search cancel

Web Security Service Legacy IPSEC Connectivity Instructions - Cisco Meraki

book

Article ID: 174307

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Like other vendor firewalls, you configure the Cisco Meraki firewall to perform a Site-to-Site VPN connection to the Web Security Service. However, Meraki firewalls always forces NAT-T even when the device connects directly from a public IP address. Furthermore, Meraki firewalls do not support certificates. Therefore, the procedure to route web traffic to the Web Security Service differs from other vendors.

Environment

Deployment Notes

  • The Web Security Service is a third-party peer, which means the settings are organizationwide.
  • Use of the Meraki firewall Access Method requires the All Ports license. 
  • Firewalls belonging to the same organization (account in their cloud portal) cannot have the overlapping ACL destination networks. To forward all internet traffic to the Web Security Service, you must configure the ACL subnet to 0.0.0.0/0. This leads to the following restrictions:
    • There can only be one third-party peer (the datacenter VIP) configured in an organization.
    • All Meraki firewalls in the organization can talk to that one datacenter only.
    • All Meraki firewalls in the organization must use the same pre-shared key (PSK). So these sites should be configured in the WSS portal with the same PSK.
    • Because there can be only datacenter VIP configured in the organization, you cannot configure second datacenter for failover purposes.
    • Because all Meraki firewalls in the organization will connect to the single third-party peer (DC) configured in the organization, you must add a Location for each Meraki firewall.
  • To work around some of the limitations above, separate your firewalls across multiple organizations.
  • Do not send Auth Connector traffic to the Web Security Service.
  • You can create a designated host or subnet that tests the IPsec connectivity to the Web Security Service without interrupting the production traffic. After successful testing, you then add production subnets.
  • The best practice is to set the rekey at the specified lifetime interval instead of for lifebytes.

Note: Symantec has seen outages occur if the Phase 2 Timeout value is set to longer than four (4) hours. If the current setting is less than four hours, you can leave that
value. Otherwise, adjust the time. The screenshots in the following procedure might not reflect this advisory.

Resolution

Prerequisites

  • At least one Meraki firewall is deployed as a security device. 
  • Based on the deployment notes above, determine if you are configuring a single Meraki device for all connections or deploying a Meraki device in multiple geographical locations as required for your network security architecture.
  • Have access credentials to the Meraki cloud-based interface. 
  • Know the subnet (local network) that is to connect to the Web Security Service. 
  • Identify and record the VIP of the closest Web Security Service datacenter

Procedure

  1. Access the Meraki web-based interface: https://dashboard.meraki.com; log in.
  2. Select Security Appliance > Configure > Site-to-Site VPN
  3. Select a network.
    • If you have a single existing network that already applies to the traffic that will route to the Web Security Service, proceed to the next step.
    • If you have multiple existing networks: From the Network drop-down list, select an existing network to configure.
    • You want to create a new network that applies to another static route.
      Tip: This requires an unassigned device and its serial number.
      1. ​From the Network drop-down list, select Create a New Network. The interface displays the network
        creating screen.
      2. Name the network.
      3. For Network Type, select Security Appliance.
      4. Accept the Default Meraki Configuration.
      5. Click Add Devices; complete the on-screen instructions.
      6. Click Create Network.
      7. Return to the Security Appliance > Configure > Site-to-Site VPN screen.
  4. Return to the Security Appliance > Configure > Site-to-Site VPN screen.
  5. In the Site-to-Site VPN > Type area, select Hub (Mesh). This expands the screen to more VPN parameters.
  6. Set the VPN settings. 
    1. Enter theb that routes to the Web Security Service.
    2. From the Use VPN drop-down list, select Yes.
    3. For NAT Traversal, select Automatic.
  7. Define the Non-Merkai VPN peer, which is the Web Security Service datacenter.
    Tip: Remember, you must use the same VIP for all of your Meraki configurations. You
    cannot connect to multiple datacenters.

    1. Name the peer. Because this is the Web Security Service datacenter location, consider using a geological
      name.
    2. Enter the Web Security Service datacenter Public IP (VIP).
    3. The Private Subnet must be 0.0.0.0/0.
    4. Accept the Default IPsec Policies.
    5. Enter the Preshared Secret key (PSK) used to by the Web Security Service to authenticate the tunnel.
      Refer to your planning sheet.

      Tip: The PSK must be at least eight characters and cannot use special
      characters.
  8. Accept the default Site-to-Site Inbound and Outbound firewall rules. The outbound rule must allow all; the inbound
    rule cannot be changed.
  9. Click Save Changes.

Monitoring the VPN

After you create a Location in the Web Security Service portal (Next Selection below) and the Meraki device begins to communicate with the cloud service, you can return to the interface monitor the status of the VPN connection. 

  • Select Security Appliance > Monitor > VPN Status.

Attachments