Seems the guys at Meraki have been silent on this.
For the price of the license and hardware you would expect it to support IKEv2.
Is there any update on this at all?
This silence is killing my sales leads for those when they need VPN to Azure. These are multi-sites where we are not able to change anything on the Azure side.
For azure, Meraki is pushing their azure virtual appliance for VPN.
It's frustrating because many people just want to use Azure's built in VPN...
So... we currently have (or had I should say) two site-to-site connections between our offices and Azure. Both locations use an MX84, and the site-to-site connections in Azure are configured as policy based, however one office does have a working connection and one office doesn't. I've already checked every single setting on both sides and it will not work, regardless of what we do. The most frustrating part is, this was configured over 1,5 years ago and worked fine all that time until a week ago!
Opening a case led to nothing but even more frustration, since all they're basically saying is: the connection with Azure is not supported by us, unless you use the vMX100 appliance, that means they are saying to just throw more money at the problem instead of actually fixing it!
This entire problem wouldn't even exist if IKEv2 was supported already! Yet now with the vMX100 being launched in Azure their incentive to start supporting IKEv2 just became even less, because they have just created a means to screw even more money out of already paying customers.
The worst thing is, I've recently signed a new lease for a bunch of new hardware replacing the old hardware we had... Noted that the hardware we used was also Meraki hardware and up to a week ago everything with Azure worked fine! (I.e. also with the new hardware the situation was working as we expected) Now suddenly everything has changed.
I'm going to explore my options to nullify or dissolve my lease contract, because regardless of what option I choose, I will have to pay more than I already do to get a working site-to-site connection to Azure and if that is the case then I'd rather have hardware that doesn't limit me in my options and supports things that should be supported by a long time already.
Sorry for my rant guys, but I'm done with Meraki.
You just sparked a memory for me.
About 2 weeks ago I had a customer suffer an outage between their Azure regions. Azure had a VNET outage, and it broke the Azure VPN gateway service. The outage showed up in their Azure console. They had to raise a ticket with Microsoft to get it fixed.
Have you tried raising a ticket with Azure Support?
I have but it hasn't solved anything other than the following response:
Our about azure VPN page now lists Cisco meraki’s as “Not compatible”,
And so does Cisco's page:
However please note the following as possible workarounds for this.
1.The Meraki VPN device cannot set a lifetime value in KB for Phase 2.
2.The drawback here is that policy-based tunnels require a one-to-one match against our lifetime values (both in seconds and KB) on both sides of the IPSec tunnel.
3.Based on mine and my team experience, working with Meraki devices located on-premise, tunnel sometimes connects fine and sometimes it goes down.
4.After working with different customer’s environment and running network captures, we identified the problem is when the Azure Gateway acts as initiator, we send the proposals and the Meraki device will be failing with policy match error.
5.Most of the customers try to setup the Quick Mode Security Association Life Time lower than 3600 so that they ensure the Meraki is always the initiator and the Azure Gateway is really flexible with this and will ignore the device didn’t send the LF in KB.
6.Currently, we don’t have an option from our side to edit the IKE/IPsec parameters.
7.Azure Gateway uses the IKE/IPsec values by default and cannot be changed.
As a workaround for connecting to a Cisco Meraki we offer a Virtual appliance.
I tried this proposed workaround, but sadly the tunnel still wouldn't come up, nor would a Meraki engineer support this idea. So in the end we've decided to let this site-to-site idea go and go explore the option of working with a virtual machine that runs something like pfSense or RouterOS to set up IKEv1 site-to-site connections and route them to the appropriate subnet.
perhaps we should start adding wishes in the dashboard.. 😃
Sourcenat is also a very very very hard missed feature.. not sure if i'm the only one who needs it?
Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?
i raised a support ticket for our mx84
the answer was ... (show below) - in short nothing in the short term but we can "make a wish" (puts note in bottle and throws into the sea)..;-)
"Unfortunately, we do not have an ETA on when we start supporting IKEv2.
Although this feature is not available, we take our customer feedback seriously. We encourage you to use the Meraki dashboard to "make a wish" and submit a feature request. You can submit a feature request at the bottom of any dashboard page. Any wish that is made sends an email to our Product Managers and Development Teams. These wishes are taken into consideration and are used to help shape our product roadmaps. The most wished-for items are incorporated into product development. "
>Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?
Meraki never provide dates for un-released features.
So ... Make a wish added .... we keep being notified to just 'make a wish' in Meraki to get the IKEv2 added so you can also use the AnyConnect client. We do have Meraki, BUT we are tired of seeing Windows security or network updates breaking the stupid Windows VPN client you have to use to connect in since "Microsoft" knows better than anyone else how your OWN VPN connection is configured ..... right, not!?!?! You can supposedly use AnyConnect IF, again, IF you are using the licensed Systems Manager .... and that's ONLY if you pay for that extra, and supposedly, but not natively using the AnyConnect client separately.
I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature. You have to contact Meraki Support to enable. I've tried that twice and both times the Support person had no idea what I was talking about.
I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature.
Correct me if I'm wrong, but doesn't the "S" in "Meraki SE" stand for Sales?
I believe se = "systems engineer", although it's a partner qualification related to assisting AM (account manager).
We also announced during the Quarterly that public betas are now available for an integration between the MX and Cisco Umbrella (similar to the just-launched MR/Umbrella integration) and for IKEv2. The latter includes support for route-based VPNs and stronger encryption algorithms for non-Meraki VPNs. To enable these betas, get in contact with Meraki Support.
So, it is available on Beta now!!!! Anybody testing it?
I just contacted the Meraki support.
I was asked to upgrade my firmware to beta and call them back to enable IKEv2.
Update is schedule for this evening. I will tell you how it worked.
I appreciate it! I'm a bit hesitant about it not being a general release, but we'll see how it goes for you!
Sorry. Everything went well. After updating the firmware I have access to IKE v2 parameters.
I had to configure my Azure VPN with powershell :
# first get your current connexion on Azure $connection = Get-AzVirtualNetworkGatewayConnection -Name "Office" -ResourceGroupName "Internal" # then create an IPSec policy whith the lifetime and DH Group you configured on Meraki $ipsecpolicy = New-AzIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA1 ` -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 ` -PfsGroup None -SALifeTimeSeconds 3600 # Apply policy to your connection Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -IpsecPolicies $ipsecpolicy -UsePolicyBasedTrafficSelectors $True
It is now working smoothly for a month and it solved a lot of our problems.
The only downside is that you have to use a VpnGw1 subscription on Azure VPN which cost more than base subscription but this is way less than a virtual MX.
If you have any other question let me know.
Have a nice day
PS There is a nice conversation about this : https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/m-p/49088#M12406
Now more than a Year.... Hate to be cynical, but is this just an artificial differentiation between ASA's and MX's. In place only to protect ASA market share? Or is there a technical reason?
@PJ51182 it is, use the 15.x release train. We have been running a 1500 user 9 site enterprise on MX15 since last summer. It has been stable with no major issues.
@cmr 15.x (15.29) as I type this is still in Beta. The stable release is 14.40 and the stable release candidate is 14.50.
I wouldn't be using Beta releases in a live environment. My question is when 15.x firmware will be released as the stable release?