Complete Guide: Configuring IPSec VPN between Palo Alto Firewall & Meraki MX Security Appliance
This article shows how to configure an IPSec VPN tunnel between a Palo Alto firewall (all PAN-OS versions) and a Meraki MX security appliance. The guide covers IPSec VPN setup for static and dynamic IP endpoints, full tunnel and split tunnel VPN configuration, special considerations for full and split tunnel modes, IPSec Phase 1 (IKE gateway and crypto policies), IPSec Phase 2 (tunnel encryption algorithms and authentication), and more.
Key Topics:
Palo Alto Firewall Setup
- Step 1 – Create a Tunnel Interface
- Step 2 – Configure IKE Crypto Profile (IKEv1 - Phase 1)
- Step 3 – Configure IKE Gateway
- Step 4 – Configure IPSec Crypto Profile – (IKE Phase 2)
- Step 5 – Create IPSec Tunnel
- Step 6 – Configure VPN Routing (Remote Site Traffic)
- Step 7 – Configure Security Policies (IKE/IPSec & Remote Site Traffic)
Meraki MX Security Appliance Setup
- Step 1 – Enable Site-to-Site VPN
- Step 2 – Enable VPN Mode for Local Networks
- Step 3 – Configure Non-Meraki VPN Peer, IKE Version, Auth ID, Subnets & Preshared Secret
- Step 4 – Configure IPSec Policies (Phase 1 & Phase 2)
- Step 5 – Split Tunnel and Full Tunnel Mode
- Step 6 – Initiate and Test the VPN Tunnel
- Summary
This article assumes both the Palo Alto firewall and the Meraki MX are fully configured to allow local clients access to the internet. We'll begin with the configuration of the Palo Alto firewall and then work on the Meraki MX appliance.
Step 1 – Create a Tunnel Interface
Under Network, select Interfaces, then the Tunnel menu option. The firewall will now show all configured tunnel interfaces. The interface ‘tunnel’, as shown below, exists by default on all firewalls: