Summary: This guide provides a step-by-step configuration for establishing a Site-to-Site VPN between a Cisco IOS-XE router using a Static Virtual Tunnel Interface (SVTI) and a Meraki security appliance. This configuration uses IKEv2 and RSA signatures for authentication, which is more secure than using pre-shared keys.
First, we need to generate an RSA key pair on the IOS-XE router. This key will be used for authentication.
crypto key generate rsa general-keys label VPN-KEY modulus 2048
Next, we'll configure the IKEv2 proposal, policy, and profile. An IKEv2 keyring only holds pre-shared keys, so it is not used with RSA signatures: the Meraki side's public key is stored in the router's RSA public-key chain, and the IKEv2 profile selects RSA signature authentication in both directions.

! IKEv2 Proposal - Defines the encryption, integrity and Diffie-Hellman algorithms
crypto ikev2 proposal MERAKI_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14

! IKEv2 Policy - Selects the proposal (match statements for FVRF or local address are optional)
crypto ikev2 policy MERAKI_POLICY
 proposal MERAKI_PROPOSAL

! Peer public key - The Meraki side's RSA public key is pasted here once we get it from the Meraki dashboard later
crypto key pubkey-chain rsa
 addressed-key <MERAKI_PUBLIC_IP>
  key-string
   <MERAKI_PUBLIC_KEY_HEX>
  quit

! IKEv2 Profile - Matches the peer and uses RSA signatures instead of pre-shared keys
crypto ikev2 profile MERAKI_IKEV2_PROFILE
 match identity remote address <MERAKI_PUBLIC_IP> 255.255.255.255
 identity local address <IOS_XE_PUBLIC_IP>
 authentication remote rsa-sig
 authentication local rsa-sig
Now, we'll configure the IPsec transform set and profile.

! IPsec Transform Set - Defines the encryption and integrity for the data plane (the key size is a separate argument: "esp-aes 256")
crypto ipsec transform-set MERAKI_TRANSFORM_SET esp-aes 256 esp-sha256-hmac
 mode tunnel

! IPsec Profile - Ties the transform set and the IKEv2 profile together
crypto ipsec profile MERAKI_PROFILE
 set transform-set MERAKI_TRANSFORM_SET
 set ikev2-profile MERAKI_IKEV2_PROFILE
Finally, we'll create the SVTI.

interface Tunnel0
 ip address 169.254.0.1 255.255.255.252
 tunnel source <IOS_XE_PUBLIC_IP>
 tunnel mode ipsec ipv4
 tunnel destination <MERAKI_PUBLIC_IP>
 tunnel protection ipsec profile MERAKI_PROFILE
Add a static route to the remote subnet through the tunnel interface.

ip route <MERAKI_SUBNET> <SUBNET_MASK> Tunnel0

To display the router's own RSA public key (the VPN-KEY pair generated earlier) so it can be entered on the Meraki side, use:

show crypto key mypubkey rsa VPN-KEY
On the IOS-XE router, you can use the following commands to verify the VPN is up:
show crypto ikev2 sa
show crypto ipsec sa
show ip interface brief Tunnel0
ping <MERAKI_DEVICE_IP>
On the Meraki dashboard, the VPN status should show as green.
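Before pasting a configuration like the one above onto the router, it helps to lint it offline for the two mistakes that most often leave the tunnel down or weakly protected: a profile or transform set that is referenced but never defined, and a legacy cipher, hash or DH group left in the proposal. The checker below is an added example (not part of this guide or any Cisco tool); it parses IOS one-space indentation, and the DRAFT sample is constructed in the shape of this page's config with the IKEv2 profile deliberately left out.

```python
# Algorithm tokens that should not appear in a new IKEv2/IPsec deployment.
WEAK = {"des", "3des", "md5", "sha1", "esp-des", "esp-3des", "esp-md5-hmac", "esp-sha-hmac"}
WEAK_GROUPS = {"1", "2", "5"}  # DH groups weaker than group 14 (2048-bit MODP) used on this page
# Sub-command -> the top-level block type its argument must resolve to.
REFS = {"set ikev2-profile": "crypto ikev2 profile", "set transform-set": "crypto ipsec transform-set",
        "proposal": "crypto ikev2 proposal", "tunnel protection ipsec profile": "crypto ipsec profile"}

def parse_blocks(config):
    """Split an IOS config into {header: [sub-commands]} using IOS's one-space indentation."""
    blocks, current = {}, None
    for line in (ln for ln in config.splitlines() if ln.strip() and not ln.startswith("!")):
        if not line.startswith(" "):  # a column-0 line starts a new block
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def lint(config):
    """Return a list of findings; an empty list means both checks passed."""
    blocks, findings = parse_blocks(config), []
    def names(prefix):  # names of every defined block of one type, e.g. each 'crypto ikev2 profile X'
        return {h[len(prefix):].split()[0] for h in blocks if h.startswith(prefix + " ")}
    for header, children in blocks.items():
        for child in children:
            # Check 1: every referenced profile/proposal/transform set is actually defined.
            for ref, prefix in REFS.items():
                name = child[len(ref):].split()[0] if child.startswith(ref + " ") else None
                if name and name not in names(prefix):
                    findings.append(f"{header}: references undefined {prefix} {name}")
        # Check 2: no weak ciphers, hashes or DH groups in the IKEv2 proposal or transform set.
        if header.startswith(("crypto ikev2 proposal ", "crypto ipsec transform-set ")):
            tokens = set(header.split()) | {t for c in children for t in c.split()}
            findings += [f"{header}: weak algorithm {w}" for w in sorted(WEAK & tokens)]
            findings += [f"{header}: weak DH group {c.split()[1]}" for c in children
                         if c.startswith("group ") and c.split()[1] in WEAK_GROUPS]
    return findings

# Constructed sample in the shape of this page's config, with the IKEv2 profile left undefined.
DRAFT = """\
crypto ikev2 proposal MERAKI_PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ipsec transform-set MERAKI_TRANSFORM_SET esp-aes 256 esp-sha256-hmac
crypto ipsec profile MERAKI_PROFILE
 set transform-set MERAKI_TRANSFORM_SET
 set ikev2-profile MERAKI_IKEV2_PROFILE
"""
```

Run `lint(DRAFT)` to see the dangling MERAKI_IKEV2_PROFILE reference reported; feeding it the full configuration from this guide, or your own `show running-config` output, works the same way.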