cancel
Showing results for 
Search instead for 
Did you mean: 

Feature Request: IKEv2 Support in MX appliances

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

i raised a support ticket for our mx84

the answer was ... (show below) - in short nothing in the short term but we can "make a wish" (puts note in bottle and throws into the sea)..;-)

 

"Unfortunately, we do not have an ETA on when we start supporting IKEv2.



Although this feature is not available, we take our customer feedback seriously. We encourage you to use the Meraki dashboard to "make a wish" and submit a feature request. You can submit a feature request at the bottom of any dashboard page. Any wish that is made sends an email to our Product Managers and Development Teams. These wishes are taken into consideration and are used to help shape our product roadmaps. The most wished-for items are incorporated into product development. "

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?

 

Meraki never provide dates for un-released features.

New here

Re: Feature Request: IKEv2 Support in MX appliances

Hi Philip, I know this post is more than a year old, and while I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

vin

How did I get stuck doing this stuff?
New here

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

You can connect to Azure using a policy based VPN (which can use IKEv1):

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

 

But I'm with you - I don't see any reason for the industry to continue to use IKEv1.  IKEv2 is better in every way.  Death to IKEv1 I say!


Sorry Philip, I meant to quote the post I referenced above....

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

@VinAllen

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.

If you want to connect multiple S2S connections into Azure, this setup either requires a software termination (strongswan, etc, ugh) which then terminates multiple static routes from the Meraki, or another piece of hardware, like an on-premise Cisco 891 that supports dynamic routes using IKEv2.

Supporting IKEv2 dynamic routes to get a better OOB experience with multiple Meraki's + Azure would be ideal, since it would eliminate either 1) a virtual appliance thats needed to terminate static routes in Azure, or 2) additional on-premise hardware thats supports dynamic route-based vpns (specifically for folks with multiple s2s needs)

New here

Re: Feature Request: IKEv2 Support in MX appliances


@TimW wrote:

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.


Thanks Tim! As you can probably surmise from my signature, networking is not my forte, but alas here I am. I want to move our (small) office's network domain and Active Directory to Azure so I can retire the dinosaur currently running Windows Server 2008! Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

@VinAllen wrote:

Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

A single s2s to Azure with employees coming into the Meraki will work just fine (prob some routes to configure in there, but nothing additional should be needed).

I like to think I encompass the 80%er's of Meraki's line up. We love them. This thread is quite literally the only gripe I have about the MX line up Smiley Happy

Best of luck! Consider looking into the AD Connect tool for syncing up identities into Azure (we went though a similar migration a while back)

 

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>... I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for >creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you >saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policay based VPN service.

Here to help

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policay based VPN service.


Indeed! Strongswan in this scenario is a replacement for the RRAS hosted solution Azure provides. The only downside is you're on your own for making StrongSwan highly available / redundant

 

We're in a spot where we'd gladly pay extra for the stability/simplicity that comes with the hosted solution versus us having to setup our own redundant strongswan VMs

 

I feel like its also unanimous by reading this thread that folks want the simpler implementation of IKEv2 on the MX line, instead of getting into the weeds of StrongSwan (or another appliance)

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>The only downside is you're on your own for making StrongSwan highly available / redundant

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).

 

You can filter on "VPN Gateway":

https://azure.microsoft.com/en-us/status/history/

Here to help

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).


We were hit by the same 9/4 outage in the Texas datacenter (IIRC, we too got a credit back too!)

 

All good things to consider, and yes, we have crazy up-time on servers as well so it wouldn't likely be a problem. We live in a 'SLA required' world. 

 

I couldnt agree more that StrongSwan is a good solution. Is it good for everyone? No. Could Meraki close the gap? Of course! Smiley Happy

Ben
Building a reputation

Re: Feature Request: IKEv2 Support in MX appliances

Although this feature is not available, we take our customer feedback seriously

Perhaps this person should get a look on this thread.. 

 

The same problem with sourcenat not beeing available on a 10.000$ - 20.000$ MX while a stupid Router of 100$ you can get in the supermarket does support this... 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Now more than a Year.... Hate to be cynical, but is this just an artificial differentiation between ASA's and MX's.  In place only to protect ASA market share?  Or is there a technical reason?