Recently I received a Cisco Meraki Z3 from my work to be used at home as a teleworker gateway. If you don’t know what a Meraki Z3 is, it’s a teleworker gateway that provides an enterprise-class firewall, VPN gateway and router all in one.
My coworkers who work with Cisco Meraki day in and day out love this equipment.
In this article, we are going to create a site to site VPN with the Meraki Z3 and Azure VPN gateway.
The following steps are completed in PowerShell and take roughly 45 minutes to complete due to the creation time required for the VPN gateway.
Create Resource Group
Create a new resource group in your Azure subscription.
Create vNet and Subnets
Create a virtual network with two subnets. The first subnet, called “default”, is where your endpoints in Azure will reside. You also need to create a second subnet called “GatewaySubnet”; it must have exactly this name, or else Azure won’t treat it as the gateway subnet.
Create local network gateway (on-premise)
Create the local network gateway, which defines your on-premises location. In this example, my lab has three subnets I want to expose. The GatewayIpAddress parameter is the public IP address of your on-premises location.
Create Public IP address
Create the public IP address for your VPN gateway to be able to communicate back to your on-premises location.
Create the VPN Gateway Connectivity
Create the VPN gateway connectivity by assigning the subnet and public IP address.
Create the VPN gateway
We will combine all the previous steps to create a VPN gateway. Building a VPN gateway can take some time to complete, for me, it took on average 30 minutes to complete.
Configure the connection
Create and configure the connection between Azure and your on-site router. I used the cmdlet New-Guid to randomly generate a PassPhrase and output the results so that I can use them in the next step, configuring pfSense.
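The PowerShell for the Azure steps above, as one complete script. This is an added example and not the author’s own script; the resource names, location, address ranges and the on-premises public IP (203.0.113.10, a documentation address) are constructed placeholders, and the gateway is created as PolicyBased on the Basic SKU because that is the type the Meraki peer needs.

```powershell
# Added example: end-to-end Azure side of the site-to-site VPN (Az module).
# All names and address ranges below are placeholders; adjust to your own lab.
$location  = 'eastus'
$rg        = 'rg-meraki-s2s'          # Resource group
$vnetName  = 'vnet-meraki-s2s'        # Virtual network
$lngName   = 'lng-home-lab'           # Local network gateway (on-premises side)
$pipName   = 'pip-vpngw'              # Public IP for the VPN gateway
$gwName    = 'vpngw-meraki'           # VPN gateway
$connName  = 'conn-home-lab'          # IPsec connection

# Step 1: resource group
New-AzResourceGroup -Name $rg -Location $location

# Step 2: vNet with a "default" subnet and the mandatory "GatewaySubnet".
# The whole 10.1.0.0/16 address space is what gets entered as the
# "Private subnet" on the Meraki peer later, not the individual subnets.
$defaultSubnet = New-AzVirtualNetworkSubnetConfig -Name 'default'       -AddressPrefix '10.1.0.0/24'
$gwSubnet      = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $defaultSubnet, $gwSubnet

# Step 3: local network gateway describing the on-premises side.
# -GatewayIpAddress is the public IP of the Meraki Z3; -AddressPrefix lists
# the on-premises subnets that should be reachable from Azure (placeholders).
$lng = New-AzLocalNetworkGateway -Name $lngName -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '203.0.113.10' `
    -AddressPrefix '192.168.1.0/24', '192.168.2.0/24', '192.168.3.0/24'

# Step 4: public IP for the VPN gateway (Basic SKU gateways use a dynamic IP)
$pip = New-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg -Location $location `
    -AllocationMethod Dynamic

# Step 5: gateway IP configuration tying GatewaySubnet and the public IP together
$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'vpngw-ipconfig' `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id

# Step 6: the VPN gateway itself. PolicyBased is what the Meraki "Azure" IPsec
# preset expects; a RouteBased gateway has to be deleted and recreated.
# This step is the slow one (roughly 30 minutes).
$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType PolicyBased -GatewaySku Basic

# Step 7: the IPsec connection. The pre-shared key is generated with New-Guid
# (as the article does) and printed once so it can be pasted into the Meraki
# dashboard; treat it as a secret from this point on.
$psk = (New-Guid).Guid
New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk

# Values needed on the Meraki side
$gwPublicIp = (Get-AzPublicIpAddress -Name $pipName -ResourceGroupName $rg).IpAddress
Write-Output "Azure VPN gateway public IP : $gwPublicIp"
Write-Output "Azure address space         : $($vnet.AddressSpace.AddressPrefixes -join ', ')"
Write-Output "Pre-shared key              : $psk"
```

The public IP is only allocated once the gateway finishes provisioning, so the final Get-AzPublicIpAddress call is placed after New-AzVirtualNetworkGateway returns; the three values it prints are exactly the Public IP, Private subnet and Preshared secret fields the Meraki peer configuration asks for.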
Cisco Meraki Steps
Configure site-to-site VPN
- Log in to your Meraki dashboard https://dashboard.meraki.com
- Go to Teleworker gateway and select site-to-site VPN
- On the site-to-site VPN page, under Type select Hub (Mesh)
- Further down on the page, under VPN settings, select the appropriate local networks that will be available for the VPN connection.
- Continuing on the same page, under Organization-wide settings, click Add a peer.
- The Non-Meraki VPN peers form will appear; add the required information:
  - Name: provide a name for the connection
  - Public IP: public IP of the Azure VPN gateway
  - Private subnet: Azure virtual network address space (do not enter individual subnets)
  - IPsec policies: click on Default and change the preset to Azure
  - Preshared secret: enter the preshared key you used to create the Azure VPN gateway.
- Go to Teleworker gateway and select VPN status
- Go to Non-Meraki peer and ensure the status color is green.
- If the status is not green, go to the event log to troubleshoot.
I ran into a few issues during the setup, and here are some of the errors I made and how I corrected them.
- Azure VPN gateway was set to route-based. I had to delete the VPN gateway and recreate the gateway with the VPN type as Policy-based.
- When configuring the site-to-site VPN on the Meraki dashboard, ensure the private subnet equals the address space configuration for your Azure virtual network.
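Both of these mistakes can be caught from the Azure side before touching the Meraki dashboard. The following check script is an added example, not part of the original article; it assumes the placeholder resource names rg-meraki-s2s, vpngw-meraki, vnet-meraki-s2s and conn-home-lab and reports the gateway VPN type, the address space that must be entered as the Meraki private subnet, and the current tunnel status.

```powershell
# Added example: pre-flight and post-setup checks for the two pitfalls above.
# Resource names are placeholders; replace them with your own.
function Test-MerakiAzureVpn {
    param(
        [string]$ResourceGroup  = 'rg-meraki-s2s',
        [string]$GatewayName    = 'vpngw-meraki',
        [string]$VNetName       = 'vnet-meraki-s2s',
        [string]$ConnectionName = 'conn-home-lab'
    )

    $gw   = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
    $vnet = Get-AzVirtualNetwork       -Name $VNetName    -ResourceGroupName $ResourceGroup
    $conn = Get-AzVirtualNetworkGatewayConnection -Name $ConnectionName -ResourceGroupName $ResourceGroup

    # Pitfall 1: the Meraki "Azure" IPsec preset needs a policy-based gateway.
    # A route-based gateway cannot be changed in place; it must be recreated.
    $vpnTypeOk = ($gw.VpnType -eq 'PolicyBased')

    # Pitfall 2: the Meraki "Private subnet" must be the vNet address space,
    # not the individual subnets. Print the value to copy into the dashboard.
    $addressSpace = $vnet.AddressSpace.AddressPrefixes
    $subnets      = $vnet.Subnets | ForEach-Object { "$($_.Name)=$($_.AddressPrefix)" }

    [pscustomobject]@{
        GatewayVpnType     = $gw.VpnType
        VpnTypeOk          = $vpnTypeOk
        MerakiPrivateSubnet = ($addressSpace -join ', ')   # enter this on the Meraki peer
        VNetSubnets        = ($subnets -join ', ')         # do NOT enter these
        ConnectionStatus   = $conn.ConnectionStatus        # Connected / Connecting / NotConnected / Unknown
        IngressBytes       = $conn.IngressBytesTransferred
        EgressBytes        = $conn.EgressBytesTransferred
    }
}

$result = Test-MerakiAzureVpn
$result | Format-List

if (-not $result.VpnTypeOk) {
    Write-Warning "Gateway is $($result.GatewayVpnType); delete and recreate it with -VpnType PolicyBased."
}
if ($result.ConnectionStatus -ne 'Connected') {
    Write-Warning "Tunnel is $($result.ConnectionStatus); compare the Meraki private subnet with '$($result.MerakiPrivateSubnet)' and check the Meraki event log."
}
```

The ConnectionStatus property is reported by Azure from its side of the IKE negotiation, so a value of Connected here together with a green Non-Meraki peer in the Meraki VPN status page confirms the tunnel is up end to end; if Azure says Connecting while the Meraki side shows an error, the pre-shared key or the address space is the usual culprit.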