| technology | networking - Jon Welling
How to Create a Site-To-Site VPN Topology
Creating a site-to-site VPN was once one of the most challenging configurations that network admins needed to apply to security appliances. Thankfully, Cisco has made that process easy.
With Cisco Meraki MX security appliances the heavy lifting is now automated (Meraki calls the feature AutoVPN), so let's discuss how you would connect two business locations together with Meraki firewalls.
Why Do You Need a Site-to-Site VPN?
It's not uncommon for small or medium-sized businesses to have multiple locations. But, of course, connecting two offices in different geographic areas is not easy. It's not like you can stretch a giant cable between those two sites. In this case, you would use a site-to-site VPN to connect both of those offices.
The other option would be to use third-party services to share information between the two sites. For instance, a lot of businesses are moving to Microsoft 365 or Google Workspace, and both include file sharing and syncing, so employees could use those services to exchange files with each other.
There are glaring holes in that approach, though. What if someone in office A needs to reach a self-hosted service in office B that is deliberately not exposed to the internet? How do IT admins get Active Directory domain controllers in both offices to replicate with each other? Cloud file sharing answers none of that.
The primary goal of connecting two branch locations with a site-to-site VPN is to make those offices behave as if they were on the same network. The VPN achieves that by building an encrypted IPsec tunnel over the public internet between the two firewalls. Every packet sent through the tunnel is encrypted and integrity-protected, so an outside party on the path can neither read it nor silently alter it. In that way, a site-to-site VPN is like stretching a giant virtual cable between both offices.
With a site-to-site VPN in place, geographically separate offices communicate as though they shared one physical network. For instance, assume you have two sites 500 miles apart; call them site A and site B. Site A uses the 192.168.1.0/24 address space, while site B uses 192.168.10.0/24. Despite the distance, a host at site A can ping 192.168.10.35 (assuming a device has that address) and receive a response, because each firewall routes the other site's subnet into the tunnel. Without the VPN (or a private WAN circuit such as MPLS), those private addresses would not be reachable across the internet at all. Note that this only works because the two sites use different, non-overlapping ranges.
An Overview of How to Create Site-to-Site Topologies [VIDEO]
In this video, Knox Hutchinson covers how to configure site-to-site VPNs. This is one of the most complicated configurations in all of security appliance configuration. Between IPsec protocols, Phase 1 and Phase 2 tunnel negotiation, and the encryption, hashing, and authentication options, it can be overwhelming. What you'll learn here will simplify the process substantially.
How to Connect Two Business Locations With a VPN
Creating a site-to-site VPN with a Cisco MX firewall is very easy. Let's walk through this process.
First, log into the Meraki dashboard and select the network that contains the MX you want to configure (MX settings live in the cloud dashboard, not on the appliance itself). Click 'Security & SD-WAN' in the navigation panel on the left-hand side, then click 'Site-to-site VPN.'
On the 'Site-to-site VPN' page, the 'Type' setting offers three options: Off, Hub (Mesh), and Spoke. Select either Hub or Spoke depending on the role you want this site to play in the VPN.
After making your selection, a new set of options appears. For either role, the page lists the local subnets configured on this MX; for each one, set 'VPN on' if that subnet should be reachable from the other sites, or leave it off if it should stay local. Only the subnets you enable are advertised to the VPN peers.
If you choose Spoke, you also pick the hub network (or networks) this spoke will tunnel to. That network must itself be configured as a hub.
Make your selections from those additional options, then press 'Save Changes.' After you save, the Meraki cloud negotiates the tunnel parameters and pushes them to the appliances; you never type an IPsec policy by hand.
You are not done yet, though. Enabling AutoVPN on one network only publishes that site's role and subnets. A tunnel is built only between two networks that both participate (two hubs, or a spoke and the hub it names), and a subnet is reachable across it only if the site that owns it has marked it 'VPN on.' So you need to log into every other network that should be part of the VPN and complete the same steps: set its type, pick its hub if it is a spoke, and enable the subnets it should share.
If two spoke sites need to reach each other, make sure both point at the same hub. Spokes build tunnels only to their hubs, so spoke-to-spoke traffic is relayed through the hub they share; spokes on different hubs may not be able to talk as intended.
After you configure all the networks that need to be connected, you are done. It's that easy! Meraki applies the needed routing changes to every participating MX and establishes the tunnels for you.
Don't forget that this process only builds the site-to-site VPN between two or more Cisco MX appliances. It does not configure firewall rules or any other security settings; Meraki keeps separate firewall rules for traffic crossing the VPN, and you will still need to set those, plus each site's own policies, separately.
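The same three ingredients the dashboard page asks for (type, hub selection, and which local subnets are 'VPN on') can be driven from the Meraki Dashboard API v1, which is how you would roll the procedure out to many sites. The following is an added example, not code from the original article or from Cisco Meraki: it builds the request body for a hub at site A and a spoke at site B, checks that the subnets the two sites advertise do not overlap, and only pushes the bodies with PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn if an API key is present. The network IDs, the MERAKI_API_KEY variable name and the subnets are constructed placeholders.

```python
"""Build and (optionally) push Meraki AutoVPN settings for a hub and a spoke.

Added example, not code from the original article or from Cisco Meraki.
Endpoint: PUT /networks/{networkId}/appliance/vpn/siteToSiteVpn (Dashboard API v1).
Network IDs, API key variable and subnets below are constructed placeholders.
"""
import ipaddress
import json
import os
import urllib.request
from itertools import combinations

BASE_URL = "https://api.meraki.com/api/v1"
VALID_MODES = ("none", "hub", "spoke")  # Off, Hub (Mesh), Spoke on the dashboard

# Constructed inventory: site A (HQ) will be the hub, site B (branch) a spoke.
SITE_A = "L_100000000000000001"
SITE_B = "L_100000000000000002"


def site_to_site_vpn_body(mode, local_subnets, vpn_subnets, hub_ids=()):
    """Return the request body for one network.

    local_subnets -- every LAN subnet configured on this MX
    vpn_subnets   -- the subset to advertise over the VPN (the 'VPN on' toggles)
    hub_ids       -- for a spoke, the network ID(s) of the hub(s) it tunnels to
    """
    if mode not in VALID_MODES:
        raise ValueError(f"mode must be one of {VALID_MODES}, got {mode!r}")
    if mode == "spoke" and not hub_ids:
        raise ValueError("a spoke must name at least one hub")
    if mode != "spoke" and hub_ids:
        raise ValueError("only a spoke names hubs; a hub meshes with all other hubs")
    # strict=True rejects a host address written with a prefix, e.g. 192.168.10.35/24
    local = {str(ipaddress.ip_network(s, strict=True)) for s in local_subnets}
    wanted = {str(ipaddress.ip_network(s, strict=True)) for s in vpn_subnets}
    if not wanted <= local:
        raise ValueError(f"not configured on this MX: {sorted(wanted - local)}")
    return {
        "mode": mode,
        "hubs": [{"hubId": h, "useDefaultRoute": False} for h in hub_ids],
        "subnets": [{"localSubnet": s, "useVpn": s in wanted} for s in sorted(local)],
    }


def plan_two_sites():
    """One body per network: both sides must be configured before a tunnel forms."""
    return {
        SITE_A: site_to_site_vpn_body("hub", ["192.168.1.0/24", "10.99.0.0/24"],
                                      ["192.168.1.0/24"]),
        SITE_B: site_to_site_vpn_body("spoke", ["192.168.10.0/24"],
                                      ["192.168.10.0/24"], hub_ids=[SITE_A]),
    }


def overlapping_vpn_subnets(plan):
    """Subnets advertised over the VPN must not overlap across sites; the
    192.168.10.35 example only works because the offices use different ranges.
    Returns a list of (network, subnet, network, subnet) conflicts."""
    advertised = [(nid, ipaddress.ip_network(s["localSubnet"]))
                  for nid, body in plan.items()
                  for s in body["subnets"] if s["useVpn"]]
    return [(a, str(x), b, str(y))
            for (a, x), (b, y) in combinations(advertised, 2)
            if a != b and x.overlaps(y)]


def push(network_id, body, api_key):
    """PUT the body to the dashboard; only called when an API key is present."""
    req = urllib.request.Request(
        f"{BASE_URL}/networks/{network_id}/appliance/vpn/siteToSiteVpn",
        data=json.dumps(body).encode(), method="PUT",
        headers={"X-Cisco-Meraki-API-Key": api_key,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    plan = plan_two_sites()
    conflicts = overlapping_vpn_subnets(plan)
    if conflicts:
        raise SystemExit(f"fix overlapping VPN subnets first: {conflicts}")
    key = os.environ.get("MERAKI_API_KEY")  # hypothetical variable name
    for nid, body in plan.items():
        print(nid, json.dumps(body, indent=2))
        if key:
            push(nid, body, key)
```

Run without MERAKI_API_KEY set and the script only prints the two bodies, which is a convenient way to review what each site will advertise before anything is pushed. Add a third site whose 'VPN on' subnet overlaps an existing one and the overlap check stops the rollout, which is the mistake most likely to break the cross-site ping described above.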
What is the Difference Between a Hub or Spoke VPN in a Cisco MX firewall?
When you configure a site-to-site VPN connection for Cisco MX firewalls, you are given the option of creating a Hub or Spoke connection. What are the differences between those two VPN connection types, and why would you choose one connection type over another?
A Hub (Mesh) site builds a tunnel to every other hub in the organization, so the hubs form a full mesh. A Spoke builds tunnels only to the hub (or hubs) you select for it, never directly to another spoke.
Hub (Mesh) is the simplest choice and the one to pick when every site needs to reach every other site directly: all hubs can use each other's resources without an intermediate hop. Its cost is tunnel count, which grows as n(n-1)/2 for n hubs, so larger deployments usually run one or two hubs (a headquarters or data center) and configure the branches as spokes.
As we mentioned, though, a spoke only tunnels to its hub(s). Why would you configure a site as a spoke rather than as another hub in the mesh?
Let's say an off-site finance department needs to reach a file share hosted at corporate headquarters, and no other department should be able to reach it. Configuring the finance office as a spoke of the headquarters hub gives it a single tunnel to headquarters and no tunnels to the other branches. Bear in mind, though, that spokes of the same hub can still reach each other through that hub, so the topology alone does not fence off the share; the restriction itself has to be enforced with the firewall rules for VPN traffic mentioned earlier.
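To make the hub-versus-spoke trade-off concrete, here is an added example (not code from the original article or from Cisco Meraki) that enumerates which site pairs get a tunnel under a given layout, counts tunnels for a full mesh versus one hub with spokes, and checks whether two spokes share a hub and can therefore still exchange traffic. It models only the rules stated above; the HQ, Finance and Sales site names are constructed.

```python
"""Which AutoVPN tunnels a hub/spoke layout produces, and whether two spokes
can still reach each other through a shared hub.

Added example, not code from the original article or from Cisco Meraki. Rules
modelled: hubs mesh with every other hub, a spoke tunnels only to the hub(s) it
names, and two spokes never tunnel directly, so spoke-to-spoke traffic is
relayed by a hub they both use. Site names are constructed.
"""
from itertools import combinations


def vpn_tunnels(topology):
    """topology: {site: {"mode": "hub"|"spoke"|"none", "hubs": [site, ...]}}
    Returns the sorted list of site pairs that build an IPsec tunnel."""
    hubs = {s for s, cfg in topology.items() if cfg["mode"] == "hub"}
    tunnels = set(combinations(sorted(hubs), 2))  # full mesh between hubs
    for site, cfg in topology.items():
        if cfg["mode"] != "spoke":
            continue
        for hub in cfg.get("hubs", []):
            if hub not in hubs:
                raise ValueError(f"{site} points at {hub}, which is not a hub")
            tunnels.add(tuple(sorted((site, hub))))
    return sorted(tunnels)


def shared_hubs(topology, a, b):
    """Hubs that both spokes a and b tunnel to. A non-empty result means a and b
    can exchange traffic via that hub even though no direct tunnel exists."""
    return sorted(set(topology[a].get("hubs", [])) & set(topology[b].get("hubs", [])))


def tunnel_counts(n_sites):
    """Full mesh of n hubs versus one hub with n-1 spokes."""
    return {"mesh": n_sites * (n_sites - 1) // 2, "hub_and_spoke": n_sites - 1}


# Constructed version of the article's scenario: HQ hosts the finance share,
# Finance is a spoke of HQ, and so is a Sales branch.
COMPANY = {
    "HQ":      {"mode": "hub",   "hubs": []},
    "Finance": {"mode": "spoke", "hubs": ["HQ"]},
    "Sales":   {"mode": "spoke", "hubs": ["HQ"]},
}

if __name__ == "__main__":
    print(vpn_tunnels(COMPANY))                       # [('Finance', 'HQ'), ('HQ', 'Sales')]
    print(shared_hubs(COMPANY, "Finance", "Sales"))   # ['HQ']: not isolated by topology alone
    print(tunnel_counts(10))                          # {'mesh': 45, 'hub_and_spoke': 9}
```

The shared_hubs result for Finance and Sales is the point of the finance example: both spokes terminate on HQ, so the only thing keeping Sales away from the finance share is a firewall rule on the VPN traffic, not the choice of spoke. The tunnel_counts comparison is why a ten-site organization would rarely run ten hubs.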
We went over a lot of information; however, we barely scratched the surface of what Meraki MX firewalls are capable of. If you are interested in learning more about the Cisco MX line of devices, consider taking a complete training course on Cisco Meraki firewalls.
Configuring site-to-site VPNs with a Cisco MX firewall is easy. First, select 'Site-to-site VPN' from the 'Security & SD-WAN' menu. Then choose whether you want a hub or spoke VPN connection. Finally, choose which subnets you want to allow access to that VPN connection and save your settings.
That enables the VPN for one network only. Tunnels form between networks that have both been configured, so repeat the steps above on every other MX network that should take part, choosing the same hub for any spokes that need to reach each other.