Third-Party VPN Peers Configuration
Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN > Organization-wide settings
External VPN Integration Management
Third-party VPN peers configuration in Meraki organizations enables secure connectivity with external VPN gateways from cloud providers, partner organizations, and non-Meraki network equipment. This functionality supports IPsec-based connections with customizable encryption policies, authentication methods, and network routing for hybrid cloud deployments and multi-vendor network integration. Third-party VPN peers are essential for organizations requiring connectivity with AWS, Azure, Google Cloud, or other external networks while maintaining centralized management and consistent security policies.
Diagram
Classes
Section titled “Classes”appliance (meraki.domains.organizations)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| third_party_vpn_peers | List | [third_party_vpn_peers] | No | |
third_party_vpn_peers (meraki.domains.organizations.appliance)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | min: 1, max: 127 | Yes | |
| public_ip | IP | | No | |
| public_hostname | String | min: 1, max: 127 | No | |
| private_subnets | List | String[Regex: ^(?i:any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any\|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$] | Yes | |
| local_id | String | min: 1, max: 127 | No | |
| remote_id | String | min: 1, max: 127 | No | |
| ipsec_policies | Class | [ipsec_policies] | No | |
| ipsec_policies_preset | Choice | default, aws, azure, umbrella, zscaler | No | |
| secret | String | min: 1, max: 127 | Yes | |
| ike_version | Choice | 1, 2 | No | |
| network_tags | List | String[min: 1, max: 255] | No | |
ipsec_policies (meraki.domains.organizations.appliance.third_party_vpn_peers)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ike_cipher_algo | List | Choice[aes128, aes192, aes256, des, tripledes] | No | |
| ike_auth_algo | List | Choice[md5, sha1, sha256] | No | |
| ike_prf_algo | List | Choice[default, prfmd5, prfsha1, prfsha256] | No | |
| ike_diffie_hellman_group | List | Choice[group14, group5, group2, group1] | No | |
| ike_lifetime | Integer | min: 1, max: 604800 | No | |
| child_cipher_algo | List | Choice[aes128, aes192, aes256, des, null, tripledes] | No | |
| child_auth_algo | List | Choice[md5, sha1, sha256] | No | |
| child_pfs_group | List | Choice[disabled, group14, group5, group2, group1] | No | |
| child_lifetime | Integer | min: 1, max: 86400 | No | |
Examples
Example-1: The example below demonstrates third-party VPN peers configuration.
This configuration establishes secure connections with external VPN gateways including cloud providers and non-Meraki equipment. The example includes IPsec policies, authentication settings, encryption parameters, and routing configurations for hybrid cloud and multi-vendor network integration.
The first VPN peer (“AWS VPN 01”) shows the simplified cloud-integration form: “public_hostname: vpn.example.com” selects FQDN-based connectivity (so the peer's address can be resolved dynamically), the “private_subnets” list names the networks reachable behind the remote gateway (192.168.1.0/24, 192.168.2.0/24), and “local_id: 192.168.128.10” and “remote_id: 1.1.1.2” set the IKE identities each side presents and expects during peer authentication. The configuration uses “ipsec_policies_preset: aws” for AWS-compatible encryption settings (no manual policy configuration needed), “secret: supersecretkey” as the pre-shared key, “ike_version: 2” to negotiate with IKEv2 rather than the legacy IKEv1, and “network_tags” (Production, VPN) to select which networks the peer applies to and to classify it organizationally.
The second peer (“AWS VPN 02”) shows granular IPsec policy customization: “public_ip: 1.1.1.100” for a peer with a static address, and an explicit “ipsec_policies” block whose Phase 1 (IKE) parameters are “ike_cipher_algo: aes128” for encryption, “ike_auth_algo: sha256” for integrity hashing, “ike_prf_algo: prfsha256” for the pseudo-random function, “ike_diffie_hellman_group: group14” for key exchange (the 2048-bit MODP group), and “ike_lifetime: 3600” seconds for the IKE security association. The Phase 2 (IPsec child SA) parameters mirror Phase 1 with “child_cipher_algo: aes128”, “child_auth_algo: sha256”, “child_pfs_group: group14” for Perfect Forward Secrecy, and “child_lifetime: 3600” seconds between data-encryption key refreshes. Both sides of the tunnel must agree on these values, so an explicit policy like this is the usual choice when the remote gateway's proposal set is fixed by an enterprise cryptographic standard.
```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          appliance:
            third_party_vpn_peers:
              - name: AWS VPN 01
                public_hostname: vpn.example.com
                private_subnets:
                  - "192.168.1.0/24"
                  - "192.168.2.0/24"
                local_id: "192.168.128.10"
                remote_id: "1.1.1.2"
                ipsec_policies_preset: aws
                secret: "supersecretkey"
                ike_version: "2"
                network_tags:
                  - "Production"
                  - "VPN"
              - name: AWS VPN 02
                public_ip: 1.1.1.100
                private_subnets:
                  - "192.168.1.0/24"
                  - "192.168.2.0/24"
                local_id: "192.168.128.100"
                remote_id: "1.1.1.200"
                ipsec_policies:
                  ike_cipher_algo:
                    - aes128
                  ike_auth_algo:
                    - sha256
                  ike_prf_algo:
                    - prfsha256
                  ike_diffie_hellman_group:
                    - group14
                  ike_lifetime: 3600
                  child_cipher_algo:
                    - aes128
                  child_auth_algo:
                    - sha256
                  child_pfs_group:
                    - group14
                  child_lifetime: 3600
                secret: "supersecretkey"
                ike_version: "2"
                network_tags:
                  - "Production"
                  - "VPN"
```