cancel
Showing results for 
Search instead for 
Did you mean: 

Feature Request: IKEv2 Support in MX appliances

Highlighted
Conversationalist

Feature Request: IKEv2 Support in MX appliances

This feature request was created long ago on Meraki Users Group forum.

Are there any updates regarding this topic? In our case IKEv2 needed for VPN to Azure.

Tags (1)
61 REPLIES
Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

You can connect to Azure using a policy based VPN (which can use IKEv1):

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

 

But I'm with you - I don't see any reason for the industry to continue to use IKEv1.  IKEv2 is better in every way.  Death to IKEv1 I say!

Head in the Cloud

Re: Feature Request: IKEv2 Support in MX appliances

I'm also waiting for the IPSEC encryption type of NULL to be supported Smiley Sad

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Ben
Building a reputation

Re: Feature Request: IKEv2 Support in MX appliances

Still waiting for IKEv2..

 

Would be great as said in the MC topic that this community could also serve for features, questions, ...... towards Meraki. 

A bit the same as the "wishes" feature in the dashboard.

 

Comes here often

Re: Feature Request: IKEv2 Support in MX appliances

Yes please.. we've been waiting for this feature for past 2 years. 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Would be nice to have a reply from vendor's side. I don't think that IKEv2 implementation on Meraki appliances is not technically possible.

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

I can't see that being true.

 

Take a Cisco ASA.  You can configure it to do a VPN using either/or of IKEv1 and IKEv2.  If you configure both then it tries to build the VPN using IKEv2 first and if that fails it tries IKEv1.

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I can't see them rushing to implement IKEv2 now that they have VMx100's in both AWS and Azure.
Comes here often

Re: Feature Request: IKEv2 Support in MX appliances

What a disappointment.. I really liked the concept of Meraki, but since it still is not using IKEv2 we need to find something else. I know we can create a policy based VPN on azure, but then we have the next pitfalls (or am I misunderstanding this?):

 

 


PolicyBased VPN Gateway

RouteBased VPN Gateway

Azure Gateway SKU

Basic

Basic, Standard, HighPerformance, VpnGw1, VpnGw2, VpnGw3

IKE version

IKEv1

IKEv2

Max. S2S connections

1

Basic/Standard: 10
HighPerformance: 30

 

So we want a route based vpn... 

 

Not nice Meraki!

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

If you need more than one site to site VPN then your best option is the vMX at this point in time.

Comes here often

Re: Feature Request: IKEv2 Support in MX appliances

If we can use it in stead of the MS Vnet Gateway and pricing is comparable, we can live with it, however, i can not find it in the Azure Portal. Also on the Meraki site there is not documentation (at least not that i can find) that explains about it for Azure, only for AWS...

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

This says it is available in October, so perhaps any day now ...

https://meraki.cisco.com/products/appliances/vmx100

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

This would be a great addition.  Any update?




 

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

It is available now. I have been given pricing for the license. 

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

Still want IKEv2 Support for MX. VMX is not cost effective when only a few sites connecting to Azure has MXs while the many more sites using other firewall/VPN vendors which are IKEv2 compliant. 

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

Such an irony that a Cisco company does not support IKEv2. 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Hi wey2go,

Thanks for posting this. Is it available to select in vMX interface? I just deleted my vMX PoC few days ago. Is there an official announcement?

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances


@NikolaiProniaev wrote:

Hi wey2go,

Thanks for posting this. Is it available to select in vMX interface? I just deleted my vMX PoC few days ago. Is there an official announcement?


Still no IKEv2 Support for vMX. vMX is probably a good option if all your sites are using MX wanting to connect to Azure or AWS and capitalising in the SD-WAN, Mesh VPN and ease of cloud management. 

 

Meraki should have IKEv2 Support for their MX. 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

I am meraki and I approve this feature request...

 

But really, please add this.

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

When can we see IKEv2 Support in MX?
Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

I agree. Please add it.

New here

Re: Feature Request: IKEv2 Support in MX appliances

A date for IKEv2 support would be great.

Until then we can't use Meraki for Azure deployment of smaller customers.

New here

Re: Feature Request: IKEv2 Support in MX appliances

We had to run Cisco ASAv appliances in our Azure tenant in order to terminate the IKEv1 tunnels from the branch office MX firewalls.

 

Otherwise we would have terminated the tunnels on the Azure VPN gateway. 

 

Its really perplexing that IKEv2 isn't supported.


Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

I wrote an article a while ago about how to use a low cost StrongSwan instance in Azure for terminating Meraki VPNs.

http://www.ifm.net.nz/cookbooks/meraki-vpn-to-azure.html

New here

Re: Feature Request: IKEv2 Support in MX appliances

As Meraki_L3 I can say this is a much needed feature.  Come on guys! @meraki

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

Alternative with StrongArm or anything else is not practical if not the whole organisation using Meraki. Imagine you have 20 sites, all other sites have IKEv2 capable VPN and you being the only one with Meraki, unable to connect via IKEv2 to Azure.

New here

Re: Feature Request: IKEv2 Support in MX appliances

I can't believe Meraki doesn't support IKEv2! We were looking at using Meraki's in a managed firewall service but cannot since they don't support IKEv2. Anything beyond basic VPN connectivity to Azure requires IKEv2. Is there any ETA on when this will be implemented? Meraki is a good fit for us and our clients if IKEv2 can be added.

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

Sadly, no ETA. No news. No roadmap on IKE V2 support.

 

Need to re-consider in recommending MX to all my clients since IKE V2 is not supported.

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

IKEv2 support is probably at the bottom of Meraki's to do list until more users create a stir on this. Please talk to you local Meraki rep and every Meraki channel you have to request for this feature.

 

Common @meraki

 

Ben
Building a reputation

Re: Feature Request: IKEv2 Support in MX appliances

Guys any idea if IkeV2 is available yet? 

Cheers

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

Not available yet.

Ben
Building a reputation

Re: Feature Request: IKEv2 Support in MX appliances

Called my sales rep and logged a ticket.

Curious on how they are going to respond at support.

 

Will keep this topic updated.

 

Cheers,

Ben

Tags (1)
Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Another vote for IKEv2 support
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

Would love to see IKEv2 available on the Meraki's -- we have a need for this as well

Just browsing

Re: Feature Request: IKEv2 Support in MX appliances

I am currently evaluating SD-WAN vendors. Meraki is my preferred vendor but to meet all the technical requirements I require the VPN parameters to comply with NCSC's foundation grade policy as a minimum.

 

I would like AutoVPN to support IKE-v2, Diffie Helman Group 14 and a desired would be certificate based authentication or stronger Pre-Shared Key

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

This is something our organization wants so we can utilize a client VPN application. Hopefully this is on the short term radar! 

New here

Re: Feature Request: IKEv2 Support in MX appliances

I am floored that Meraki MX's Auto VPN doesn't support IKEv2.

 

As of 6-6-2018, Azure put Meraki on their "incompatibility list" ... 

 

IKEv2 is better in everyway. It was invented over a decade ago.

 

I was getting ready to upgrade 102 of our offices with Meraki MX65W's until I realized there was no IKEv2 support. Now we'll have to use Calyptix or possibly Unifi.

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

Wow, really? Meraki on Azure incompatibility list? Do you have a link for that?
Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Ben
Building a reputation

Re: Feature Request: IKEv2 Support in MX appliances

Perhaps we can all start submitting daily wishes into the dashboard "IkeV2"

JDA
New here

Re: Feature Request: IKEv2 Support in MX appliances

Seems the guys at Meraki have been silent on this.

 

For the price of the license and hardware you would expect it to support IKEv2.

 

Is there any update on this at all?

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

This silence is killing my sales leads for those when they need VPN to Azure. These are multi-sites where we are not able to change anything on the Azure side.

 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

For azure, Meraki is pushing their azure virtual appliance for VPN.

https://meraki.cisco.com/products/appliances/vmx100

 

It's frustrating because many people just want to use Azure's built in VPN...

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

So... we currently have (or had I should say) two site-to-site connections between our offices and Azure. Both locations use an MX84, and the site-to-site connections in Azure are configured as policy based, however one office does have a working connection and one office doesn't. I've already checked every single setting on both sides and it will not work, regardless of what we do. The most frustrating part is, this was configured over 1,5 years ago and worked fine all that time until a week ago!

 

Opening a case led to nothing but even more frustration, since all they're basically saying is: the connection with Azure is not supported by us, unless you use the vMX100 appliance, that means they are saying to just throw more money at the problem instead of actually fixing it!

 

This entire problem wouldn't even exist if IKEv2 was supported already! Yet now with the vMX100 being launched in Azure their incentive to start supporting IKEv2 just became even less, because they have just created a means to screw even more money out of already paying customers.

 

The worst thing is, I've recently signed a new lease for a bunch of new hardware replacing the old hardware we had... Noted that the hardware we used was also Meraki hardware and up to a week ago everything with Azure worked fine! (I.e. also with the new hardware the situation was working as we expected) Now suddenly everything has changed.

 

I'm going to explore my options to nullify or dissolve my lease contract, because regardless of what option I choose, I will have to pay more than I already do to get a working site-to-site connection to Azure and if that is the case then I'd rather have hardware that doesn't limit me in my options and supports things that should be supported by a long time already.

 

Sorry for my rant guys, but I'm done with Meraki.

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

You just sparked a memory for me.

 

About 2 weeks ago I had a customer suffer an outage between their Azure regions.  Azure had a VNET outage, and it broke the Azure VPN gateway service. The outage showed up in their Azure console.  They had to raise a ticket with Microsoft to get it fixed.

 

Have you tried raising a ticket with Azure Support?

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I have but it hasn't solved anything other than the following response:

 

Our about azure VPN page now lists Cisco meraki’s as “Not compatible”,
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices

 

And so does Cisco's page:
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_P...

 

However please note the following as possible workarounds for this.

 

1.The Meraki VPN device cannot set a lifetime value in KB for Phase 2.
2.The drawback here is that policy-based tunnels require a one-to-one match against our lifetime values (both in seconds and KB) on both sides of the IPSec tunnel.
3.Based on mine and my team experience, working with Meraki devices located on-premise, tunnel sometimes connects fine and sometimes it goes down.
4.After working with different customer’s environment and running network captures, we identified the problem is when the Azure Gateway acts as initiator, we send the proposals and the Meraki device will be failing with policy match error.
5.Most of the customers try to setup the Quick Mode Security Association Life Time lower than 3600 so that they ensure the Meraki is always the initiator and the Azure Gateway is really flexible with this and will ignore the device didn’t send the LF in KB.
6.Currently, we don’t have an option from our side to edit the IKE/IPsec parameters.
7.Azure Gateway uses the IKE/IPsec values by default and cannot be changed.


As a workaround for connecting to a Cisco Meraki we offer a Virtual appliance.

 

I tried this proposed workaround, but sadly the tunnel still wouldn't come up, nor would a Meraki engineer support this idea. So in the end we've decided to let this site-to-site idea go and go explore the option of working with a virtual machine that runs something like pfSense or RouterOS to set up IKEv1 site-to-site connections and route them to the appropriate subnet.

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

just adding my +1 to this feature request

Ben
Building a reputation

Re: Feature Request: IKEv2 Support in MX appliances

perhaps we should start adding wishes in the dashboard.. =) 

Sourcenat is also a very very very hard missed feature.. not sure if i'm the only one who needs it?

 

 

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

You would have more luck wishing for pizza (ps - actually give this a try).

Just browsing

Re: Feature Request: IKEv2 Support in MX appliances

Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?