Overview

This guide walks you through creating an IPSec tunnel to connect your Meter network with third-party firewalls, cloud providers, or other IPSec-compatible devices.

Who can modify this feature?

  • Partner
  • Company/Network Admins with write access
  • Meter Support

Prerequisites

Before creating an IPSec tunnel, ensure you have:
  1. The public IP address of your Meter Firewall (found under Hardware > Firewalls)
  2. The public IP address or FQDN of the remote gateway
  3. A pre-shared key agreed upon with the remote site administrator
  4. The remote network subnets that should be accessible
  5. The local VLANs you want to share over the tunnel

How to add an IPSec tunnel

  1. Log in to the Dashboard at dashboard.meter.com
  2. Navigate to Secure Tunnels > IPSec
  3. Click Add IPSec Tunnel
A configuration panel will appear on the right-hand side of the screen.

Configuration options

Basic settings

| Setting | Description |
| --- | --- |
| Enable | Toggle ON to enable the IPSec tunnel |
| Name | Display name for the tunnel in the Dashboard |
| Local IP or FQDN | Public IP address of the Meter Firewall (found under Hardware > Firewalls) |
| Remote IP or FQDN | Public IP address or domain name of the remote gateway |
| Initiator | If enabled, the Meter Firewall initiates the tunnel connection. If disabled, it assumes a role automatically |
| Preshared key | Shared secret that must match on both ends of the tunnel |

Network settings

| Setting | Description |
| --- | --- |
| Remote Networks | Subnets on the other end of the tunnel that should be accessible |
| Local networks | VLANs you want accessible over the IPSec tunnel |
| Client VPN Bound | If enabled, users connected to the Client VPN can also traverse the IPSec tunnel |
| Bound WAN port | WAN interface for the IPSec tunnel (local IP should match the configured IP on this port) |

Advanced settings

| Setting | Description |
| --- | --- |
| Partner Type | Select AWS or Azure when connecting to these cloud providers. Required when multiple tunnels with the same remote subnet exist. |
| IKE Lifetime | How long the IKE security association remains valid before renegotiation (typically 8 hours) |
| Rekeying | YES: Meter initiates renegotiation. NO: Meter only responds to renegotiation requests |
| Reauthentication | YES: IKE SA is torn down and re-established at rekey. NO: IKE is only rekeyed |

Dead Peer Detection (DPD)

DPD monitors the health of the IPSec tunnel and takes action if the remote peer becomes unreachable.

| Setting | Description |
| --- | --- |
| DPD Action | Action to take when peer is unresponsive: Clear (delete IKE SAs), Hold (keep SAs but pause traffic), Restart (restart the tunnel) |
| DPD Timeout | How often keepalive messages are sent |
| DPD Delay | How long to wait before performing the DPD action if no response |

Tunnel types

| Type | Description | Use case |
| --- | --- | --- |
| Policy-based | Default tunnel type. The remote end must also use a policy-based tunnel. | General site-to-site connections |
| IPIP (route-based) | Used for AWS and Azure connections. | Cloud provider connectivity |

When connecting to AWS or Azure, select the appropriate partner type to enable IPIP tunnel mode. This ensures compatibility with the cloud provider’s route-based tunnel requirements.

Troubleshooting

Tunnel not establishing

  • Verify the pre-shared key matches on both ends
  • Confirm the local and remote IP addresses are correct
  • Ensure the WAN firewall allows IPSec traffic (UDP 500, UDP 4500, and ESP protocol)
  • Check that the remote gateway is reachable

Tunnel up but no traffic

  • Verify local and remote network subnets are configured correctly
  • Confirm firewall rules allow traffic between the tunnel subnets
  • Check for overlapping IP addresses between local and remote networks
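
The overlap check above, together with the Partner Type rule for tunnels that share a remote subnet, can be run against a planned configuration before it is entered in the Dashboard. This is an added example, not Meter code: the tunnel names, subnets and dictionary layout are constructed, and treating every tunnel in a shared-subnet group as needing a partner type is an assumption about how the rule applies.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan. Names, subnets and this dict layout are assumptions,
# not Meter's configuration format or API.
TUNNELS = [
    {"name": "hq-to-branch", "partner_type": None,
     "local": ["10.10.0.0/24", "10.20.0.0/24"],
     "remote": ["10.20.0.128/25", "192.168.50.0/24"]},
    {"name": "aws-primary", "partner_type": "AWS",
     "local": ["10.10.0.0/24"], "remote": ["172.31.0.0/16"]},
    {"name": "aws-backup", "partner_type": None,
     "local": ["10.10.0.0/24"], "remote": ["172.31.0.0/16"]},
]

def nets(cidrs):
    # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24,
    # which usually means a host address was pasted where a subnet belongs.
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def check_tunnels(tunnels):
    """Return a list of (tunnel_name, problem) findings for a tunnel plan."""
    findings = []
    # 1. Local and remote networks of one tunnel must not overlap,
    #    including partial overlap (a /25 inside a /24).
    for t in tunnels:
        for local in nets(t["local"]):
            for remote in nets(t["remote"]):
                if local.version == remote.version and local.overlaps(remote):
                    findings.append(
                        (t["name"], f"local {local} overlaps remote {remote}"))
    # 2. Tunnels that share a remote subnet need a partner type set.
    for a, b in combinations(tunnels, 2):
        shared = set(nets(a["remote"])) & set(nets(b["remote"]))
        for t in (a, b):
            if shared and not t["partner_type"]:
                subnets = ", ".join(sorted(map(str, shared)))
                findings.append(
                    (t["name"], f"shares remote {subnets} with another "
                                "tunnel but has no partner type"))
    return findings

if __name__ == "__main__":
    for name, problem in check_tunnels(TUNNELS):
        print(f"{name}: {problem}")
```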

Related features

  • AutoVPN - Alternative for connecting multiple Meter networks
  • Client VPN - Enable remote user access
  • Firewall ACLs - Manage firewall rules for tunnel traffic

Need help?

If you run into any issues or have questions, please reach out to our Support Engineering team by opening a ticket via the Dashboard: https://dashboard.meter.com/support

Last updated by Meter Support Engineering on 01/23/2026