Feature Request: IKEv2 Support in MX appliances

Conversationalist

This feature request was created long ago on Meraki Users Group forum.

Are there any updates regarding this topic? In our case IKEv2 needed for VPN to Azure.

74 REPLIES
Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

You can connect to Azure using a policy based VPN (which can use IKEv1):

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

 

But I'm with you - I don't see any reason for the industry to continue to use IKEv1.  IKEv2 is better in every way.  Death to IKEv1 I say!

Head in the Cloud

Re: Feature Request: IKEv2 Support in MX appliances

I'm also waiting for the IPSEC encryption type of NULL to be supported 😞

Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Hi Philip, I know this post is more than a year old, and while I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

vin

How did I get stuck doing this stuff?
Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>... I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policy based VPN service.

Here to help

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policy based VPN service.


Indeed! Strongswan in this scenario is a replacement for the RRAS hosted solution Azure provides. The only downside is you're on your own for making StrongSwan highly available / redundant

 

We're in a spot where we'd gladly pay extra for the stability/simplicity that comes with the hosted solution versus us having to set up our own redundant StrongSwan VMs

 

I feel like it's also unanimous by reading this thread that folks want the simpler implementation of IKEv2 on the MX line, instead of getting into the weeds of StrongSwan (or another appliance)

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>The only downside is you're on your own for making StrongSwan highly available / redundant

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).

 

You can filter on "VPN Gateway":

https://azure.microsoft.com/en-us/status/history/

Here to help

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).


We were hit by the same 9/4 outage in the Texas datacenter (IIRC, we got a credit back too!)

 

All good things to consider, and yes, we have crazy up-time on servers as well so it wouldn't likely be a problem. We live in a 'SLA required' world. 

 

I couldn't agree more that StrongSwan is a good solution. Is it good for everyone? No. Could Meraki close the gap? Of course! 🙂

Ben
A model citizen

Re: Feature Request: IKEv2 Support in MX appliances

Although this feature is not available, we take our customer feedback seriously

Perhaps this person should get a look on this thread.. 

 

The same problem with sourcenat not being available on a 10.000$ - 20.000$ MX while a stupid Router of 100$ you can get in the supermarket does support this... 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

You can connect to Azure using a policy based VPN (which can use IKEv1):

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

 

But I'm with you - I don't see any reason for the industry to continue to use IKEv1.  IKEv2 is better in every way.  Death to IKEv1 I say!


Sorry Philip, I meant to quote the post I referenced above....

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

@VinAllen

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.

If you want to connect multiple S2S connections into Azure, this setup either requires a software termination (strongswan, etc, ugh) which then terminates multiple static routes from the Meraki, or another piece of hardware, like an on-premise Cisco 891 that supports dynamic routes using IKEv2.

Supporting IKEv2 dynamic routes to get a better OOB experience with multiple Meraki's + Azure would be ideal, since it would eliminate either 1) a virtual appliance that's needed to terminate static routes in Azure, or 2) additional on-premise hardware that supports dynamic route-based VPNs (specifically for folks with multiple S2S needs)

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances


@TimW wrote:

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.


Thanks Tim! As you can probably surmise from my signature, networking is not my forte, but alas here I am. I want to move our (small) office's network domain and Active Directory to Azure so I can retire the dinosaur currently running Windows Server 2008! Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

@VinAllen wrote:

Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

A single s2s to Azure with employees coming into the Meraki will work just fine (prob some routes to configure in there, but nothing additional should be needed).

I like to think I encompass the 80%er's of Meraki's line up. We love them. This thread is quite literally the only gripe I have about the MX line up 🙂

Best of luck! Consider looking into the AD Connect tool for syncing up identities into Azure (we went through a similar migration a while back)

 

Ben
A model citizen

Re: Feature Request: IKEv2 Support in MX appliances

Still waiting for IKEv2..

 

Would be great as said in the MC topic that this community could also serve for features, questions, ...... towards Meraki. 

A bit the same as the "wishes" feature in the dashboard.

 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Yes please.. we've been waiting for this feature for past 2 years. 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Would be nice to have a reply from vendor's side. I don't think that IKEv2 implementation on Meraki appliances is not technically possible.

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

I can't see that being true.

 

Take a Cisco ASA.  You can configure it to do a VPN using either/or of IKEv1 and IKEv2.  If you configure both then it tries to build the VPN using IKEv2 first and if that fails it tries IKEv1.

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I can't see them rushing to implement IKEv2 now that they have VMx100's in both AWS and Azure.
Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

What a disappointment.. I really liked the concept of Meraki, but since it still is not using IKEv2 we need to find something else. I know we can create a policy based VPN on azure, but then we have the next pitfalls (or am I misunderstanding this?):

 

 


| | PolicyBased VPN Gateway | RouteBased VPN Gateway |
|---|---|---|
| Azure Gateway SKU | Basic | Basic, Standard, HighPerformance, VpnGw1, VpnGw2, VpnGw3 |
| IKE version | IKEv1 | IKEv2 |
| Max. S2S connections | 1 | Basic/Standard: 10; HighPerformance: 30 |

 

So we want a route based vpn... 

 

Not nice Meraki!

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

If you need more than one site to site VPN then your best option is the vMX at this point in time.

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

If we can use it instead of the MS Vnet Gateway and pricing is comparable, we can live with it, however, I can not find it in the Azure Portal. Also on the Meraki site there is no documentation (at least not that I can find) that explains about it for Azure, only for AWS...

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

This says it is available in October, so perhaps any day now ...

https://meraki.cisco.com/products/appliances/vmx100

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

This would be a great addition.  Any update?




 

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

It is available now. I have been given pricing for the license. 

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

Still want IKEv2 Support for MX. VMX is not cost effective when only a few sites connecting to Azure has MXs while the many more sites using other firewall/VPN vendors which are IKEv2 compliant. 

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

Such an irony that a Cisco company does not support IKEv2. 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Hi wey2go,

Thanks for posting this. Is it available to select in vMX interface? I just deleted my vMX PoC few days ago. Is there an official announcement?

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances


@NikolaiProniaev wrote:

Hi wey2go,

Thanks for posting this. Is it available to select in vMX interface? I just deleted my vMX PoC few days ago. Is there an official announcement?


Still no IKEv2 Support for vMX. vMX is probably a good option if all your sites are using MX wanting to connect to Azure or AWS and capitalising in the SD-WAN, Mesh VPN and ease of cloud management. 

 

Meraki should have IKEv2 Support for their MX. 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

I am meraki and I approve this feature request...

 

But really, please add this.

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

When can we see IKEv2 Support in MX?
New here

Re: Feature Request: IKEv2 Support in MX appliances

A date for IKEv2 support would be great.

Until then we can't use Meraki for Azure deployment of smaller customers.

New here

Re: Feature Request: IKEv2 Support in MX appliances

We had to run Cisco ASAv appliances in our Azure tenant in order to terminate the IKEv1 tunnels from the branch office MX firewalls.

 

Otherwise we would have terminated the tunnels on the Azure VPN gateway. 

 

It's really perplexing that IKEv2 isn't supported.


Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

I wrote an article a while ago about how to use a low cost StrongSwan instance in Azure for terminating Meraki VPNs.

http://www.ifm.net.nz/cookbooks/meraki-vpn-to-azure.html

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

Alternative with StrongArm or anything else is not practical if not the whole organisation using Meraki. Imagine you have 20 sites, all other sites have IKEv2 capable VPN and you being the only one with Meraki, unable to connect via IKEv2 to Azure.

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

I agree. Please add it.

New here

Re: Feature Request: IKEv2 Support in MX appliances

As Meraki_L3 I can say this is a much needed feature.  Come on guys! @meraki

New here

Re: Feature Request: IKEv2 Support in MX appliances

I can't believe Meraki doesn't support IKEv2! We were looking at using Meraki's in a managed firewall service but cannot since they don't support IKEv2. Anything beyond basic VPN connectivity to Azure requires IKEv2. Is there any ETA on when this will be implemented? Meraki is a good fit for us and our clients if IKEv2 can be added.

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

Sadly, no ETA. No news. No roadmap on IKE V2 support.

 

Need to re-consider in recommending MX to all my clients since IKE V2 is not supported.

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

IKEv2 support is probably at the bottom of Meraki's to do list until more users create a stir on this. Please talk to your local Meraki rep and every Meraki channel you have to request this feature.

 

Common @meraki

 

Ben
A model citizen

Re: Feature Request: IKEv2 Support in MX appliances

Guys any idea if IkeV2 is available yet? 

Cheers

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

Not available yet.

Ben
A model citizen

Re: Feature Request: IKEv2 Support in MX appliances

Called my sales rep and logged a ticket.

Curious on how they are going to respond at support.

 

Will keep this topic updated.

 

Cheers,

Ben

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

Another vote for IKEv2 support
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

Would love to see IKEv2 available on the Meraki's -- we have a need for this as well

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I am currently evaluating SD-WAN vendors. Meraki is my preferred vendor but to meet all the technical requirements I require the VPN parameters to comply with NCSC's foundation grade policy as a minimum.

 

I would like AutoVPN to support IKE-v2, Diffie-Hellman Group 14 and a desired would be certificate based authentication or stronger Pre-Shared Key

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

This is something our organization wants so we can utilize a client VPN application. Hopefully this is on the short term radar! 

New here

Re: Feature Request: IKEv2 Support in MX appliances

I am floored that Meraki MX's Auto VPN doesn't support IKEv2.

 

As of 6-6-2018, Azure put Meraki on their "incompatibility list" ... 

 

IKEv2 is better in every way. It was invented over a decade ago.

 

I was getting ready to upgrade 102 of our offices with Meraki MX65W's until I realized there was no IKEv2 support. Now we'll have to use Calyptix or possibly Unifi.

Building a reputation

Re: Feature Request: IKEv2 Support in MX appliances

Wow, really? Meraki on Azure incompatibility list? Do you have a link for that?
Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Ben
A model citizen

Re: Feature Request: IKEv2 Support in MX appliances

Perhaps we can all start submitting daily wishes into the dashboard "IkeV2"
