel to come up).
- Now let’s try to SSH to our EC2 server! Remember the key pair we created earlier called “MerakiAWS”.
- If SSH refuses the key because the private key file is unprotected, that is typical behavior: we need to change the permissions on our key pair with “chmod 400 Downloads/MerakiAWS.pem” (without quotes).
- Ta-da, we’re in!
Now, in case you don’t believe me about configuring a secondary VPN path on the Meraki MX…
Thanks for this post. I’m trying to get this going but I’m having issues. I got the tunnel up but I’m unable to ping (even when adding the static route to the VPN connection). The Mode and Topology on the Meraki isn’t there either. I opened up a case ticket with Meraki but do you have any additional insight to any changes?
Thanks.
For testing purposes you might allow all traffic on your security group for the EC2 instance. It looks like the interface is a tad bit different now and I can confirm I don’t see mode. Do you have any other VPN tunnels on this device?
Ensure you have the remote subnet correct on the Meraki. Also check the route table on your VPC and ensure it’s pointing to your Virtual Private Gateway. Hopefully that helps a little bit!
Excellent post. Thanks!
Hi, did you try to connect a VPN client to the site-to-site network? We have successfully added a site-to-site VPN from our work site to AWS and a client-to-work-site client VPN. Have you connected the 2 so that those with client VPN access can also connect to AWS from home?
I attempted to get this working awhile back and could never reach AWS resources. I believe the transitive peering rule that AWS has comes into play. You might consider looking into using vASA, CSR, or OpenVPN in AWS for all of your VPN connections.
Been trying to get this to work for a few days now. Must be missing some crucial step. I think the article is well written and looks simple enough to follow. Have had some trouble getting the VPC wizard to complete. It hits the last step, then gives some message about not being able to finish, then rolls everything back. So I’ve been trying to set it all up from scratch on the AWS side. It looks like I’ve got everything set up right on the AWS side, and it looks like I just need to add the one line to the Meraki side. I’m wanting to use the scheme 10.1.1.0/24 on my side and the scheme 10.10.1.0/24 on the AWS side. But when I get everything set up and have an EC2 instance running, I can’t ping it. A traceroute can’t seem to get past the MX’s internal address. I noticed in the article that it ignores a lot of information given in the AWS VPN downloaded configuration, such as the inside addresses for the customer gateway and virtual private gateway, and the next hop for static routing. I’m assuming that’s because it is not applicable for the Meraki scenario but have been wondering if I need to do something with that to get this running.
What error does it show when using the wizard? There are a ton of pieces when building a VPC manually so hard to provide much assistance on that…
On the Meraki side you’re just concerned with remote subnet, what you want it to talk to on the Meraki side, the pre-shared key for authentication, and remote public IP address. The Meraki support team are pretty knowledgeable on setting up the VPN though so open a case with them to double check the config if you think something is missing on the Meraki side.
Tried changing the subnet on the AWS side to 192.168.192.0/24, and was able to build a VPC using the wizard that way. Apparently there was some kind of collision happening between the other subnet I was trying to use and the existing, EC2 classic instances I’m running. Still having trouble with the VPN connection though. I’ll take your advice and open a case with Meraki. Thanks.
Hi Mike,
Thanks for this helpful page. I have an issue and I found this page; I hope you can guide me on this:
I want my Meraki’s logs, but since Meraki only gives logs in CSV format, I thought maybe I can save (redirect) Meraki’s logs into EC2 or S3 on AWS, and use them from S3 in a different format for my needs.
But I don’t know how?
If you or anybody on this page could help or advise me, I would really appreciate it.
Currently, there isn’t an event log API available through Meraki so I don’t think S3 would be possible. They do have remote syslog capabilities though. https://documentation.meraki.com/zGeneral_Administration/Monitoring_and_Reporting/Syslog_Server_Overview_and_Configuration
Thanks for the quick response. I already have that article, but the reason is I need the raw logs for other usage. Do you recommend remote logs for that?
Is it possible to connect 2 VPC from different regions through the Meraki?
So I followed your guide and I was able to get my VPN connection to establish between my AWS tenant and my MX60. However, I am unable to ping in either direction. I’m sure I’m missing something silly but I can’t figure it out. I’ve verified that all my internal subnets are listed on my VPC connection. Any ideas?
Do you have ICMP allowed in the security group for your EC2 instance?
I do. I actually have it set up with an open security group currently (allow any any).
Were you ever able to figure out a way to configure a second tunnel using the same subnet in Meraki?
I believe this is still an issue with Non-Meraki VPN peers. You can run a virtual Meraki appliance in AWS now though for the easy Meraki VPN.