Configuring a site-to-site VPN tunnel with Coro Network and Cisco Meraki

As part of a virtual office, Coro includes the ability for customers to configure VPNs together with site-to-site VPN tunnels.

This guide describes how to establish a site-to-site VPN tunnel between Coro and a Cisco Meraki appliance through the Cisco Meraki platform, and how to configure Coro to integrate with Cisco Meraki's firewall.

To configure a Cisco Meraki site-to-site VPN tunnel, complete the following processes:

  1. Configure Cisco Meraki to allow traffic from inside and outside the network
  2. Configure Coro to integrate with Cisco Meraki's firewall

Prerequisites

Before you start, make sure you have the following:

  • Access as an admin user to the Coro console for your workspace
  • An active subscription (or trial) for the Coro Network module
  • Access to the Cisco Meraki Dashboard

Configuring Cisco Meraki

Configure Cisco Meraki to allow traffic from inside and outside the network:

Important

The Cisco Meraki configuration method is the same whether Virtual MX (VMX) is hosted on Azure/AWS or is a physical device.

  1. Sign in to your Cisco Meraki Dashboard.
  2. Select Network.
  3. Select your preferred VMX appliance.
  4. Go to Security & SD-WAN > Appliance status.
  5. Select Uplink and note the PUBLIC IP address value.
  6. Go to Security & SD-WAN > Addressing and VLANs.
  7. Under Routing, select the LAN Config table.

    The Configure Single LAN dialog appears.

  8. Note the Subnet and VLAN interface IP values, which are set to your internal IP address.
  9. Go to Security & SD-WAN > Firewall.
  10. For both Inbound rules and Outbound rules, make sure Source is set to Any for the Allow policy. Leave the Deny policy at its default values.

    Important

    If your setup requires changing these settings, ensure they do not block Coro's IP address.

  11. Go to Security & SD-WAN > Site-to-site VPN.

  12. Configure the Site-to-site VPN and VPN settings options:
    • Type: Select Hub (Mesh).
    • Local networks: Set VPN mode to "Enabled" for the Main subnet.
    • NAT Traversal: Select Automatic.
    • Remote VPN Participants: Leave as default.
    • BGP & OSPF settings: Leave as default.
  13. Configure Organization-wide settings:
    1. Select Add a peer.

      A new row is added to the Non-Meraki VPN peers table.

    2. Enter the following settings:
      • Name: Enter a suitable peer connection name.
      • IKE Version: Select "IKEv2".
      • IPSec Policies: Select the Default link.

        An IPsec policy configuration dialog appears.

        1. In the Phase 1 section, make sure your settings match the following:

          Field                    Value
          Encryption               Select "AES-256"
          Authentication           Select "SHA256"
          Pseudo-random Function   Select "SHA256"
          Diffie-Hellman group     Select "14"
          Lifetime (seconds)       Enter "28800"

        2. In the Phase 2 section, make sure your settings match the following:

          Field                    Value
          Encryption               Select "AES-256" and "AES-128"
          Authentication           Select "SHA256" and "SHA1"
          PFS group                Select "Off"
          Lifetime (seconds)       Enter "28800"

        3. To save your settings, select Update.

          The IPSec Policies link now displays as Custom.

      • Public IP/Hostname: Enter the Coro public IP address shown in the Coro console.

        To retrieve the Coro public IP address:

        1. Sign in to your Coro workspace.
        2. Select Control Panel.
        3. Select Network.

          The Coro public IP address displays on the Virtual Office page.

      • Local ID: Enter the public IP address of Cisco Meraki's VMX appliance noted in step 5.
      • Remote ID: Enter the Coro public IP address retrieved for Public IP/Hostname.
      • Private subnets: Enter "10.8.0.0/16, 10.9.0.0/16".
      • Preshared key: Enter a shared password (secret) or generate a new one.
      • Availability: Select "All networks".
      • Inbound firewall logging: Select Enable to allow for more granular control over network security and traffic management.
      • Site-to-site outbound firewall: Make sure the policy is set to "Allow".

  14. Select Save Changes to save your settings.

    Allow one to two minutes for your changes to take effect.

Configuring Coro Network

Configure Coro with details of your site-to-site tunnel and firewall:

  1. Sign in to your Coro workspace.
  2. Select Control Panel.
  3. Select Network.
  4. Select the Settings tab.
  5. Select + ADD to add a new site-to-site tunnel configuration.

  6. Configure your Site details:

    Field               Value
    Site name           Enter a suitable name for your site-to-site tunnel.
                        Special characters and spaces are not supported.
    Site description    Enter a suitable short description for the tunnel.
                        Special characters and spaces are not supported.
    Remote gateway IP   Enter Cisco Meraki's public IP address noted in step 5 of Configuring Cisco Meraki
    Remote network IP   Enter Cisco Meraki's subnet noted in step 8 of Configuring Cisco Meraki
    Preshared key       Enter the preshared key set for the peer in step 13 of Configuring Cisco Meraki
    Lifetime key        Enter "28800"

  7. In the same dialog, configure the Firewall settings:

    Field                 Value
    Remote Network Mask   Enter Cisco Meraki's subnet noted in step 8 of Configuring Cisco Meraki
    IKE Version           Select "IKEv2"
    Phase 1 Encryption    Select "AES256-SHA256-D14"
    Phase 2 Encryption    Select "AES256-SHA256-D14"
    Aggressive Mode       Select "No"

  8. To save your configuration, select SAVE.
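
A pre-flight check for the values entered on the two sides, as an added example that is not part of the Coro or Cisco Meraki documentation. The proposal values, lifetime and Coro subnets are the ones given in the steps above; the function names, the sample LAN subnet and the hex key format are assumptions.

```python
import ipaddress
import re
import secrets

# Values from the guide; DH is compared for Phase 1 only (Meraki PFS group is "Off").
CORO_SUBNETS = ["10.8.0.0/16", "10.9.0.0/16"]  # Meraki "Private subnets"
MERAKI_P1 = {"enc": {"AES-256"}, "auth": {"SHA256"}, "dh": {"14"}}
MERAKI_P2 = {"enc": {"AES-256", "AES-128"}, "auth": {"SHA256", "SHA1"}}
LIFETIME = 28800


def parse_coro_proposal(label):
    """Split a Coro label such as 'AES256-SHA256-D14' into its parts."""
    m = re.fullmatch(r"AES(\d+)-(SHA\d+)-D(\d+)", label)
    if not m:
        raise ValueError(f"unrecognised proposal label: {label!r}")
    return {"enc": f"AES-{m.group(1)}", "auth": m.group(2), "dh": m.group(3)}


def preflight(meraki_lan, coro_p1, coro_p2, coro_lifetime):
    """Return a list of mismatches; an empty list means both sides agree."""
    problems = []
    try:
        lan = ipaddress.ip_network(meraki_lan, strict=True)  # rejects host bits set
    except ValueError as exc:
        problems.append(f"Remote network IP is not a subnet: {exc}")
    else:
        for cidr in CORO_SUBNETS:
            if lan.overlaps(ipaddress.ip_network(cidr)):
                problems.append(f"Meraki LAN {lan} overlaps Coro subnet {cidr}")
    for phase, label, allowed in (("Phase 1", coro_p1, MERAKI_P1),
                                  ("Phase 2", coro_p2, MERAKI_P2)):
        parts = parse_coro_proposal(label)
        for field, accepted in allowed.items():
            if parts[field] not in accepted:
                problems.append(f"{phase} {field}: {parts[field]} not in Meraki policy")
    if coro_lifetime != LIFETIME:
        problems.append(f"Lifetime {coro_lifetime} differs from Meraki's {LIFETIME}")
    return problems


def new_preshared_key(nbytes=24):
    """Random PSK as hex (assumption: hex avoids special-character limits)."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample LAN subnet; use the Subnet value noted in step 8.
    print(preflight("192.168.128.0/24", "AES256-SHA256-D14", "AES256-SHA256-D14", 28800))
```

An empty list means the Coro values match the Meraki peer settings and the Meraki LAN does not collide with Coro's private subnets.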