Third-Party VPN Peers Configuration
Dashboard Location: Security and SD-WAN > Configure > Site-to-site VPN > Organization-wide settings
External VPN Integration Management
Third-party VPN peers configuration in Meraki organizations enables secure connectivity with external VPN gateways from cloud providers, partner organizations, and non-Meraki network equipment. This functionality supports IPsec-based connections with customizable encryption policies, authentication methods, and network routing for hybrid cloud deployments and multi-vendor network integration. Third-party VPN peers are essential for organizations requiring connectivity with AWS, Azure, Google Cloud, or other external networks while maintaining centralized management and consistent security policies.
Diagram
Classes
appliance (meraki.domains.organizations)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| third_party_vpn_peers | List | [third_party_vpn_peers] | No | |
third_party_vpn_peers (meraki.domains.organizations.appliance)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| name | String | min: 1, max: 127 | Yes | |
| public_ip | IP | | No | |
| public_hostname | String | min: 1, max: 127 | No | |
| private_subnets | List | String[Regex: ^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)(,(any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?))*$] | Yes | |
| local_id | String | min: 1, max: 127 | No | |
| remote_id | String | min: 1, max: 127 | No | |
| ipsec_policies | Class | [ipsec_policies] | No | |
| ipsec_policies_preset | Choice | default, aws, azure, umbrella, zscaler | No | |
| secret | String | min: 1, max: 127 | Yes | |
| ike_version | Choice | 1, 2 | No | |
| network_tags | List | String[min: 1, max: 255] | No | |
| is_route_based | Boolean | true, false | No | |
| priority_in_group | Integer | min: 1, max: 2 | No | |
| group_active_active_tunnel | Boolean | true, false | No | |
| group_number | Integer | min: 1, max: 999 | No | |
| group_failover_direct_to_internet | Boolean | true, false | No | |
| sla_policy_name | String | min: 1, max: 127 | No | |
ipsec_policies (meraki.domains.organizations.appliance.third_party_vpn_peers)
| Name | Type | Constraint | Mandatory | Default Value |
|---|---|---|---|---|
| ike_cipher_algo | List | Choice[aes128, aes192, aes256, des, tripledes] | No | |
| ike_auth_algo | List | Choice[md5, sha1, sha256] | No | |
| ike_prf_algo | List | Choice[default, prfmd5, prfsha1, prfsha256] | No | |
| ike_diffie_hellman_group | List | Choice[group14, group5, group2, group1] | No | |
| ike_lifetime | Integer | min: 1, max: 604800 | No | |
| child_cipher_algo | List | Choice[aes128, aes192, aes256, des, null, tripledes] | No | |
| child_auth_algo | List | Choice[md5, sha1, sha256] | No | |
| child_pfs_group | List | Choice[disabled, group14, group5, group2, group1] | No | |
| child_lifetime | Integer | min: 1, max: 86400 | No | |
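As an added example that is not part of the Meraki NaC project, the Python linter below checks one parsed `third_party_vpn_peers` item (assumed to be the dict a YAML loader produces for one list entry) against the constraint tables above, and separately warns on choices the schema still accepts but a reviewer should question on a new tunnel: DES/3DES/null ciphers, MD5 and SHA-1 hashes and PRFs, Diffie-Hellman groups below 2048 bits, disabled PFS, and IKEv1.

```python
import re

# Added example, not code from the Meraki NaC project: lint one entry of
# third_party_vpn_peers against the constraint tables and flag weak crypto.
SUBNET_RE = re.compile(r"^(?i:any|(\d{1,3}\.){3}\d{1,3}(\/\d{1,2})?)$")
CHOICES = {
    "ike_cipher_algo": {"aes128", "aes192", "aes256", "des", "tripledes"},
    "ike_auth_algo": {"md5", "sha1", "sha256"},
    "ike_prf_algo": {"default", "prfmd5", "prfsha1", "prfsha256"},
    "ike_diffie_hellman_group": {"group14", "group5", "group2", "group1"},
    "child_cipher_algo": {"aes128", "aes192", "aes256", "des", "null", "tripledes"},
    "child_auth_algo": {"md5", "sha1", "sha256"},
    "child_pfs_group": {"disabled", "group14", "group5", "group2", "group1"},
}
INT_RANGE = {"ike_lifetime": (1, 604800), "child_lifetime": (1, 86400),
             "priority_in_group": (1, 2), "group_number": (1, 999)}
STRINGS_127 = ("name", "public_hostname", "local_id", "remote_id", "secret")
# Deprecated ciphers/hashes, sub-2048-bit DH groups and disabled PFS.
WEAK = {"des", "tripledes", "null", "md5", "sha1", "prfmd5", "prfsha1",
        "group1", "group2", "group5", "disabled"}

def lint_peer(peer):
    """Return (errors, warnings): schema violations and weak-crypto findings."""
    errors, warnings = [], []
    for f in ("name", "private_subnets", "secret"):
        if f not in peer:
            errors.append(f"{f} is mandatory")
    for f in STRINGS_127:
        if f in peer and not 1 <= len(str(peer[f])) <= 127:
            errors.append(f"{f} must be 1..127 characters")
    for s in peer.get("private_subnets", []):
        if not SUBNET_RE.match(str(s)):
            errors.append(f"private_subnets entry {s!r} fails schema regex")
    if "ike_version" in peer and str(peer["ike_version"]) not in ("1", "2"):
        errors.append("ike_version must be 1 or 2")
    elif str(peer.get("ike_version", "")) == "1":
        warnings.append("ike_version 1: prefer IKEv2")
    pol = peer.get("ipsec_policies", {})
    for f, (lo, hi) in INT_RANGE.items():
        v = pol.get(f, peer.get(f))  # lifetimes live in the policy, group fields on the peer
        if v is not None and not lo <= int(v) <= hi:
            errors.append(f"{f} must be {lo}..{hi}")
    for f, allowed in CHOICES.items():
        for v in pol.get(f, []):
            if v not in allowed:
                errors.append(f"{f} value {v!r} not in schema choices")
            elif v in WEAK:
                warnings.append(f"{f} uses weak option {v!r}")
    return errors, warnings
```

Run against the Example-2 peers below, the SHA-1 integrity/PRF choices and the disabled PFS group surface as warnings while the entry itself is schema-valid.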
Examples
Example-1: The example below demonstrates third-party VPN peers configuration.
This configuration establishes secure connections with external VPN gateways including cloud providers and non-Meraki equipment. The example includes IPsec policies, authentication settings, encryption parameters, and routing configurations for hybrid cloud and multi-vendor network integration.
The first VPN peer (“AWS VPN 01”) shows the simplified cloud integration path: “public_hostname: vpn.example.com” selects FQDN-based connectivity (so the peer address is resolved dynamically rather than pinned to a static IP), the “private_subnets” list declares the networks reachable behind the remote gateway (192.168.1.0/24, 192.168.2.0/24), and “local_id: 192.168.128.10” and “remote_id: 1.1.1.2” set the IKE identities each side presents and verifies during IPsec peer authentication. The peer uses “ipsec_policies_preset: aws” for AWS-specific encryption settings instead of a hand-written policy, “secret: supersecretkey” as the pre-shared key, “ike_version: 2” for IKEv2, and “network_tags” (Production, VPN) for organizational classification and policy application.
The second peer (“AWS VPN 02”) shows an explicit IPsec policy instead of a preset: “public_ip: 1.1.1.100” pins the peer to a static address, and “ipsec_policies” sets the Phase 1 (IKE) parameters “ike_cipher_algo: aes128” (encryption), “ike_auth_algo: sha256” (integrity hash), “ike_prf_algo: prfsha256” (pseudo-random function), “ike_diffie_hellman_group: group14” (2048-bit MODP key exchange) and “ike_lifetime: 3600” seconds for the IKE security association. The Phase 2 (child SA) parameters mirror Phase 1 with “child_cipher_algo: aes128”, “child_auth_algo: sha256”, “child_pfs_group: group14” for Perfect Forward Secrecy, and “child_lifetime: 3600” seconds between data-key rekeys, a set that meets current enterprise cryptographic baselines.
Example-2: The example below demonstrates third-party VPN peers with tunnel grouping, failover, and SLA policy integration.
This configuration showcases advanced VPN peer features for high-availability deployments. “is_route_based: false” indicates policy-based VPN routing rather than route-based. Peers are organized into numbered tunnel groups using “group_number: 1” and “group_active_active_tunnel: true” for active-active redundancy within a group. The “priority_in_group” field (1 for primary, 2 for secondary) determines preference order during failover. “group_failover_direct_to_internet: false” ensures traffic does not fall back to direct internet when all tunnels in the group are down. The “sla_policy_name” field references an IPsec Peers SLA policy (defined under “vpn_site_to_site_ipsec_peers_slas”) to monitor tunnel health and drive automatic failover decisions based on latency, jitter, or loss thresholds.
```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          appliance:
            third_party_vpn_peers:
              - name: AWS VPN 01
                public_hostname: vpn.example.com
                private_subnets:
                  - "192.168.1.0/24"
                  - "192.168.2.0/24"
                local_id: "192.168.128.10"
                remote_id: "1.1.1.2"
                ipsec_policies_preset: aws
                secret: "supersecretkey"
                ike_version: "2"
                network_tags:
                  - "Production"
                  - "VPN"
              - name: AWS VPN 02
                public_ip: 1.1.1.100
                private_subnets:
                  - "192.168.1.0/24"
                  - "192.168.2.0/24"
                local_id: "192.168.128.100"
                remote_id: "1.1.1.200"
                ipsec_policies:
                  ike_cipher_algo:
                    - aes128
                  ike_auth_algo:
                    - sha256
                  ike_prf_algo:
                    - prfsha256
                  ike_diffie_hellman_group:
                    - group14
                  ike_lifetime: 3600
                  child_cipher_algo:
                    - aes128
                  child_auth_algo:
                    - sha256
                  child_pfs_group:
                    - group14
                  child_lifetime: 3600
                secret: "supersecretkey"
                ike_version: "2"
                network_tags:
                  - "Production"
                  - "VPN"
```
Example-2:
```yaml
meraki:
  domains:
    - name: "!env domain"
      administrator:
        name: "!env org_admin"
      organizations:
        - name: "!env org"
          appliance:
            vpn_site_to_site_ipsec_peers_slas:
              - name: sla_policy_1
                uri: http://checkthisendpoint.com
            third_party_vpn_peers:
              - name: SSE Tunnel Primary
                public_ip: 146.112.67.39
                private_subnets:
                  - "0.0.0.0/0"
                secret: "!env tunnel_secret"
                ike_version: "2"
                local_id: primary@sse-tunnel.example.com
                ipsec_policies:
                  ike_auth_algo:
                    - sha1
                  ike_cipher_algo:
                    - aes256
                  ike_diffie_hellman_group:
                    - group14
                  ike_prf_algo:
                    - prfsha1
                  ike_lifetime: 14400
                  child_auth_algo:
                    - sha1
                  child_cipher_algo:
                    - aes256
                  child_pfs_group:
                    - disabled
                  child_lifetime: 3600
                network_tags:
                  - SSE
                is_route_based: false
                priority_in_group: 1
                group_active_active_tunnel: true
                group_number: 1
                group_failover_direct_to_internet: false
                sla_policy_name: sla_policy_1
              - name: SSE Tunnel Secondary
                public_ip: 146.112.83.39
                private_subnets:
                  - "0.0.0.0/0"
                secret: "!env tunnel_secret"
                ike_version: "2"
                local_id: secondary@sse-tunnel.example.com
                ipsec_policies:
                  ike_auth_algo:
                    - sha1
                  ike_cipher_algo:
                    - aes256
                  ike_diffie_hellman_group:
                    - group14
                  ike_prf_algo:
                    - prfsha1
                  ike_lifetime: 14400
                  child_auth_algo:
                    - sha1
                  child_cipher_algo:
                    - aes256
                  child_pfs_group:
                    - disabled
                  child_lifetime: 3600
                network_tags:
                  - SSE
                is_route_based: false
                priority_in_group: 2
                group_active_active_tunnel: true
                group_number: 1
                group_failover_direct_to_internet: false
                sla_policy_name: sla_policy_1
```