Configuring a VPN Tunnel with a Cisco Meraki MX Security appliance - Metasys - LIT-12011279 - General System Information - Metasys System - 10.1

Network and IT Guidance Technical Bulletin

Product name
Metasys System
Document type
Technical Bulletin
Document number
Revision date

About this task

To configure the MX Security Applicance, complete the following steps:


  1. In a web browser, go to Create a portal user account.
  2. In the Meraki dashboard, create and manage your Organization or Organizations. When you first log in, an organization with your company's name is automatically created. You can manage and rename this organization and create additional organizations in the Organization menu.
    In the Cisco Meraki user interface, a single dashboard administers one or more organizations. An organization represents a customer or customer site. Each organization contains one or more networks. A network typically consists of the MX Security Appliances on that common network. For more information about creating and managing organizations, refer to Meraki's Creating a Dashboard Account and Organization page.
  3. Add portal users to your organization. In the Meraki dashboard, go to Organization > Configure > Administrator. For more information about adding and managing portal users and administrators, refer to this Meraki's Managing Dashboard Administrators and Permissions page.
    After you add a user to your organization, they receive an email with a dashboard access link.
  4. Add Cisco Meraki MX Security Appliances to your organization. In the Meraki dashboard, go to Organization > Configure > Inventory. For more information, refer to this Meraki's Using the Organization Inventory page.
  5. Create a new network and add the MX Security Appliance to the network. In the Meraki dashboard, go to Organization > Configure > Create network. For more information, refer to this Meraki reference: here.
  6. Deploy the MX Security Appliance to the site. The MX Security Appliance is placed between broadband router/modem providing connectivity to the internet and the IP-based devices.
    1. Configure the router/modem into bridge mode. The user interface of the modem or router is specific to the manufacturer and your Internet Service Provider (ISP). Consult the modem/router and your ISP documentation for further details.

    2. Connect an Ethernet cable from the Internet port of the MX Security Appliance to the router/modem.
    3. Connect the IP devices to the LAN ports of the MX Security Appliance. If there are more than four IP devices, they need to be connected to a separate switch and the switch needs to be connected to one of the LAN ports of the MX Security Appliance.
    4. Power on the MX Security Appliance. Verify that the front LED lights of the MX Security Appliance are solid white.
  7. Configure the client VPN by following these steps:
    1. In the Meraki dashboard, hover over Network in the left pane. Select the desired network.
    2. Go to Teleworker > Monitor >Appliance Status. Record the public IP address that appeared in the WAN field or the dynamic hostname in the Hostname field. You can use the IP address or the hostname when configuring the VPN client.
    3. Go to Teleworker Gateway > Configure > Addresses & VLANs. Configure the internal BAS network. For a simple BAS network, enter the existing subnet information by clicking on the default network entry under the Routing section.
      Note: The MX IP address should be an available static IP address within the existing BAS network and the MX IP address should be used as the default gateway for all MX Security Appliances, including the network engines and the /ODS.
    4. Go to Teleworker Gateway > Configure > Client VPN. Enable the Client VPN Server. In a simple BAS network, ensure the Client VPN subnet used here is in a different subnet range than the internal BAS network used previously. The Client VPN subnet should be unique with respect to all other BAS network subnets. For more information about the client VPN settings including VPN user management, refer to Meraki's Client VPN Overview page.
  8. Setup and configure user MX Security Appliances for VPN access using Meraki's Client VPN OS Configuration page.
    Note: A VPN connection can be established to the MX Security Appliance using standard VPNclient software that is included with supported Windows® operating systems, Apple® operating systems, or Android™ operating systems.

    If you encounter the Windows 809 error in the Windows Event log on a Windows client MX Security Appliance, you may need to add the following key to the Registry:

    Key: Server:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgentRegValue: AssumeUDPEncapsulationContextOnSendRule

    Type: DWORD

    Data Value: 2

    After you create this key, you may need to reboot the Windows client MX Security Appliance.