Configure Meraki to Azure Site to Site VPN


Lately, I have been playing around a lot with Azure as there is a lot of momentum, development, and enthusiasm around the platform.  Since I run the Meraki MX security device at home, I wanted to play around with the site to site VPN functionality from Meraki to Azure.  Meraki is notoriously easy to setup with most functions and the site to site VPN is pretty straightforward.  However, there were a few little caveats/requirements that I encountered with Azure on the site to site VPN configuration.  These weren’t difficult to overcome and were related more to my lack of experience with setting up Azure networking and the requirements of the virtual networking configuration on the Azure side.  Let’s look at how to Configure Meraki to Azure Site to Site VPN.

Configure Meraki to Azure Site to Site VPN

The configuration of Azure site to site VPN involved configuring:

  • Azure vNet network
  • Configuring an address space – This address space will need to encompass your subnet and your Gateway subnet (we will explain this below).
  • Gateway subnet – This is a dedicated subnet in which the virtual network gateway places the VPN gateway services. When you create a gateway subnet, it must be named ‘GatewaySubnet’. Naming a subnet ‘GatewaySubnet’ tells Azure where to create the gateway services; if you name the subnet anything else, your VPN gateway configuration will fail.  The size of the GatewaySubnet you specify depends on the VPN gateway configuration you want to create. While it is possible to create a GatewaySubnet as small as /29, it is recommended that you create a larger subnet with more addresses, so there are enough IP addresses to accommodate possible future configurations.
  • You have to configure an External IP address for the Azure VPN to use as the WAN address to connect the Meraki site to site VPN.

Configure Azure Address Space and Gateway Subnet

We are going to assume for the purposes of this post, you have already setup an Azure vnet.  However, we need to give attention to the Address space as this was one area that gave me fits at first.  The Address space must contain both the regular subnet AND the Gateway subnet.  In other words, the network space you create is basically a supernet that includes both the subnets you create for subnet and Gateway subnet.  Hopefully the screenshots will help with this.

[Screenshot: Setup Azure vnet Address space]

Notice our Subnets.  As you can see, I have setup a subnet and a Gateway Subnet.  You can only have one Gateway subnet, so you see it greyed out below.

[Screenshot: Azure vnet Subnets and Gateway Subnet for VPN]

To step back though, let’s look at creating the Gateway subnet.  As mentioned in the outset, the name has to be GatewaySubnet for it to work correctly.  Your Address range also must fall in the address space you created earlier.

[Screenshot: Create Azure Gateway Subnet for site to site VPN]

Create Azure Virtual Network gateway for site to site VPN

Now that we have our address space, subnet, and gateway subnet in place, let’s look at actually creating the Azure Virtual Network Gateway.  Hit the green + sign in the Azure portal.  Search for virtual network or similar and you should see the Virtual network gateway listed.

[Screenshot: Search for Azure Virtual Network Gateway in Marketplace]

[Screenshot: Choose to create the Azure Virtual Network Gateway]

Since the Meraki can only use the IKEv1 VPN type, we need to create a Policy-based VPN, which is compatible with the Meraki VPN.  We also need to create a public IP address for the connecting partner.  Choose Create new and we can provision the IP.

[Screenshot: Create the Azure Virtual Network Gateway]

After naming the new public IP resource, we can create it.

[Screenshot: Create the public Azure Virtual Network Gateway address]

Once we have everything populated, note at the very bottom the timeframe it takes to provision a new virtual network gateway – up to 45 minutes.  So this is definitely one you want to kick off and go grab some coffee, etc.

[Screenshot: Finalizing Azure Virtual Network Gateway creation]

All we have left to do on the Azure side is configure the connection for the remote site (our on premise Meraki MX security device in my case).

Setup Connection from newly created Azure virtual network gateway

Click the Azure virtual network gateway and choose Connections.

[Screenshot: Setup Azure virtual network gateway connection]

Here we set up the actual connection to our on premise Meraki device.  Choose the Site-to-site (IPsec) connection type.  Then click the Local network gateway to configure the IP address we will connect to from Azure.  Also important, enter the shared key passphrase, which needs to be a strong password.

[Screenshot: Configuring new Azure virtual network gateway connection]

Setting up the local network gateway is straightforward.  We simply need to provide a name and IP Address.  Also, configure the local on premise Address space that you want to connect with the local network gateway.

[Screenshot: Configure the peer Azure site to site VPN IP address]

With everything populated, we are ready to create the connection.

[Screenshot: Enter Shared Key and create the Azure virtual network gateway connection]

Configuring your Meraki site to site VPN to Azure

On the Meraki side of things, we have just a few considerations to get the Azure VPN to work.  Choose Security appliance >> Site-to-site VPN.

[Screenshot: On the Meraki click Security Appliance and Site-to-site VPN]

Here I chose the Hub (Mesh) architecture.

[Screenshot: Click to create a Hub topology]

Choose which subnets you want to be able to participate and present to the VPN.

[Screenshot: Choose subnets to participate in Azure VPN]

In the Non-Meraki VPN peers section, we set up the connection to Azure.  There are a couple of fields here to pay attention to.  Be sure to choose Azure under IPsec policies, as this configures all the presets for Azure automatically.  Additionally, enter the same Preshared secret key you entered on the Azure side.  Another key point: in the Private subnets field, be sure to enter the “supernet” address space range, not the individual subnet or the gateway subnet range.
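The addressing rules spelled out above (subnets inside the address space, a subnet named exactly GatewaySubnet of at least /29, and the whole address space entered as the Meraki peer's Private subnets) are easy to get wrong in the portal. The following Python script, an added example with a constructed addressing plan rather than anything from the original post or from Azure's or Meraki's own tooling, checks a plan against those rules before you click through the two consoles.

```python
import ipaddress

# Constructed sample addressing plan (hypothetical values, not the post's).
VNET_ADDRESS_SPACE = "10.20.0.0/16"
SUBNETS = {
    "default": "10.20.1.0/24",
    "GatewaySubnet": "10.20.255.0/27",
}
ONPREM_SUBNETS = ["192.168.10.0/24"]


def validate_vnet_plan(address_space, subnets):
    """Return a list of problems with an Azure vNet addressing plan.

    Rules from the post: every subnet must sit inside the address space,
    the gateway subnet must be named exactly 'GatewaySubnet', it must be
    at least a /29, and no two subnets may overlap.
    """
    problems = []
    space = ipaddress.ip_network(address_space)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"{name} {net} is outside address space {space}")
    if "GatewaySubnet" not in nets:  # name check is case-sensitive on purpose
        problems.append("no subnet named exactly 'GatewaySubnet'")
    elif nets["GatewaySubnet"].prefixlen > 29:
        problems.append(f"GatewaySubnet {nets['GatewaySubnet']} is smaller than /29")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def meraki_peer_private_subnets(address_space, onprem_subnets):
    """Return what to enter in the Meraki non-Meraki peer 'Private subnets'
    field: the whole vNet address space (the supernet), not one subnet.
    Refuses an on-prem range that collides with it, since overlapping
    ranges leave the tunnel with nothing routable."""
    space = ipaddress.ip_network(address_space)
    for cidr in onprem_subnets:
        if ipaddress.ip_network(cidr).overlaps(space):
            raise ValueError(f"on-prem {cidr} overlaps Azure address space {space}")
    return [str(space)]


if __name__ == "__main__":
    print(validate_vnet_plan(VNET_ADDRESS_SPACE, SUBNETS) or "plan OK")
    print("Meraki Private subnets:", meraki_peer_private_subnets(VNET_ADDRESS_SPACE, ONPREM_SUBNETS))
```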

[Screenshot: Configure the Azure subnet, Azure policy and shared key]

We can also setup both inbound and outbound rules for the site-to-site connection.

[Screenshot: Create inbound and outbound rules for Azure Meraki VPN]

Checking the Azure to Meraki Site to Site VPN status

To check the status of the Azure to Meraki site-to-site VPN, we click the Security appliance >> VPN status link.

[Screenshot: Check Azure VPN status]

Click the Non-Meraki peer button.  You should see a “green” light indicating the VPN is successfully established.

[Screenshot: Meraki to Azure VPN working correctly]

To check the Meraki logs, look at the Security appliance >> Event log.

[Screenshot: Check the Meraki log for Azure VPN status]

We should see the “msg: IPsec-SA established” entry in the log.

[Screenshot: Azure to Meraki VPN established]

Thoughts

The steps to configure a Meraki to Azure site to site VPN are pretty straightforward.  However, be sure to pay attention to detail, as one setting amiss will cause the connection to fail.  Understanding the GatewaySubnet and the settings required there should help most who run into issues with this part of the setup.  So far the test VPN I have established has been rock solid, and no issues have been discovered in my test environment.