
Feature Request: IKEv2 Support in MX appliances

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I raised a support ticket for our MX84.

The answer was ... (shown below) - in short, nothing in the short term, but we can "make a wish" (puts note in bottle and throws into the sea)..;-)

 

"Unfortunately, we do not have an ETA on when we start supporting IKEv2.



Although this feature is not available, we take our customer feedback seriously. We encourage you to use the Meraki dashboard to "make a wish" and submit a feature request. You can submit a feature request at the bottom of any dashboard page. Any wish that is made sends an email to our Product Managers and Development Teams. These wishes are taken into consideration and are used to help shape our product roadmaps. The most wished-for items are incorporated into product development. "

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?

 

Meraki never provide dates for un-released features.

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Hi Philip, I know this post is more than a year old, and while I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

vin

How did I get stuck doing this stuff?
Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

You can connect to Azure using a policy based VPN (which can use IKEv1):

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

 

But I'm with you - I don't see any reason for the industry to continue to use IKEv1.  IKEv2 is better in every way.  Death to IKEv1 I say!


Sorry Philip, I meant to quote the post I referenced above....

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

@VinAllen

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.

If you want to connect multiple S2S connections into Azure, this setup either requires a software termination (strongswan, etc, ugh) which then terminates multiple static routes from the Meraki, or another piece of hardware, like an on-premise Cisco 891 that supports dynamic routes using IKEv2.

Supporting IKEv2 dynamic routes to get a better OOB experience with multiple Merakis + Azure would be ideal, since it would eliminate either 1) a virtual appliance that's needed to terminate static routes in Azure, or 2) additional on-premise hardware that supports dynamic route-based VPNs (specifically for folks with multiple S2S needs)

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances


@TimW wrote:

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.


Thanks Tim! As you can probably surmise from my signature, networking is not my forte, but alas here I am. I want to move our (small) office's network domain and Active Directory to Azure so I can retire the dinosaur currently running Windows Server 2008! Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

@VinAllen wrote:

Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

A single s2s to Azure with employees coming into the Meraki will work just fine (prob some routes to configure in there, but nothing additional should be needed).

I like to think I encompass the 80%er's of Meraki's line up. We love them. This thread is quite literally the only gripe I have about the MX line up 🙂

Best of luck! Consider looking into the AD Connect tool for syncing up identities into Azure (we went though a similar migration a while back)

 

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>... I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policy based VPN service.

Here to help

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policy based VPN service.


Indeed! Strongswan in this scenario is a replacement for the RRAS hosted solution Azure provides. The only downside is you're on your own for making StrongSwan highly available / redundant

 

We're in a spot where we'd gladly pay extra for the stability/simplicity that comes with the hosted solution versus us having to setup our own redundant strongswan VMs

 

I feel like it's also unanimous by reading this thread that folks want the simpler implementation of IKEv2 on the MX line, instead of getting into the weeds of StrongSwan (or another appliance)

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>The only downside is you're on your own for making StrongSwan highly available / redundant

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).

 

You can filter on "VPN Gateway":

https://azure.microsoft.com/en-us/status/history/

Here to help

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).


We were hit by the same 9/4 outage in the Texas datacenter (IIRC, we too got a credit back too!)

 

All good things to consider, and yes, we have crazy up-time on servers as well so it wouldn't likely be a problem. We live in a 'SLA required' world. 

 

I couldn't agree more that StrongSwan is a good solution. Is it good for everyone? No. Could Meraki close the gap? Of course! 🙂

A model citizen

Re: Feature Request: IKEv2 Support in MX appliances

Although this feature is not available, we take our customer feedback seriously

Perhaps this person should get a look on this thread.. 

 

The same problem with source NAT not being available on a 10.000$ - 20.000$ MX while a stupid router of 100$ you can get in the supermarket does support this... 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Now more than a Year.... Hate to be cynical, but is this just an artificial differentiation between ASA's and MX's.  In place only to protect ASA market share?  Or is there a technical reason?

New here

Re: Feature Request: IKEv2 Support in MX appliances

Ben, I do not agree with you ...

 

 

______________________

Nyrenthia

ShowBox-apk

A model citizen

Re: Feature Request: IKEv2 Support in MX appliances


@Nyrenthia wrote:

Ben, I do not agree with you ...

 

 

______________________

Nyrenthia

ShowBox-apk


 

And that's your full right. I guess you don't have customers needing source nat or any of the missing features. 😃 

 

Cheers,

Ben

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

So ... Make a wish added .... we keep being notified to just 'make a wish' in Meraki to get the IKEv2 added so you can also use the AnyConnect client. We do have Meraki, BUT we are tired of seeing Windows security or network updates breaking the stupid Windows VPN client you have to use to connect in since "Microsoft" knows better than anyone else how your OWN VPN connection is configured ..... right, not!?!?! You can supposedly use AnyConnect IF, again, IF you are using the licensed Systems Manager .... and that's ONLY if you pay for that extra, and supposedly, but not natively using the AnyConnect client separately.



T Roberts
A+, Network+, MCP, Dell and CMNO
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

Request still alive.  IKEv2 for Always on VPN would be nice..

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature. You have to contact Meraki Support to enable. I've tried that twice and both times the Support person had no idea what I was talking about.

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances


@ClaytonMeyer wrote:

I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature.


Correct me if I'm wrong, but doesn't the "S" in "Meraki SE" stand for Sales?

 

Just sayin'.

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I believe se = "systems engineer", although it's a partner qualification related to assisting AM (account manager).

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

See: https://meraki.cisco.com/blog/2019/04/recap-meraki-quarterly-april-2019/

 

We also announced during the Quarterly that public betas are now available for an integration between the MX and Cisco Umbrella (similar to the just-launched MR/Umbrella integration) and for IKEv2. The latter includes support for route-based VPNs and stronger encryption algorithms for non-Meraki VPNs. To enable these betas, get in contact with Meraki Support.

 

So, it is available on Beta now!!!! Anybody testing it?

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

I just contacted the Meraki support.

I was asked to upgrade my firmware to beta and call them back to enable IKEv2.

Update is scheduled for this evening. I will tell you how it worked.

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I appreciate it!  I'm a bit hesitant about it not being a general release, but we'll see how it goes for you!

Just browsing

Re: Feature Request: IKEv2 Support in MX appliances

@Signix  any update on this?

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Sorry. Everything went well. After updating the firmware I have access to IKE v2 parameters.

 

I had to configure my Azure VPN with PowerShell:

 

 

# First get your current connection on Azure
$connection = Get-AzVirtualNetworkGatewayConnection -Name "Office" -ResourceGroupName "Internal"

# Then create an IPsec policy with the lifetime and DH group you configured on Meraki
$ipsecpolicy = New-AzIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA1 `
-IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
-PfsGroup None -SALifeTimeSeconds 3600


# Apply the policy to your connection
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -IpsecPolicies $ipsecpolicy -UsePolicyBasedTrafficSelectors $True

 

 

It is now working smoothly for a month and it solved a lot of our problems.

The only downside is that you have to use a VpnGw1 subscription on Azure VPN, which costs more than the base subscription, but this is way less than a virtual MX.

 

If you have any other question let me know.

Have a nice day

PS There is a nice conversation about this : https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/m-p/49088#M12406
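
A check that can be run before applying a policy like the one in the post above; this is an added example, not part of the original post or any Meraki or Microsoft tooling. It lists fields that differ between the two ends and flags legacy settings (SHA-1 integrity, the 1024-bit DH group 2, no PFS) for review. `Compare-IpsecProposal`, the hashtable layout and the MX-side values are assumptions made for illustration.

```powershell
# Added example. Sample values are constructed; the Azure side mirrors the post above.
function Compare-IpsecProposal {
    param(
        [Parameter(Mandatory)] [hashtable] $Local,   # values entered on the MX (hypothetical layout)
        [Parameter(Mandatory)] [hashtable] $Remote   # values held by the Azure IPsec policy
    )
    $findings = @()
    # 1. Fields that differ between the two ends and need reconciling.
    foreach ($key in ($Local.Keys | Sort-Object)) {
        if ("$($Local[$key])" -ne "$($Remote[$key])") {
            $findings += [pscustomobject]@{
                Field  = $key
                Kind   = 'Mismatch'
                Detail = "MX=$($Local[$key]) Azure=$($Remote[$key])"
            }
        }
    }
    # 2. Legacy settings that negotiate fine but deserve a second look.
    $legacy = [ordered]@{
        IkeIntegrity   = @{ Flag = 'SHA1';     Why = 'SHA-1 based integrity' }
        IpsecIntegrity = @{ Flag = 'SHA1';     Why = 'SHA-1 based integrity' }
        DhGroup        = @{ Flag = 'DHGroup2'; Why = '1024-bit MODP group' }
        PfsGroup       = @{ Flag = 'None';     Why = 'no PFS for child SAs' }
    }
    foreach ($key in $legacy.Keys) {
        if ("$($Remote[$key])" -eq $legacy[$key].Flag) {
            $findings += [pscustomobject]@{ Field = $key; Kind = 'Review'; Detail = $legacy[$key].Why }
        }
    }
    return $findings
}

# Constructed MX-side settings; the lifetime is deliberately different to show a mismatch.
$mx = @{
    IkeEncryption = 'AES256'; IkeIntegrity = 'SHA1'; DhGroup = 'DHGroup2'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA1'; PfsGroup = 'None'
    SALifeTimeSeconds = 28800
}
# Azure-side settings as given to New-AzIpsecPolicy in the post.
$azure = @{
    IkeEncryption = 'AES256'; IkeIntegrity = 'SHA1'; DhGroup = 'DHGroup2'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA1'; PfsGroup = 'None'
    SALifeTimeSeconds = 3600
}
Compare-IpsecProposal -Local $mx -Remote $azure | Format-Table -AutoSize
```

With these inputs the function reports one `Mismatch` row for `SALifeTimeSeconds` and four `Review` rows.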

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I take it there still hasn't been any update on when/if IKEv2 will be available? 

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

It is in 15.x if you need it, new features are generally going into that release train 

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

Thank you for that.  Any idea when this will be available?

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

@PJ51182 it is, use the 15.x release train.  We have been running a 1500 user 9 site enterprise on MX15 since last summer.  It has been stable with no major issues.

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

@cmr 15.x (15.29) as I type this is still in Beta.  The stable release is 14.40 and the stable release candidate is 14.50.

 

I wouldn't be using Beta releases in a live environment.  My question is when 15.x firmware will be released as the stable release?

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

Take it there STILL isn't a release date for a new stable release to include IKEv2 for Azure?

 

 

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I'm using it already for our VPN to Azure - you need to go to the beta firmware for the MX and it works

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

Hi @danielpugh I know it's been available for some time if you use the beta release.  When installing kit for a customer it's not best practice to be using beta versions.  It's extremely frustrating that a very common requirement (VPN to Azure) still isn't a feature of a stable release. 

New here

Re: Feature Request: IKEv2 Support in MX appliances

So, just to be clear here -- specifically for Azure customers -- the beta firmware right now does include IKEv2 but I was told by my Meraki rep that they still do not support Route Based VPNs, only Policy Based. Without support for Route Based VPNs we're limited to only 1 S2S tunnel in Azure so that's not really great either. 

 

Not to piggy back on this feature request but, since they do kinda go hand in hand, is there any word on support for Route Based VPNs?

A model citizen

Re: Feature Request: IKEv2 Support in MX appliances

You can do multiple S2S VPNs from Azure, the VPNs just have to be to different Meraki networks/sites. I'm not sure what you'd achieve with multiple S2S VPNs to the same site, unless you're looking at redundancy to different Azure regions? You can also achieve the HA configuration across regions with the vMX now, so that's an alternative. Have a look at these two documents.

 

https://documentation.meraki.com/MX/Site-to-site_VPN/Configuring_Site_to_Site_VPN_tunnels_to_Azure_V...

 

https://documentation.meraki.com/MX/Other_Topics/Deploying_Highly_Available_vMX100s_in_Azure

 
