Meraki

Community

Article / IPsec policy incorrect? (Configuring Site to Site VPN tunnels to Azure VPN Gateway)

mmzzaq
Here to help
‎Sep 28 2020 8:24 AM
‎Sep 28 2020 8:24 AM

Article / IPsec policy incorrect? (Configuring Site to Site VPN tunnels to Azure VPN Gateway)

In this article: https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site_to_Site_VPN_tunnels_to_Azure_V...

you see Meraki choosing a IPsec policy preset called 'Azure'. This policy does a Phase 2 Lifetime of 3600.

 

In this article: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

at 'IKE Phase 2 (Quick Mode) parameters' you see Azure doing a RouteBased Phase 2 Lifetime of 27000. IPsec policy's are not editable in Azure.

 

Either the Meraki article or the IPsec template which you select in the Meraki device is incorrect (Phase 2 Lifetime should be 27000 on Meraki's side instead of 3600).

 

Note: Azure does not support PolicyBased in combination with Meraki so PolicyBased settings are not applicable (see 'Validated VPN devices and device configuration guides' in the Azure article).

4 Replies 4
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 28 2020 12:11 PM
‎Sep 28 2020 12:11 PM

Although the lifetimes are different, there is typically no problem with this. In IKEv1 the Phase 1 and Phase 2 lifetimes  are negotiated to the lower of both values.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
In response to KarstenI
mmzzaq
Here to help
‎Sep 29 2020 3:42 AM
‎Sep 29 2020 3:42 AM

Incorrect, the link to Azure will not work with a P2 lifetime of 3600.

0 Kudos
In response to mmzzaq
KarstenI
Kind of a big deal
Kind of a big deal
‎Sep 29 2020 11:26 AM
‎Sep 29 2020 11:26 AM

Are you shure that the problem is based on the lifetime? I‘m pretty sure that I run default lifetimes (which are either 1h or 8h; although this is not on the MX) with Azure connections and they are negotiated correctly.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
mmzzaq
Here to help
‎Sep 30 2020 1:23 AM
‎Sep 30 2020 1:23 AM

Yes on my MX64 there was an error in the event log stating the P2 lifetime mismatch and the link wasn't working (unless the link wasn't working due to other reasons).

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.