
Site-to-Site VPN Configuration

Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN

Site-to-site VPN configuration in Meraki appliances enables secure connectivity between multiple network locations through encrypted tunnels over the internet. This functionality supports hub-and-spoke, mesh, and custom VPN topologies for connecting branch offices, data centers, and remote sites with centralized management and automatic failover capabilities. Site-to-site VPN is essential for organizations requiring secure inter-site connectivity, centralized resource access, and scalable network expansion while maintaining security and performance across distributed locations.


appliance (meraki.domains.organizations.networks)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| vpn_site_to_site_vpn | Class | [vpn_site_to_site_vpn] | No | |

vpn_site_to_site_vpn (meraki.domains.organizations.networks.appliance)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| mode | Choice | hub, none, spoke | Yes | |
| hubs | List | [hubs] | No | |
| subnets | List | [subnets] | No | |
| subnet_nat | Boolean | true, false | No | |

hubs (meraki.domains.organizations.networks.appliance.vpn_site_to_site_vpn)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| use_default_route | Boolean | true, false | No | |
| hub_network_name | String | min: 1, max: 127 | Yes | |

subnets (meraki.domains.organizations.networks.appliance.vpn_site_to_site_vpn)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| local_subnet | String | Regex (pattern given below the table) | Yes | |
| use_vpn | Boolean | true, false | No | |
| nat | Class | [nat] | No | |

Regex for local_subnet: `^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$`

nat (meraki.domains.organizations.networks.appliance.vpn_site_to_site_vpn.subnets)

| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| enabled | Boolean | true, false | No | |
| remote_subnet | String | | No | |

Example-1: The example below demonstrates site-to-site VPN configuration using tested YAML configuration from pipeline fixtures.

```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          networks:
            - name: "!env network_name"
              product_types:
                - appliance
                - switch
                - wireless
                - camera
                - sensor
                - cellularGateway
              appliance:
                vpn_site_to_site_vpn:
                  mode: hub
                  # Site-to-Site VPN Translation has to be enabled by Meraki Support
                  # for this setting to work.
                  # Otherwise, "VPN subnet translation is not supported for this network" is returned.
                  # subnet_nat: True
                  subnets:
                    - local_subnet: "192.168.20.0/24"
                      use_vpn: true
                    - local_subnet: "!env hub_server_subnet"
                      use_vpn: true
```
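
A pre-deployment check for the constraints in the tables above, as an added example that is not part of the original page or the project's own tooling. It applies the page's `local_subnet` regex and then parses each entry with Python's `ipaddress` module, because the regex alone accepts octets above 255 and prefix lengths above 32. The function names, the skipping of `!env` placeholders and the sample input are assumptions made for this example.

```python
import ipaddress
import re

# Constraint regex for local_subnet, copied from the subnets table above.
LOCAL_SUBNET_RE = re.compile(
    r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)"
    r"(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$"
)
MODES = {"hub", "none", "spoke"}  # Choice constraint for mode


def check_local_subnet(value):
    """Return problems for one local_subnet string (host bits set are rejected)."""
    if value.startswith("!env "):
        return []  # assumption: placeholder resolved later, nothing to check
    if not LOCAL_SUBNET_RE.match(value):
        return [f"{value!r}: does not match the schema regex"]
    problems = []
    for entry in value.split(","):
        if entry.lower() == "any":
            continue
        try:
            ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            problems.append(f"{entry!r}: passes the regex but is invalid ({exc})")
    return problems


def validate_vpn(vpn):
    """Check a vpn_site_to_site_vpn mapping against the tables on this page."""
    problems = []
    if vpn.get("mode") not in MODES:
        problems.append(f"mode {vpn.get('mode')!r} not in {sorted(MODES)}")
    for hub in vpn.get("hubs", []):
        name = hub.get("hub_network_name", "")
        if not 1 <= len(name) <= 127:
            problems.append(f"hub_network_name length {len(name)} outside 1..127")
    for subnet in vpn.get("subnets", []):
        problems.extend(check_local_subnet(subnet.get("local_subnet", "")))
    return problems


# Constructed sample input, not taken from the page's fixtures.
SAMPLE = {"mode": "hub", "subnets": [
    {"local_subnet": "192.168.20.0/24", "use_vpn": True},
    {"local_subnet": "10.300.0.0/16", "use_vpn": True},   # octet > 255
    {"local_subnet": "10.0.0.0/99", "use_vpn": True},     # prefix > 32
]}
if __name__ == "__main__":
    print("\n".join(validate_vpn(SAMPLE)))
```

The case-insensitive flag in the schema regex covers only the first entry, so `ANY` is accepted alone but `10.0.0.0/8,ANY` is rejected.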