# Cisco Meraki

## Step 1 - Creating a new branch connection

Log in to the [GoodAccess **Control Panel**](https://app.goodaccess.com/branches/), and go to **Network** > **Clouds & Branches**.

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration:**

* **Shared Secret** - Create a new strong password
* **Public IP** - Public IP of your Cisco Meraki device
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 14 - modp2048
* **Diffie-Hellman Groups (Phase 2)** - 14 - modp2048
  {% endhint %}

## Step 2 - Creating a new site-to-site connection

Log in to the [Cisco Meraki Admin console](https://account.meraki.com/login), and go to **Security & SD WAN** > **Site-to-site VPN**.

{% hint style="info" %}
Make sure that the **local LAN** you wish to access via GoodAccess is participating in the VPN.
{% endhint %}

Scroll down to **Organization-wide settings** > **Non-Meraki VPN peers**, and click **Add a peer**.

Give the peer a name and set the configuration as follows:

* **IKE version** - IKEv2
* **Public IP** - IP of your GoodAccess Gateway
* **Private subnets** - Subnet of your GoodAccess Gateway
* **Preshared secret** - Shared Secret [(Step 1)](#step-1-creating-a-new-branch-connection)
* **IPsec policies** - Click **Default** and set the configuration as follows:

{% hint style="info" %}
These settings must match the configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection).
{% endhint %}

#### Phase 1

* **Encryption** - AES256
* **Authentication** - SHA256
* **Diffie-Hellman group** - 14
* **Lifetime (seconds)** - 28800

#### Phase 2

* **Encryption** - AES256
* **Authentication** - SHA256
* **PFS group** - 14
* **Lifetime (seconds)** - 3600

Click **Update**, and **Save** to finish the configuration.

You have now successfully connected your device to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure that your device allows incoming connections from your **GoodAccess Gateway private subnet** on the following ports:

* **UDP 500**
* **UDP 4500**
  {% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **Cisco Meraki:** Go to **Security & SD WAN > VPN Status > Non-Meraki peer**.
  {% endhint %}
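
If the tunnel does not come up, a Phase 1 / Phase 2 proposal mismatch between Step 1 and Step 2 is worth ruling out first. The following is an added example, not code from GoodAccess or Cisco: it normalizes the values as each form on this page displays them and reports any difference, and it also flags branch subnets that overlap the gateway subnet. The dictionary keys and function names are assumptions made for this example.

```python
import ipaddress
import re

# Step 1 example values as the GoodAccess form displays them (from this page).
GOODACCESS = {
    "p1_encryption": "aes256", "p1_integrity": "sha256",
    "p1_dh_group": "14 - modp2048", "p1_lifetime": "8 hours (28800 seconds)",
    "p2_encryption": "aes256", "p2_integrity": "sha256",
    "p2_dh_group": "14 - modp2048", "p2_lifetime": "1 hour (3600 seconds)",
}
# Step 2 values as the Meraki IPsec policy form displays them (from this page).
MERAKI = {
    "p1_encryption": "AES256", "p1_integrity": "SHA256",
    "p1_dh_group": "14", "p1_lifetime": "28800",
    "p2_encryption": "AES256", "p2_integrity": "SHA256",
    "p2_dh_group": "14", "p2_lifetime": "3600",
}

def normalize(key, value):
    """Reduce a displayed value to a form both sides can be compared in."""
    text = str(value).strip().lower()
    if key.endswith("_lifetime"):
        # Accept "8 hours (28800 seconds)" or a bare number of seconds.
        match = re.search(r"(\d+)\s*seconds", text) or re.fullmatch(r"(\d+)", text)
    elif key.endswith("_dh_group"):
        # Accept "14 - modp2048", "group 14" or "14".
        match = re.match(r"(?:group\s*)?(\d+)", text)
    else:
        return text.replace("-", "").replace(" ", "")
    if match is None:
        raise ValueError(f"cannot parse {key}: {value!r}")
    return int(match.group(1))

def proposal_mismatches(side_a, side_b):
    """Return {key: (a, b)} for every parameter that differs or is missing."""
    diffs = {}
    for key in sorted(set(side_a) | set(side_b)):
        a = normalize(key, side_a[key]) if key in side_a else None
        b = normalize(key, side_b[key]) if key in side_b else None
        if a != b:
            diffs[key] = (a, b)
    return diffs

def overlapping_subnets(branch_subnets, gateway_subnet):
    """Branch CIDRs that overlap the gateway subnet; strict=True rejects host bits."""
    gateway = ipaddress.ip_network(gateway_subnet, strict=True)
    return [s for s in branch_subnets
            if ipaddress.ip_network(s, strict=True).overlaps(gateway)]

if __name__ == "__main__":
    print(proposal_mismatches(GOODACCESS, MERAKI) or "proposals match")
```

Replace the two dictionaries with the values from your own forms; an empty result means both sides propose the same algorithms, groups and lifetimes.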
