
VPN Site-to-Site IPsec Peers SLA Policies

Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN > Organization-wide settings

VPN site-to-site IPsec peers SLA policies define health-monitoring endpoints used to evaluate the performance of third-party VPN tunnels. Each SLA policy specifies a target URI that the MX appliance periodically probes to measure reachability, latency, jitter, and packet loss. When a third-party VPN peer references an SLA policy (via “sla_policy_name”), the appliance uses the probe results to make automatic failover decisions for grouped tunnels, ensuring traffic is steered to the healthiest path.

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| vpn_site_to_site_ipsec_peers_slas | List[vpn_site_to_site_ipsec_peers_slas] | | No | |

vpn_site_to_site_ipsec_peers_slas (meraki.domains.organizations.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
| --- | --- | --- | --- | --- |
| name | String | min: 1, max: 127 | Yes | |
| uri | String | min: 1, max: 1024 | Yes | |

Example-1: The example below demonstrates IPsec peers SLA policy configuration combined with third-party VPN peers that reference the SLA policy for tunnel health monitoring and failover.

The “vpn_site_to_site_ipsec_peers_slas” section defines one or more SLA policies at the organization level. Each policy requires a “name” (used as a reference key by VPN peers) and a “uri” (the HTTP endpoint the appliance will probe). The third-party VPN peers then reference the SLA policy by its name using the “sla_policy_name” field, which ties probe results to tunnel failover logic for the associated tunnel group.

```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          appliance:
            vpn_site_to_site_ipsec_peers_slas:
              - name: sla_policy_1
                uri: http://checkthisendpoint.com
            third_party_vpn_peers:
              - name: SSE Tunnel Primary
                public_ip: 146.112.67.39
                private_subnets:
                  - "0.0.0.0/0"
                secret: "!env tunnel_secret"
                ike_version: "2"
                local_id: primary@sse-tunnel.example.com
                ipsec_policies:
                  ike_auth_algo:
                    - sha1
                  ike_cipher_algo:
                    - aes256
                  ike_diffie_hellman_group:
                    - group14
                  ike_prf_algo:
                    - prfsha1
                  ike_lifetime: 14400
                  child_auth_algo:
                    - sha1
                  child_cipher_algo:
                    - aes256
                  child_pfs_group:
                    - disabled
                  child_lifetime: 3600
                network_tags:
                  - SSE
                is_route_based: false
                priority_in_group: 1
                group_active_active_tunnel: true
                group_number: 1
                group_failover_direct_to_internet: false
                sla_policy_name: sla_policy_1
```
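
A pre-deployment check for the name reference and field constraints described above, as an added example that is not part of the original documentation or the project's tooling. The function name `lint_sla_policies`, the second peer and its mistyped reference are hypothetical, and the check assumes `sla_policy_name` is optional on a peer and that the `appliance` mapping has already been parsed from YAML into a dict.

```python
# Added example: lint the organization-level "appliance" mapping for SLA policy problems.
# CONFIG is constructed sample data mirroring the page's YAML after parsing.
CONFIG = {
    "vpn_site_to_site_ipsec_peers_slas": [
        {"name": "sla_policy_1", "uri": "http://checkthisendpoint.com"},
    ],
    "third_party_vpn_peers": [
        {"name": "SSE Tunnel Primary", "sla_policy_name": "sla_policy_1"},
        # Constructed peer with a mistyped reference, to show the failure case.
        {"name": "SSE Tunnel Secondary", "sla_policy_name": "sla_policy_2"},
    ],
}

# Length limits taken from the page's field table: (min, max).
LIMITS = {"name": (1, 127), "uri": (1, 1024)}


def lint_sla_policies(appliance):
    """Return a list of findings; an empty list means the references are consistent."""
    findings = []
    defined = set()
    for i, policy in enumerate(appliance.get("vpn_site_to_site_ipsec_peers_slas") or []):
        for field, (lo, hi) in LIMITS.items():
            value = policy.get(field)
            if not isinstance(value, str):
                findings.append(f"sla[{i}]: mandatory field '{field}' is missing or not a string")
            elif not lo <= len(value) <= hi:
                findings.append(f"sla[{i}]: '{field}' length {len(value)} outside {lo}..{hi}")
        name = policy.get("name")
        if isinstance(name, str):
            # The name is the reference key, so a duplicate makes peer references ambiguous.
            if name in defined:
                findings.append(f"sla[{i}]: duplicate policy name '{name}'")
            defined.add(name)
    for peer in appliance.get("third_party_vpn_peers") or []:
        ref = peer.get("sla_policy_name")
        # Assumption: a peer without sla_policy_name simply has no SLA monitoring.
        if ref is not None and ref not in defined:
            findings.append(f"peer '{peer.get('name')}': sla_policy_name '{ref}' is not defined")
    return findings


if __name__ == "__main__":
    for finding in lint_sla_policies(CONFIG):
        print(finding)
```

A peer whose `sla_policy_name` matches no defined policy has no probe results behind its failover decisions, so this check is worth running before the configuration is applied.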