Auto VPN is a proprietary technology developed by Meraki that allows you to quickly and easily build VPN tunnels between Meraki MX devices at separate branches of your network with just a few clicks. Auto VPN performs work typically required for manual VPN configurations with a cloud-based process. This article demonstrates how the Auto VPN mechanism works.
1. Definition:
- VPN Registry: This is the main server that allows Auto VPN implementation. It is a cloud service used to track contact information of all MX devices participating in Auto VPN for an organization.
- Hubs: Hubs are devices in the VPN topology that serve connections from a remote peer site (such as a spoke) to the hub and from the hub to the remote peer site. The hub also acts as a gateway for remote peer sites to communicate with each other through the hub.
- Peer: This refers to another MX device in the same organization with which the local MX will form, or has already formed, a VPN tunnel.
- Contact: This is the public IP address and UDP port on which an MX communicates with its peers.
2. How Auto VPN works:
– MX1 and MX2 are in the same organization, and both are configured to participate in Auto VPN. Each sends a Register Request message to the VPN registry to share its own contact information and to obtain the contact information of the MX peers with which it will form VPN tunnels. The Register Request message contains the device's public IP address and UDP port.
– The VPN registry replies with Register Response messages that give each MX the contact information of the peers it will set up tunnels with.
– Once the peer information has been shared, a VPN tunnel is formed directly from MX to MX. The Meraki cloud already knows the subnet information of each MX, and the contact IP is used to build the tunnel. The cloud pushes a key to the MXs to set up AES-encrypted IPsec, and the local subnets are advertised over the VPN. During this process, VPN routes are pushed from the dashboard to the MXs. Finally, the dashboard pushes VPN peer information (subnets and tunnel IPs) to each MX, which stores it in a separate routing table.
– Ports used to communicate with the VPN registry:
  - Source: UDP port range 32768-61000
  - Destination: UDP port 9350 or UDP port 9351
– Ports used for the IPsec tunnel:
  - Source: UDP port range 32768-61000
  - Destination: UDP port range 32768-61000
– VPN connections can be monitored under Security & SD-WAN > Monitor > VPN Status. The status of each MX is displayed along with its subnets, latency, connectivity and the routing being performed in the Auto VPN domain.
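As an added example (not from the article or from Meraki), the following Python sorts UDP flow records seen at a firewall upstream of an MX into the traffic classes implied by the ports listed above. The flow records, the peer contact and the registry addresses in 192.0.2.0/24 are constructed placeholders. The point for a practitioner is the caveat it encodes: the 32768-61000 range is shared with ordinary ephemeral traffic, so a port match alone is weak evidence, and a flow with the right port shape but a destination that is not one of the MX's known peer contacts (the public IP and UDP port pairs shown under VPN Status) should be reviewed rather than waved through.

```python
"""Sort UDP flows from an upstream firewall into Auto VPN traffic classes.
Added example: the flows, peer contact and registry addresses below are
constructed, not captured from a real deployment."""
from collections import Counter
from dataclasses import dataclass

MX_PORT_RANGE = range(32768, 61001)   # 32768-61000 inclusive (article: source for registry and IPsec)
REGISTRY_PORTS = {9350, 9351}         # VPN registry destination ports (article)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


def classify(flow, peer_contacts):
    """Classify one flow. peer_contacts is the set of (public_ip, udp_port)
    pairs the dashboard lists as this MX's Auto VPN peer contacts.
    Returns 'registry', 'ipsec-peer', 'unmatched-ephemeral' (Auto VPN port
    shape but unknown destination, review it) or 'other'."""
    if flow.proto != "udp" or flow.src_port not in MX_PORT_RANGE:
        return "other"
    if flow.dst_port in REGISTRY_PORTS:
        return "registry"
    if flow.dst_port in MX_PORT_RANGE:
        if (flow.dst_ip, flow.dst_port) in peer_contacts:
            return "ipsec-peer"
        return "unmatched-ephemeral"
    return "other"


def summarize(flows, peer_contacts):
    """Count flows per class, e.g. for a quick sanity check of firewall logs."""
    return dict(Counter(classify(f, peer_contacts) for f in flows))


def unmatched(flows, peer_contacts):
    """Flows that look like Auto VPN peer traffic but go to no known contact."""
    return [f for f in flows if classify(f, peer_contacts) == "unmatched-ephemeral"]


# Constructed sample: MX1 on 203.0.113.10, known peer MX2 contact 198.51.100.20:40001,
# registry placeholders in 192.0.2.0/24 (the article gives no registry addresses).
SAMPLE_PEERS = {("198.51.100.20", 40001)}
SAMPLE_FLOWS = [
    Flow("203.0.113.10", 40512, "192.0.2.5", 9350),         # Register Request
    Flow("203.0.113.10", 40512, "192.0.2.6", 9351),         # registry, alternate port
    Flow("203.0.113.10", 40001, "198.51.100.20", 40001),    # IPsec to a known peer contact
    Flow("203.0.113.10", 45000, "198.51.100.99", 50000),    # right port shape, unknown destination
    Flow("203.0.113.10", 53210, "192.0.2.53", 53),          # ordinary DNS, not Auto VPN
    Flow("203.0.113.10", 40512, "192.0.2.5", 9350, "tcp"),  # wrong protocol for the registry
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS, SAMPLE_PEERS))
    for f in unmatched(SAMPLE_FLOWS, SAMPLE_PEERS):
        print("review:", f)
```

Feeding real firewall records into `Flow` and the current peer contact list into `classify` turns this into a simple allow-list check: everything in `unmatched` is traffic that an overly broad "allow UDP 32768-61000 both ways" rule would have let through without the MX ever having been told about that peer.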
3. Configure Auto VPN:
– To enable site-to-site VPN between MX security appliances, log in to the Meraki dashboard, go to Security & SD-WAN > Configure > Site-to-Site VPN, choose Hub or Spoke and save. That is all it takes to enable the VPN connection; Auto VPN handles all the settings and connection setup.
– If an MX is configured as a Hub, it builds VPN tunnels to all other MX Hubs in the Auto VPN domain (the same dashboard organization). It also builds VPN tunnels to all Spoke MXs in the Auto VPN domain that have this MX configured as a Hub. If all MXs in the Auto VPN domain are configured as Hubs, the Auto VPN topology is a full mesh.
– If an MX is configured as a Spoke, it only builds tunnels to the MXs configured as its Hubs. If the majority of MXs in an Auto VPN domain are configured as Spokes and a few key locations (such as data centers or headquarters) are configured as Hubs, the Auto VPN environment has a hub-and-spoke topology.
– By default, an MX in an Auto VPN domain (the same dashboard organization) only sends traffic to an Auto VPN peer if the traffic is destined for a subnet contained in the Auto VPN domain. This is called ‘split-tunneling’: VPN-subnet-bound traffic is sent over the VPN and all other traffic is routed normally over the MX's primary WAN path. If an organization wants to route all traffic (including traffic not destined for the Auto VPN domain) through a specific Hub, this is called ‘full-tunneling’.
– Note that full-tunneling only affects client data; all Meraki management traffic still goes out directly over the primary WAN.
– To configure full-tunneling in a full mesh topology, define one Exit hub among the MXs in the Auto VPN domain.
– To configure full-tunneling in a hub-and-spoke topology, set up a ‘Default route’ with one or more Hubs.
– Select the subnets (local networks) to be advertised via VPN. To do this, set the desired subnet to Yes under Use VPN and set No for subnets that should not be advertised.
– Finally, save the changes.
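As an added example (not from the article or from Meraki), the following Python models the tunnel and forwarding rules described in this section: hubs tunnel to every other hub, spokes only to their configured hubs, spoke-to-spoke traffic relays through a shared hub, split-tunneling is the default, and full-tunneling sends non-VPN traffic to the configured Exit hub or Default route hub while management traffic stays on the WAN. The organization (HQ, DC, BranchA, BranchB), its subnets and the data model (`role`, `hubs`, `full_tunnel_hub`) are constructed assumptions for the illustration, not the dashboard's own schema. Its practical use is to compute the set of tunnels that should appear under VPN Status for a given configuration and to check where a given destination will be forwarded before changing a hub setting.

```python
"""Model of Auto VPN tunnel formation and split/full tunnel forwarding.
Added example: MX names, subnets and the MX data model below are constructed
assumptions, not the dashboard's own configuration schema."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class MX:
    name: str
    role: str                                   # "hub" or "spoke"
    vpn_subnets: List[str] = field(default_factory=list)  # local subnets with Use VPN = Yes
    hubs: List[str] = field(default_factory=list)         # spokes only: the Hubs they tunnel to
    full_tunnel_hub: Optional[str] = None       # Exit hub (full mesh) or Default route hub (hub-and-spoke)


def expected_tunnels(devices):
    """Set of MX pairs that should appear as connected under VPN Status.
    Hubs tunnel to every other hub; spokes tunnel only to their configured hubs."""
    by_name = {d.name: d for d in devices}
    tunnels = set()
    hubs = [d.name for d in devices if d.role == "hub"]
    for i, a in enumerate(hubs):
        for b in hubs[i + 1:]:
            tunnels.add(frozenset((a, b)))
    for d in devices:
        if d.role == "spoke":
            for h in d.hubs:
                if by_name[h].role != "hub":
                    raise ValueError(f"{d.name}: {h} is configured as a hub but is a spoke")
                tunnels.add(frozenset((d.name, h)))
    return tunnels


def is_full_mesh(devices):
    """Full mesh when every MX in the Auto VPN domain is a Hub."""
    return all(d.role == "hub" for d in devices)


def next_hop(local, devices, dst_ip, management=False):
    """Where the local MX forwards a packet to dst_ip: 'local', 'wan',
    'vpn:<direct peer>' or 'unreachable'. Management traffic always uses the WAN."""
    if management:
        return "wan"
    dst = ip_address(dst_ip)
    if any(dst in ip_network(s) for s in local.vpn_subnets):
        return "local"
    tunnels = expected_tunnels(devices)
    neighbours = sorted(p for t in tunnels if local.name in t for p in t if p != local.name)
    owner = next((d for d in devices if d is not local
                  and any(dst in ip_network(s) for s in d.vpn_subnets)), None)
    if owner is not None:
        if owner.name in neighbours:
            return f"vpn:{owner.name}"
        # No direct tunnel (e.g. spoke to spoke): relay via a hub that reaches the owner.
        for h in neighbours:
            if frozenset((h, owner.name)) in tunnels:
                return f"vpn:{h}"
        return "unreachable"
    if local.full_tunnel_hub is not None:     # full-tunneling: everything else to the hub
        return f"vpn:{local.full_tunnel_hub}"
    return "wan"                               # split-tunneling default


def device(devices, name):
    return next(d for d in devices if d.name == name)


def sample_org():
    """Constructed hub-and-spoke organization used for the checks below."""
    return [
        MX("HQ", "hub", ["10.0.0.0/24"]),
        MX("DC", "hub", ["10.1.0.0/24"]),
        MX("BranchA", "spoke", ["10.10.0.0/24"], hubs=["HQ"]),
        MX("BranchB", "spoke", ["10.20.0.0/24"], hubs=["HQ", "DC"], full_tunnel_hub="HQ"),
    ]


if __name__ == "__main__":
    org = sample_org()
    for t in sorted(sorted(p) for p in expected_tunnels(org)):
        print("tunnel:", " <-> ".join(t))
    for name, ip in [("BranchA", "10.1.0.5"), ("BranchA", "8.8.8.8"), ("BranchB", "8.8.8.8")]:
        print(name, "->", ip, ":", next_hop(device(org, name), org, ip))
```

In the sample, BranchA has no tunnel to DC or BranchB, so traffic for their subnets is relayed through HQ; only BranchB has a Default route hub, so only its Internet-bound client traffic leaves over the VPN, while BranchA's stays on its WAN.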
!!! Thank you for following the article!!!