Meraki

NikolaiProniaev · ‎Oct 6 2017

This feature request was created long ago on Meraki Users Group forum.

Are there any updates regarding this topic? In our case IKEv2 needed for VPN to Azure.

PhilipDAth · ‎Oct 6 2017

You can connect to Azure using a policy based VPN (which can use IKEv1):

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

But I'm with you - I don't see any reason for the industry to continue to use IKEv1. IKEv2 is better in every way. Death to IKEv1 I say!

MilesMeraki · ‎Oct 9 2017

I'm also waiting for the IPSEC encryption type of NULL to be supported 😞

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

VinAllen · ‎Nov 7 2018

Hi Philip, I know this post is more than a year old, and while I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

vin

How did I get stuck doing this stuff?

PhilipDAth · ‎Nov 7 2018

>... I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for >creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you >saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

If you use StrongSwan then you don't use the Microsoft policy based VPN. From memory, the VM to run StrongSwan is cheaper than the Microsoft policay based VPN service.

TimW · ‎Nov 7 2018

@PhilipDAth wrote:

If you use StrongSwan then you don't use the Microsoft policy based VPN. From memory, the VM to run StrongSwan is cheaper than the Microsoft policay based VPN service.

Indeed! Strongswan in this scenario is a replacement for the RRAS hosted solution Azure provides. The only downside is you're on your own for making StrongSwan highly available / redundant

We're in a spot where we'd gladly pay extra for the stability/simplicity that comes with the hosted solution versus us having to setup our own redundant strongswan VMs

I feel like its also unanimous by reading this thread that folks want the simpler implementation of IKEv2 on the MX line, instead of getting into the weeds of StrongSwan (or another appliance)

PhilipDAth · ‎Nov 7 2018

>The only downside is you're on your own for making StrongSwan highly available / redundant

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).

You can filter on "VPN Gateway":

https://azure.microsoft.com/en-us/status/history/

TimW · ‎Nov 7 2018

@PhilipDAth wrote:

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).

We were hit by the same 9/4 outage in the Texas datacenter (IIRC, we too got a credit back too!)

All good things to consider, and yes, we have crazy up-time on servers as well so it wouldn't likely be a problem. We live in a 'SLA required' world.

I couldnt agree more that StrongSwan is a good solution. Is it good for everyone? No. Could Meraki close the gap? Of course! 🙂

Ben · ‎Nov 16 2018

Although this feature is not available, we take our customer feedback seriously

Perhaps this person should get a look on this thread..

The same problem with sourcenat not beeing available on a 10.000$ - 20.000$ MX while a stupid Router of 100$ you can get in the supermarket does support this...

VinAllen · ‎Nov 7 2018

@PhilipDAth wrote:
You can connect to Azure using a policy based VPN (which can use IKEv1):
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

But I'm with you - I don't see any reason for the industry to continue to use IKEv1. IKEv2 is better in every way. Death to IKEv1 I say!

Sorry Philip, I meant to quote the post I referenced above....

How did I get stuck doing this stuff?

TimW · ‎Nov 7 2018

@VinAllen

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.

If you want to connect multiple S2S connections into Azure, this setup either requires a software termination (strongswan, etc, ugh) which then terminates multiple static routes from the Meraki, or another piece of hardware, like an on-premise Cisco 891 that supports dynamic routes using IKEv2.

Supporting IKEv2 dynamic routes to get a better OOB experience with multiple Meraki's + Azure would be ideal, since it would eliminate either 1) a virtual appliance thats needed to terminate static routes in Azure, or 2) additional on-premise hardware thats supports dynamic route-based vpns (specifically for folks with multiple s2s needs)

VinAllen · ‎Nov 7 2018

@TimW wrote:
Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.

Thanks Tim! As you can probably surmise from my signature, networking is not my forte, but alas here I am. I want to move our (small) office's network domain and Active Directory to Azure so I can retire the dinosaur currently running Windows Server 2008! Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

How did I get stuck doing this stuff?

TimW · ‎Nov 7 2018

@VinAllen wrote:
Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

A single s2s to Azure with employees coming into the Meraki will work just fine (prob some routes to configure in there, but nothing additional should be needed).

I like to think I encompass the 80%er's of Meraki's line up. We love them. This thread is quite literally the only gripe I have about the MX line up 🙂

Best of luck! Consider looking into the AD Connect tool for syncing up identities into Azure (we went though a similar migration a while back)

Ben · ‎Oct 10 2017

Still waiting for IKEv2..

Would be great as said in the MC topic that this community could also serve for features, questions, ...... towards Meraki.

A bit the same as the "wishes" feature in the dashboard.

VLAN999 · ‎Oct 10 2017

Yes please.. we've been waiting for this feature for past 2 years.

NikolaiProniaev · ‎Oct 16 2017

Would be nice to have a reply from vendor's side. I don't think that IKEv2 implementation on Meraki appliances is not technically possible.

PhilipDAth · ‎Oct 16 2017

I can't see that being true.

Take a Cisco ASA. You can configure it to do a VPN using either/or of IKEv1 and IKEv2. If you configure both then it tries to build the VPN using IKEv2 first and if that fails it tries IKEv1.

Shanec · ‎Oct 17 2017

I can't see them rushing to implement IKEv2 now that they have VMx100's in both AWS and Azure.

Reinout · ‎Oct 17 2017

What a disappointment.. I really liked the concept of Meraki, but since it still is not using IKEv2 we need to find something else. I know we can create a policy based VPN on azure, but then we have the next pitfalls (or am I misunderstanding this?):

	PolicyBased VPN Gateway	RouteBased VPN Gateway
Azure Gateway SKU	Basic	Basic, Standard, HighPerformance, VpnGw1, VpnGw2, VpnGw3
IKE version	IKEv1	IKEv2
Max. S2S connections	1	Basic/Standard: 10 HighPerformance: 30

So we want a route based vpn...

Not nice Meraki!

PhilipDAth · ‎Oct 17 2017

If you need more than one site to site VPN then your best option is the vMX at this point in time.

Reinout · ‎Oct 17 2017

If we can use it in stead of the MS Vnet Gateway and pricing is comparable, we can live with it, however, i can not find it in the Azure Portal. Also on the Meraki site there is not documentation (at least not that i can find) that explains about it for Azure, only for AWS...

PhilipDAth · ‎Oct 17 2017

This says it is available in October, so perhaps any day now ...

https://meraki.cisco.com/products/appliances/vmx100

Meraki_Rocks · ‎Jan 17 2018

This would be a great addition. Any update?

wey2go · ‎Jan 26 2018

It is available now. I have been given pricing for the license.

wey2go · ‎Jan 26 2018

Still want IKEv2 Support for MX. VMX is not cost effective when only a few sites connecting to Azure has MXs while the many more sites using other firewall/VPN vendors which are IKEv2 compliant.

wey2go · ‎Jan 26 2018

Such an irony that a Cisco company does not support IKEv2.

NikolaiProniaev · ‎Jan 26 2018

Hi wey2go,

Thanks for posting this. Is it available to select in vMX interface? I just deleted my vMX PoC few days ago. Is there an official announcement?

wey2go · ‎Jan 26 2018

@NikolaiProniaev wrote:
Hi wey2go,
Thanks for posting this. Is it available to select in vMX interface? I just deleted my vMX PoC few days ago. Is there an official announcement?

Still no IKEv2 Support for vMX. vMX is probably a good option if all your sites are using MX wanting to connect to Azure or AWS and capitalising in the SD-WAN, Mesh VPN and ease of cloud management.

Meraki should have IKEv2 Support for their MX.

meraki_ · ‎Jan 26 2018

I am meraki and I approve this feature request...

But really, please add this.

wey2go · ‎Jan 26 2018

When can we see IKEv2 Support in MX?

CloudBuilder · ‎Feb 8 2018

A date for IKEv2 support would be great.

Until then we can't use Meraki for Azure deployment of smaller customers.

Jeffmikers · ‎Feb 8 2018

We had to run Cisco ASAv appliances in our Azure tenant in order to terminate the IKEv1 tunnels from the branch office MX firewalls.

Otherwise we would have terminated the tunnels on the Azure VPN gateway.

Its really perplexing that IKEv2 isn't supported.

PhilipDAth · ‎Feb 8 2018

I wrote an article a while ago about how to use a low cost StrongSwan instance in Azure for terminating Meraki VPNs.

http://www.ifm.net.nz/cookbooks/meraki-vpn-to-azure.html

wey2go · ‎Feb 13 2018

Alternative with StrongArm or anything else is not practical if not the whole organisation using Meraki. Imagine you have 20 sites, all other sites have IKEv2 capable VPN and you being the only one with Meraki, unable to connect via IKEv2 to Azure.

BogdanC · ‎Feb 7 2018

I agree. Please add it.

meraki_L3 · ‎Feb 9 2018

As Meraki_L3 I can say this is a much needed feature. Come on guys! @meraki_

abeckman · ‎Feb 21 2018

I can't believe Meraki doesn't support IKEv2! We were looking at using Meraki's in a managed firewall service but cannot since they don't support IKEv2. Anything beyond basic VPN connectivity to Azure requires IKEv2. Is there any ETA on when this will be implemented? Meraki is a good fit for us and our clients if IKEv2 can be added.

wey2go · ‎Mar 2 2018

Sadly, no ETA. No news. No roadmap on IKE V2 support.

Need to re-consider in recommending MX to all my clients since IKE V2 is not supported.

wey2go · ‎Apr 14 2018

IKEv2 support is probably at the bottom of Meraki's to do list until more users create a stir on this. Please talk to you local Meraki rep and every Meraki channel you have to request for this feature.

Common @meraki_

Ben · ‎Apr 18 2018

Guys any idea if IkeV2 is available yet?

Cheers

PhilipDAth · ‎Apr 18 2018

Not available yet.

Ben · ‎Apr 19 2018

Called my sales rep and logged a ticket.

Curious on how they are going to respond at support.

Will keep this topic updated.

Cheers,

Ben

ClaytonMeyer · ‎May 30 2018

Another vote for IKEv2 support

TimW · ‎Jun 7 2018

Would love to see IKEv2 available on the Meraki's -- we have a need for this as well

fraya · ‎Jun 11 2018

I am currently evaluating SD-WAN vendors. Meraki is my preferred vendor but to meet all the technical requirements I require the VPN parameters to comply with NCSC's foundation grade policy as a minimum.

I would like AutoVPN to support IKE-v2, Diffie Helman Group 14 and a desired would be certificate based authentication or stronger Pre-Shared Key

grimm_j · ‎Jun 15 2018

This is something our organization wants so we can utilize a client VPN application. Hopefully this is on the short term radar!

chemdream · ‎Jun 26 2018

I am floored that Meraki MX's Auto VPN doesn't support IKEv2.

As of 6-6-2018, Azure put Meraki on their "incompatibility list" ...

IKEv2 is better in everyway. It was invented over a decade ago.

I was getting ready to upgrade 102 of our offices with Meraki MX65W's until I realized there was no IKEv2 support. Now we'll have to use Calyptix or possibly Unifi.

lpopejoy · ‎Jun 27 2018

Wow, really? Meraki on Azure incompatibility list? Do you have a link for that?

meraki_ · ‎Jun 27 2018

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

Ben · ‎Jul 3 2018

Perhaps we can all start submitting daily wishes into the dashboard "IkeV2"

JDA · ‎Aug 14 2018

Seems the guys at Meraki have been silent on this.

For the price of the license and hardware you would expect it to support IKEv2.

Is there any update on this at all?

wey2go · ‎Aug 14 2018

This silence is killing my sales leads for those when they need VPN to Azure. These are multi-sites where we are not able to change anything on the Azure side.

robfromdetroit · ‎Aug 15 2018

For azure, Meraki is pushing their azure virtual appliance for VPN.

https://meraki.cisco.com/products/appliances/vmx100

It's frustrating because many people just want to use Azure's built in VPN...

BBFred · ‎Aug 28 2018

So... we currently have (or had I should say) two site-to-site connections between our offices and Azure. Both locations use an MX84, and the site-to-site connections in Azure are configured as policy based, however one office does have a working connection and one office doesn't. I've already checked every single setting on both sides and it will not work, regardless of what we do. The most frustrating part is, this was configured over 1,5 years ago and worked fine all that time until a week ago!

Opening a case led to nothing but even more frustration, since all they're basically saying is: the connection with Azure is not supported by us, unless you use the vMX100 appliance, that means they are saying to just throw more money at the problem instead of actually fixing it!

This entire problem wouldn't even exist if IKEv2 was supported already! Yet now with the vMX100 being launched in Azure their incentive to start supporting IKEv2 just became even less, because they have just created a means to screw even more money out of already paying customers.

The worst thing is, I've recently signed a new lease for a bunch of new hardware replacing the old hardware we had... Noted that the hardware we used was also Meraki hardware and up to a week ago everything with Azure worked fine! (I.e. also with the new hardware the situation was working as we expected) Now suddenly everything has changed.

I'm going to explore my options to nullify or dissolve my lease contract, because regardless of what option I choose, I will have to pay more than I already do to get a working site-to-site connection to Azure and if that is the case then I'd rather have hardware that doesn't limit me in my options and supports things that should be supported by a long time already.

Sorry for my rant guys, but I'm done with Meraki.

PhilipDAth · ‎Aug 28 2018

You just sparked a memory for me.

About 2 weeks ago I had a customer suffer an outage between their Azure regions. Azure had a VNET outage, and it broke the Azure VPN gateway service. The outage showed up in their Azure console. They had to raise a ticket with Microsoft to get it fixed.

Have you tried raising a ticket with Azure Support?

BBFred · ‎Aug 29 2018

I have but it hasn't solved anything other than the following response:

Our about azure VPN page now lists Cisco meraki’s as “Not compatible”,
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

And so does Cisco's page:
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_P...

However please note the following as possible workarounds for this.

1.The Meraki VPN device cannot set a lifetime value in KB for Phase 2.
2.The drawback here is that policy-based tunnels require a one-to-one match against our lifetime values (both in seconds and KB) on both sides of the IPSec tunnel.
3.Based on mine and my team experience, working with Meraki devices located on-premise, tunnel sometimes connects fine and sometimes it goes down.
4.After working with different customer’s environment and running network captures, we identified the problem is when the Azure Gateway acts as initiator, we send the proposals and the Meraki device will be failing with policy match error.
5.Most of the customers try to setup the Quick Mode Security Association Life Time lower than 3600 so that they ensure the Meraki is always the initiator and the Azure Gateway is really flexible with this and will ignore the device didn’t send the LF in KB.
6.Currently, we don’t have an option from our side to edit the IKE/IPsec parameters.
7.Azure Gateway uses the IKE/IPsec values by default and cannot be changed.

As a workaround for connecting to a Cisco Meraki we offer a Virtual appliance.

I tried this proposed workaround, but sadly the tunnel still wouldn't come up, nor would a Meraki engineer support this idea. So in the end we've decided to let this site-to-site idea go and go explore the option of working with a virtual machine that runs something like pfSense or RouterOS to set up IKEv1 site-to-site connections and route them to the appropriate subnet.

danielpugh · ‎Oct 23 2018

just adding my +1 to this feature request

Ben · ‎Oct 29 2018

perhaps we should start adding wishes in the dashboard.. 😃

Sourcenat is also a very very very hard missed feature.. not sure if i'm the only one who needs it?

PhilipDAth · ‎Oct 29 2018

You would have more luck wishing for pizza (ps - actually give this a try).

HardusD · ‎Oct 30 2018

Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?

danielpugh · ‎Oct 31 2018

i raised a support ticket for our mx84

the answer was ... (show below) - in short nothing in the short term but we can "make a wish" (puts note in bottle and throws into the sea)..;-)

"Unfortunately, we do not have an ETA on when we start supporting IKEv2.

Although this feature is not available, we take our customer feedback seriously. We encourage you to use the Meraki dashboard to "make a wish" and submit a feature request. You can submit a feature request at the bottom of any dashboard page. Any wish that is made sends an email to our Product Managers and Development Teams. These wishes are taken into consideration and are used to help shape our product roadmaps. The most wished-for items are incorporated into product development. "

PhilipDAth · ‎Oct 31 2018

>Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?

Meraki never provide dates for un-released features.

TMRoberts · ‎Feb 15 2019

So ... Make a wish added .... we keep being notified to just 'make a wish' in Meraki to get the IKEv2 added so you can also use the AnyConnect client. We do have Meraki, BUT we are tired of seeing Windows security or network updates breaking the stupid Windows VPN client you have to use to connect in since "Microsoft" knows better than anyone else how your OWN VPN connection is configured ..... right, not!?!?! You can supposedly use AnyConnect IF, again, IF you are using the licensed Systems Manager .... and that's ONLY if you pay for that extra, and supposedly, but not natively using the AnyConnect client separately.

T Roberts
A+, Network+, MCP, Dell and CMNO

WillSparing · ‎Apr 30 2019

Request still alive. IKEv2 for Always on VPN would be nice..

ClaytonMeyer · ‎Apr 30 2019

I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature. You have to contact Meraki Support to enable. I've tried that twice and both times the Support person had no idea what I was talking about.

VinAllen · ‎Apr 30 2019

@ClaytonMeyer wrote:
I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature.

Correct me if I'm wrong, but doesn't the "S" in "Meraki SE" stand for Sales?

Just sayin'.

How did I get stuck doing this stuff?

danielpugh · ‎Apr 30 2019

I believe se = "systems engineer", although it's a partner qualification related to assisting AM (account manager).

wey2go · ‎Apr 30 2019

See: https://meraki.cisco.com/blog/2019/04/recap-meraki-quarterly-april-2019/

We also announced during the Quarterly that public betas are now available for an integration between the MX and Cisco Umbrella (similar to the just-launched MR/Umbrella integration) and for IKEv2. The latter includes support for route-based VPNs and stronger encryption algorithms for non-Meraki VPNs. To enable these betas, get in contact with Meraki Support.

So, it is available on Beta now!!!! Anybody testing it?

Signix · ‎May 2 2019

I just contacted the Meraki support.

I was asked to upgrade my firmware to beta and call them back to enable IKEv2.

Update is schedule for this evening. I will tell you how it worked.

WillSparing · ‎May 3 2019

I appreciate it! I'm a bit hesitant about it not being a general release, but we'll see how it goes for you!

NetworkFeller · ‎Jun 9 2019

@Signix any update on this?

Signix · ‎Jun 10 2019

Sorry. Everything went well. After updating the firmware I have access to IKE v2 parameters.

I had to configure my Azure VPN with powershell :

# first get your current connexion on Azure
$connection = Get-AzVirtualNetworkGatewayConnection -Name "Office" -ResourceGroupName "Internal"

# then create an IPSec policy whith the lifetime and DH Group you configured on Meraki
$ipsecpolicy = New-AzIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA1 `
-IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
-PfsGroup None -SALifeTimeSeconds 3600


# Apply policy to your connection
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -IpsecPolicies $ipsecpolicy -UsePolicyBasedTrafficSelectors $True

It is now working smoothly for a month and it solved a lot of our problems.

The only downside is that you have to use a VpnGw1 subscription on Azure VPN which cost more than base subscription but this is way less than a virtual MX.

If you have any other question let me know.

Have a nice day

PS There is a nice conversation about this : https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/m-p/49088#M12406

ReliantGuy · ‎Dec 3 2018

Now more than a Year.... Hate to be cynical, but is this just an artificial differentiation between ASA's and MX's. In place only to protect ASA market share? Or is there a technical reason?

Nyrenthia · ‎Feb 8 2019

Ben, I do not agree with you ...

______________________

Nyrenthia

ShowBox-apk

Ben · ‎Feb 14 2019

@Nyrenthia wrote:
Ben, I do not agree with you ...

______________________
Nyrenthia
ShowBox-apk

And that's your full right. I guess you don't have customers needing source nat or any of the missing features. 😃

Cheers,

Ben

PJ51182 · ‎May 5 2020

I take it there still hasn't been any update on when/if IKEv2 will be available?

cmr · ‎May 5 2020

It is in 15.x if you need it, new features are generally going into that release train

PJ51182 · ‎May 6 2020

Thank you for that. Any idea when this will be available?

cmr · ‎May 6 2020

@PJ51182 it is, use the 15.x release train. We have been running a 1500 user 9 site enterprise on MX15 since last summer. It has been stable with no major issues.

PJ51182 · ‎May 6 2020

@cmr 15.x (15.29) as I type this is still in Beta. The stable release is 14.40 and the stable release candidate is 14.50.

I wouldn't be using Beta releases in a live environment. My question is when 15.x firmware will be released as the stable release?

PJ51182 · ‎Sep 23 2020

Take it there STILL isn't a release date for a new stable release to include IKEv2 for Azure?

danielpugh · ‎Sep 23 2020

im using it already for our vpn to azure - you need to go to the beta firmware for the mx and it works

PJ51182 · ‎Sep 23 2020

Hi @danielpugh I know it's been available for some time if you use the beta release. When installing kit for a customer it's not best practice to be using beta versions. It's extremely frustrating that a very common requirement (VPN to Azure) still isn't a feature of a stable release.

Coors1234 · ‎Oct 28 2020

So, just to be clear here -- specifically for Azure customers -- the beta firmware right now does include IKEv2 but I was told by my Meraki rep that they still do not support Route Based VPNs, only Policy Based. Without support for Route Based VPNs we're limited to only 1 S2S tunnel in Azure so that's not really great either.

Not to piggy back on this feature request but, since they do kinda go hand in hand, is there any word on support for Route Based VPNs?

Bruce · ‎Oct 28 2020

You can do multiple S2S VPNs from Azure, the VPNs just have to be to different Meraki networks/sites. I'm not sure what you'd achieve with multiple S2S VPNs to the same site, unless you're looking at redundancy to different Azure regions? You can also achieve the HA configuration across regions with the vMX now, so that's an alternative. Have a look at these two documents.

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site_to_Site_VPN_tunnels_to_Azure_V...

https://documentation.meraki.com/MX/Other_Topics/Deploying_Highly_Available_vMX100s_in_Azure

Meraki

Community

Feature Request: IKEv2 Support in MX appliances

Feature Request: IKEv2 Support in MX appliances