Feature Request: IKEv2 Support in MX appliances

NikolaiProniaev
Conversationalist

Feature Request: IKEv2 Support in MX appliances

This feature request was created long ago on Meraki Users Group forum.

Are there any updates regarding this topic? In our case IKEv2 needed for VPN to Azure.

84 REPLIES 84
PhilipDAth
Kind of a big deal

You can connect to Azure using a policy based VPN (which can use IKEv1):

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

 

But I'm with you - I don't see any reason for the industry to continue to use IKEv1.  IKEv2 is better in every way.  Death to IKEv1 I say!

I'm also waiting for the IPSEC encryption type of NULL to be supported 😞

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Hi Philip, I know this post is more than a year old, and while I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

vin

How did I get stuck doing this stuff?
PhilipDAth
Kind of a big deal

>... I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for >creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you >saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policay based VPN service.


@PhilipDAth wrote:

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policay based VPN service.


Indeed! Strongswan in this scenario is a replacement for the RRAS hosted solution Azure provides. The only downside is you're on your own for making StrongSwan highly available / redundant

 

We're in a spot where we'd gladly pay extra for the stability/simplicity that comes with the hosted solution versus us having to setup our own redundant strongswan VMs

 

I feel like its also unanimous by reading this thread that folks want the simpler implementation of IKEv2 on the MX line, instead of getting into the weeds of StrongSwan (or another appliance)

PhilipDAth
Kind of a big deal

>The only downside is you're on your own for making StrongSwan highly available / redundant

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).

 

You can filter on "VPN Gateway":

https://azure.microsoft.com/en-us/status/history/


@PhilipDAth wrote:

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).


We were hit by the same 9/4 outage in the Texas datacenter (IIRC, we too got a credit back too!)

 

All good things to consider, and yes, we have crazy up-time on servers as well so it wouldn't likely be a problem. We live in a 'SLA required' world. 

 

I couldnt agree more that StrongSwan is a good solution. Is it good for everyone? No. Could Meraki close the gap? Of course! 🙂

Ben
A model citizen

Although this feature is not available, we take our customer feedback seriously

Perhaps this person should get a look on this thread.. 

 

The same problem with sourcenat not beeing available on a 10.000$ - 20.000$ MX while a stupid Router of 100$ you can get in the supermarket does support this... 


@PhilipDAth wrote:

You can connect to Azure using a policy based VPN (which can use IKEv1):

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

 

But I'm with you - I don't see any reason for the industry to continue to use IKEv1.  IKEv2 is better in every way.  Death to IKEv1 I say!


Sorry Philip, I meant to quote the post I referenced above....

How did I get stuck doing this stuff?

@VinAllen

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.

If you want to connect multiple S2S connections into Azure, this setup either requires a software termination (strongswan, etc, ugh) which then terminates multiple static routes from the Meraki, or another piece of hardware, like an on-premise Cisco 891 that supports dynamic routes using IKEv2.

Supporting IKEv2 dynamic routes to get a better OOB experience with multiple Meraki's + Azure would be ideal, since it would eliminate either 1) a virtual appliance thats needed to terminate static routes in Azure, or 2) additional on-premise hardware thats supports dynamic route-based vpns (specifically for folks with multiple s2s needs)

VinAllen
Conversationalist


@TimW wrote:

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.


Thanks Tim! As you can probably surmise from my signature, networking is not my forte, but alas here I am. I want to move our (small) office's network domain and Active Directory to Azure so I can retire the dinosaur currently running Windows Server 2008! Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

How did I get stuck doing this stuff?

@VinAllen wrote:

Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

A single s2s to Azure with employees coming into the Meraki will work just fine (prob some routes to configure in there, but nothing additional should be needed).

I like to think I encompass the 80%er's of Meraki's line up. We love them. This thread is quite literally the only gripe I have about the MX line up 🙂

Best of luck! Consider looking into the AD Connect tool for syncing up identities into Azure (we went though a similar migration a while back)

 

Ben
A model citizen

Still waiting for IKEv2..

 

Would be great as said in the MC topic that this community could also serve for features, questions, ...... towards Meraki. 

A bit the same as the "wishes" feature in the dashboard.

 

VLAN999
Conversationalist

Yes please.. we've been waiting for this feature for past 2 years. 

NikolaiProniaev
Conversationalist

Would be nice to have a reply from vendor's side. I don't think that IKEv2 implementation on Meraki appliances is not technically possible.

I can't see that being true.

 

Take a Cisco ASA.  You can configure it to do a VPN using either/or of IKEv1 and IKEv2.  If you configure both then it tries to build the VPN using IKEv2 first and if that fails it tries IKEv1.

Shanec
Here to help

I can't see them rushing to implement IKEv2 now that they have VMx100's in both AWS and Azure.
Reinout
Conversationalist

What a disappointment.. I really liked the concept of Meraki, but since it still is not using IKEv2 we need to find something else. I know we can create a policy based VPN on azure, but then we have the next pitfalls (or am I misunderstanding this?):

 

 


PolicyBased VPN Gateway

RouteBased VPN Gateway

Azure Gateway SKU

Basic

Basic, Standard, HighPerformance, VpnGw1, VpnGw2, VpnGw3

IKE version

IKEv1

IKEv2

Max. S2S connections

1

Basic/Standard: 10
HighPerformance: 30

 

So we want a route based vpn... 

 

Not nice Meraki!

PhilipDAth
Kind of a big deal

If you need more than one site to site VPN then your best option is the vMX at this point in time.

If we can use it in stead of the MS Vnet Gateway and pricing is comparable, we can live with it, however, i can not find it in the Azure Portal. Also on the Meraki site there is not documentation (at least not that i can find) that explains about it for Azure, only for AWS...

PhilipDAth
Kind of a big deal

This says it is available in October, so perhaps any day now ...

https://meraki.cisco.com/products/appliances/vmx100

Meraki_Rocks
Here to help

This would be a great addition.  Any update?




 

It is available now. I have been given pricing for the license. 

wey2go
Getting noticed

Still want IKEv2 Support for MX. VMX is not cost effective when only a few sites connecting to Azure has MXs while the many more sites using other firewall/VPN vendors which are IKEv2 compliant. 

wey2go
Getting noticed

Such an irony that a Cisco company does not support IKEv2. 

Hi wey2go,

Thanks for posting this. Is it available to select in vMX interface? I just deleted my vMX PoC few days ago. Is there an official announcement?


@NikolaiProniaev wrote:

Hi wey2go,

Thanks for posting this. Is it available to select in vMX interface? I just deleted my vMX PoC few days ago. Is there an official announcement?


Still no IKEv2 Support for vMX. vMX is probably a good option if all your sites are using MX wanting to connect to Azure or AWS and capitalising in the SD-WAN, Mesh VPN and ease of cloud management. 

 

Meraki should have IKEv2 Support for their MX. 

meraki_
Conversationalist

I am meraki and I approve this feature request...

 

But really, please add this.

wey2go
Getting noticed

When can we see IKEv2 Support in MX?

A date for IKEv2 support would be great.

Until then we can't use Meraki for Azure deployment of smaller customers.

We had to run Cisco ASAv appliances in our Azure tenant in order to terminate the IKEv1 tunnels from the branch office MX firewalls.

 

Otherwise we would have terminated the tunnels on the Azure VPN gateway. 

 

Its really perplexing that IKEv2 isn't supported.


I wrote an article a while ago about how to use a low cost StrongSwan instance in Azure for terminating Meraki VPNs.

http://www.ifm.net.nz/cookbooks/meraki-vpn-to-azure.html

Alternative with StrongArm or anything else is not practical if not the whole organisation using Meraki. Imagine you have 20 sites, all other sites have IKEv2 capable VPN and you being the only one with Meraki, unable to connect via IKEv2 to Azure.

BogdanC
Conversationalist

I agree. Please add it.

meraki_L3
New here

As Meraki_L3 I can say this is a much needed feature.  Come on guys! @meraki_

abeckman
New here

I can't believe Meraki doesn't support IKEv2! We were looking at using Meraki's in a managed firewall service but cannot since they don't support IKEv2. Anything beyond basic VPN connectivity to Azure requires IKEv2. Is there any ETA on when this will be implemented? Meraki is a good fit for us and our clients if IKEv2 can be added.

Sadly, no ETA. No news. No roadmap on IKE V2 support.

 

Need to re-consider in recommending MX to all my clients since IKE V2 is not supported.

IKEv2 support is probably at the bottom of Meraki's to do list until more users create a stir on this. Please talk to you local Meraki rep and every Meraki channel you have to request for this feature.

 

Common @meraki_

 

Ben
A model citizen

Guys any idea if IkeV2 is available yet? 

Cheers

PhilipDAth
Kind of a big deal

Not available yet.

Ben
A model citizen

Called my sales rep and logged a ticket.

Curious on how they are going to respond at support.

 

Will keep this topic updated.

 

Cheers,

Ben

ClaytonMeyer
Here to help

Another vote for IKEv2 support
TimW
Here to help

Would love to see IKEv2 available on the Meraki's -- we have a need for this as well

fraya
Here to help

I am currently evaluating SD-WAN vendors. Meraki is my preferred vendor but to meet all the technical requirements I require the VPN parameters to comply with NCSC's foundation grade policy as a minimum.

 

I would like AutoVPN to support IKE-v2, Diffie Helman Group 14 and a desired would be certificate based authentication or stronger Pre-Shared Key

grimm_j
Conversationalist

This is something our organization wants so we can utilize a client VPN application. Hopefully this is on the short term radar! 

chemdream
New here

I am floored that Meraki MX's Auto VPN doesn't support IKEv2.

 

As of 6-6-2018, Azure put Meraki on their "incompatibility list" ... 

 

IKEv2 is better in everyway. It was invented over a decade ago.

 

I was getting ready to upgrade 102 of our offices with Meraki MX65W's until I realized there was no IKEv2 support. Now we'll have to use Calyptix or possibly Unifi.

Wow, really? Meraki on Azure incompatibility list? Do you have a link for that?
meraki_
Conversationalist
Ben
A model citizen

Perhaps we can all start submitting daily wishes into the dashboard "IkeV2"

JDA
New here

Seems the guys at Meraki have been silent on this.

 

For the price of the license and hardware you would expect it to support IKEv2.

 

Is there any update on this at all?

wey2go
Getting noticed

This silence is killing my sales leads for those when they need VPN to Azure. These are multi-sites where we are not able to change anything on the Azure side.

 

For azure, Meraki is pushing their azure virtual appliance for VPN.

https://meraki.cisco.com/products/appliances/vmx100

 

It's frustrating because many people just want to use Azure's built in VPN...

So... we currently have (or had I should say) two site-to-site connections between our offices and Azure. Both locations use an MX84, and the site-to-site connections in Azure are configured as policy based, however one office does have a working connection and one office doesn't. I've already checked every single setting on both sides and it will not work, regardless of what we do. The most frustrating part is, this was configured over 1,5 years ago and worked fine all that time until a week ago!

 

Opening a case led to nothing but even more frustration, since all they're basically saying is: the connection with Azure is not supported by us, unless you use the vMX100 appliance, that means they are saying to just throw more money at the problem instead of actually fixing it!

 

This entire problem wouldn't even exist if IKEv2 was supported already! Yet now with the vMX100 being launched in Azure their incentive to start supporting IKEv2 just became even less, because they have just created a means to screw even more money out of already paying customers.

 

The worst thing is, I've recently signed a new lease for a bunch of new hardware replacing the old hardware we had... Noted that the hardware we used was also Meraki hardware and up to a week ago everything with Azure worked fine! (I.e. also with the new hardware the situation was working as we expected) Now suddenly everything has changed.

 

I'm going to explore my options to nullify or dissolve my lease contract, because regardless of what option I choose, I will have to pay more than I already do to get a working site-to-site connection to Azure and if that is the case then I'd rather have hardware that doesn't limit me in my options and supports things that should be supported by a long time already.

 

Sorry for my rant guys, but I'm done with Meraki.

PhilipDAth
Kind of a big deal

You just sparked a memory for me.

 

About 2 weeks ago I had a customer suffer an outage between their Azure regions.  Azure had a VNET outage, and it broke the Azure VPN gateway service. The outage showed up in their Azure console.  They had to raise a ticket with Microsoft to get it fixed.

 

Have you tried raising a ticket with Azure Support?

I have but it hasn't solved anything other than the following response:

 

Our about azure VPN page now lists Cisco meraki’s as “Not compatible”,
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

 

And so does Cisco's page:
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_P...

 

However please note the following as possible workarounds for this.

 

1.The Meraki VPN device cannot set a lifetime value in KB for Phase 2.
2.The drawback here is that policy-based tunnels require a one-to-one match against our lifetime values (both in seconds and KB) on both sides of the IPSec tunnel.
3.Based on mine and my team experience, working with Meraki devices located on-premise, tunnel sometimes connects fine and sometimes it goes down.
4.After working with different customer’s environment and running network captures, we identified the problem is when the Azure Gateway acts as initiator, we send the proposals and the Meraki device will be failing with policy match error.
5.Most of the customers try to setup the Quick Mode Security Association Life Time lower than 3600 so that they ensure the Meraki is always the initiator and the Azure Gateway is really flexible with this and will ignore the device didn’t send the LF in KB.
6.Currently, we don’t have an option from our side to edit the IKE/IPsec parameters.
7.Azure Gateway uses the IKE/IPsec values by default and cannot be changed.


As a workaround for connecting to a Cisco Meraki we offer a Virtual appliance.

 

I tried this proposed workaround, but sadly the tunnel still wouldn't come up, nor would a Meraki engineer support this idea. So in the end we've decided to let this site-to-site idea go and go explore the option of working with a virtual machine that runs something like pfSense or RouterOS to set up IKEv1 site-to-site connections and route them to the appropriate subnet.

danielpugh
Here to help

just adding my +1 to this feature request

Ben
A model citizen

perhaps we should start adding wishes in the dashboard.. 😃 

Sourcenat is also a very very very hard missed feature.. not sure if i'm the only one who needs it?

 

 

PhilipDAth
Kind of a big deal

You would have more luck wishing for pizza (ps - actually give this a try).

Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?

i raised a support ticket for our mx84

the answer was ... (show below) - in short nothing in the short term but we can "make a wish" (puts note in bottle and throws into the sea)..;-)

 

"Unfortunately, we do not have an ETA on when we start supporting IKEv2.



Although this feature is not available, we take our customer feedback seriously. We encourage you to use the Meraki dashboard to "make a wish" and submit a feature request. You can submit a feature request at the bottom of any dashboard page. Any wish that is made sends an email to our Product Managers and Development Teams. These wishes are taken into consideration and are used to help shape our product roadmaps. The most wished-for items are incorporated into product development. "

PhilipDAth
Kind of a big deal

>Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?

 

Meraki never provide dates for un-released features.

So ... Make a wish added .... we keep being notified to just 'make a wish' in Meraki to get the IKEv2 added so you can also use the AnyConnect client. We do have Meraki, BUT we are tired of seeing Windows security or network updates breaking the stupid Windows VPN client you have to use to connect in since "Microsoft" knows better than anyone else how your OWN VPN connection is configured ..... right, not!?!?! You can supposedly use AnyConnect IF, again, IF you are using the licensed Systems Manager .... and that's ONLY if you pay for that extra, and supposedly, but not natively using the AnyConnect client separately.



T Roberts
A+, Network+, MCP, Dell and CMNO

Request still alive.  IKEv2 for Always on VPN would be nice..

I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature. You have to contact Meraki Support to enable. I've tried that twice and both times the Support person had no idea what I was talking about.


@ClaytonMeyer wrote:

I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature.


Correct me if I'm wrong, but doesn't the "S" in "Meraki SE" stand for Sales?

 

Just sayin'.

How did I get stuck doing this stuff?

I believe se = "systems engineer", although it's a partner qualification related to assisting AM (account manager).

See: https://meraki.cisco.com/blog/2019/04/recap-meraki-quarterly-april-2019/

 

We also announced during the Quarterly that public betas are now available for an integration between the MX and Cisco Umbrella (similar to the just-launched MR/Umbrella integration) and for IKEv2. The latter includes support for route-based VPNs and stronger encryption algorithms for non-Meraki VPNs. To enable these betas, get in contact with Meraki Support.

 

So, it is available on Beta now!!!! Anybody testing it?

Signix
Conversationalist

I just contacted the Meraki support.

I was asked to upgrade my firmware to beta and call them back to enable IKEv2.

Update is schedule for this evening. I will tell you how it worked.

I appreciate it!  I'm a bit hesitant about it not being a general release, but we'll see how it goes for you!

@Signix  any update on this?

Sorry. Everything went well. After updating the firmware I have access to IKE v2 parameters.merakiPhase2.png

 

I had to configure my Azure VPN with powershell :

 

 

# first get your current connexion on Azure
$connection = Get-AzVirtualNetworkGatewayConnection -Name "Office" -ResourceGroupName "Internal"

# then create an IPSec policy whith the lifetime and DH Group you configured on Meraki
$ipsecpolicy = New-AzIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA1 `
-IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
-PfsGroup None -SALifeTimeSeconds 3600


# Apply policy to your connection
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -IpsecPolicies $ipsecpolicy -UsePolicyBasedTrafficSelectors $True

 

 

It is now working smoothly for a month and it solved a lot of our problems.

The only downside is that you have to use a VpnGw1 subscription on Azure VPN which cost more than base subscription but this is way less than a virtual MX.

 

If you have any other question let me know.

Have a nice day

PS There is a nice conversation about this : https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/m-p/49088#M12406

ReliantGuy
Conversationalist

Now more than a Year.... Hate to be cynical, but is this just an artificial differentiation between ASA's and MX's.  In place only to protect ASA market share?  Or is there a technical reason?

Ben, I do not agree with you ...

 

 

______________________

Nyrenthia

ShowBox-apk

Ben
A model citizen