# Cisco Meraki ## Step 1 - Creating a new branch connection [Log in to the GoodAccess **Control Panel**, and go to **Network** > **Clouds & Branches**.](https://app.goodaccess.com/branches/) Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation). Choose **IPSec** **Protocol**, and click **Continue**. Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps. Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control. {% hint style="info" %} You may return to the configuration via the **Edit** button of your Branch at any time. {% endhint %} {% hint style="info" %} **Example of configuration:** * **Shared Secret** - Create a new strong password * **Public IP** - IP of your Cisco * **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds) * **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds) * **Dead Peer Detection Delay** - 30 seconds * **Encryption (Phase 1)** - aes256 * **Encryption (Phase 2)** - aes256 * **Integrity (Phase 1)** - sha256 * **Integrity (Phase 2)** - sha256 * **Diffie-Hellman Groups (Phase 1)** - 14 - modp2048 * **Diffie-Hellman Groups (Phase 2)** - 14 - modp2048 {% endhint %} ## Step 2 - Creating a new site-to-site connection Log in to the [Cisco Meraki Admin console](https://account.meraki.com/login), and go to **Security & SD WAN** > **Site-to-site VPN**. {% hint style="info" %} Make sure that the **local LAN** you wish to access via GoodAccess is participating in the VPN. {% endhint %} Scroll down to the **Organization-wide settings** > **Non-Meraki VPN peers**, and click **Add a peer**. Give the peer a name and set the configuration as follows: * **IKE version** - IKEv2 * **Public IP** - IP of your GoodAccess Gateway * **Private subnets** - Subnet of your GoodAccess Gateway * **Preshared secret** - Shared Secret [(Step 1)](#step-1-creating-a-new-branch-connection) * **IPsec policies** - Click **Default** and set the configuration as follows: {% hint style="info" %} Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection). {% endhint %} #### Phase 1 * **Encryption** - AES256 * **Authentication** - SHA256 * **Diffie-Hellman group** - 14 * **Lifetime (seconds)** - 28800 #### Phase 2 * **Encryption** - AES256 * **Authentication** - SHA256 * **PFS group** - 14 * **Lifetime (seconds)** - 3600 Click **Update**, and **Save** to finish the configuration. You have now successfully connected your device to GoodAccess. {% hint style="warning" %} **Firewall rules** Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports: * **UDP 500** * **UDP 4500** {% endhint %} {% hint style="info" %} **You may check the status of the connection in:** * **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled). * **Cisco Meraki:** Go to **Security & SD WAN > VPN Status > Non-Meraki peer**. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://support.goodaccess.com/configuration-guides/branch-connector/cisco-meraki.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.