Feature Request: IKEv2 Support in MX appliances

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I raised a support ticket for our MX84

the answer was ... (shown below) - in short nothing in the short term but we can "make a wish" (puts note in bottle and throws into the sea)..;-)

 

"Unfortunately, we do not have an ETA on when we start supporting IKEv2.



Although this feature is not available, we take our customer feedback seriously. We encourage you to use the Meraki dashboard to "make a wish" and submit a feature request. You can submit a feature request at the bottom of any dashboard page. Any wish that is made sends an email to our Product Managers and Development Teams. These wishes are taken into consideration and are used to help shape our product roadmaps. The most wished-for items are incorporated into product development. "

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>Have a new possible client where IKEv2 is a requirement, if we can get an ETA I might still be able to make it a Meraki solution?

 

Meraki never provide dates for un-released features.

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Hi Philip, I know this post is more than a year old, and while I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

vin

How did I get stuck doing this stuff?
Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

You can connect to Azure using a policy based VPN (which can use IKEv1):

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

 

But I'm with you - I don't see any reason for the industry to continue to use IKEv1.  IKEv2 is better in every way.  Death to IKEv1 I say!


Sorry Philip, I meant to quote the post I referenced above....

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

@VinAllen

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.

If you want to connect multiple S2S connections into Azure, this setup either requires a software termination (strongswan, etc, ugh) which then terminates multiple static routes from the Meraki, or another piece of hardware, like an on-premise Cisco 891 that supports dynamic routes using IKEv2.

Supporting IKEv2 dynamic routes to get a better OOB experience with multiple Merakis + Azure would be ideal, since it would eliminate either 1) a virtual appliance that's needed to terminate static routes in Azure, or 2) additional on-premise hardware that supports dynamic route-based VPNs (specifically for folks with multiple S2S needs)

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances


@TimW wrote:

Yes, while IKEv1 will work with a single S2S connection, it does not work for multiple S2S connections in Azure.


Thanks Tim! As you can probably surmise from my signature, networking is not my forte, but alas here I am. I want to move our (small) office's network domain and Active Directory to Azure so I can retire the dinosaur currently running Windows Server 2008! Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

@VinAllen wrote:

Will a single S2S connection work for remote employees who currently VPN into the MX in order to access the network?

A single s2s to Azure with employees coming into the Meraki will work just fine (prob some routes to configure in there, but nothing additional should be needed).

I like to think I encompass the 80%er's of Meraki's line up. We love them. This thread is quite literally the only gripe I have about the MX line up 🙂

Best of luck! Consider looking into the AD Connect tool for syncing up identities into Azure (we went though a similar migration a while back)

 

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>... I did see your other post about using StrongSwan to create a Meraki to Azure VPN, the Microsoft documentation for creating a policy-based VPN still mentions requiring a compatible VPN gateway (I'm looking at you Cisco). Are you saying we can ignore that? I am concerned about the expense of adding another VM for the StrongSwan solution.

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policy based VPN service.

Here to help

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

 

If you use StrongSwan then you don't use the Microsoft policy based VPN.  From memory, the VM to run StrongSwan is cheaper than the Microsoft policy based VPN service.


Indeed! Strongswan in this scenario is a replacement for the RRAS hosted solution Azure provides. The only downside is you're on your own for making StrongSwan highly available / redundant

 

We're in a spot where we'd gladly pay extra for the stability/simplicity that comes with the hosted solution versus us having to setup our own redundant strongswan VMs

 

I feel like it's also unanimous by reading this thread that folks want the simpler implementation of IKEv2 on the MX line, instead of getting into the weeds of StrongSwan (or another appliance)

Kind of a big deal

Re: Feature Request: IKEv2 Support in MX appliances

>The only downside is you're on your own for making StrongSwan highly available / redundant

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).

 

You can filter on "VPN Gateway":

https://azure.microsoft.com/en-us/status/history/

Here to help

Re: Feature Request: IKEv2 Support in MX appliances


@PhilipDAth wrote:

 

Amongst all my customers, in the year to date so far, none has had a Strongswan outage, and one has had an Azure VPN outage (and they actually got a credit from Microsoft for it).


We were hit by the same 9/4 outage in the Texas datacenter (IIRC, we got a credit back too!)

 

All good things to consider, and yes, we have crazy up-time on servers as well so it wouldn't likely be a problem. We live in a 'SLA required' world. 

 

I couldn't agree more that StrongSwan is a good solution. Is it good for everyone? No. Could Meraki close the gap? Of course! 🙂

Ben
A model citizen

Re: Feature Request: IKEv2 Support in MX appliances

Although this feature is not available, we take our customer feedback seriously

Perhaps this person should get a look on this thread.. 

 

The same problem with source NAT not being available on a 10.000$ - 20.000$ MX while a stupid router of 100$ you can get in the supermarket does support this... 

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Now more than a Year.... Hate to be cynical, but is this just an artificial differentiation between ASA's and MX's.  In place only to protect ASA market share?  Or is there a technical reason?

New here

Re: Feature Request: IKEv2 Support in MX appliances

Ben, I do not agree with you ...

 

 

______________________

Nyrenthia

ShowBox-apk

Ben
A model citizen

Re: Feature Request: IKEv2 Support in MX appliances


@Nyrenthia wrote:

Ben, I do not agree with you ...

 

 

______________________

Nyrenthia

ShowBox-apk


 

And that's your full right. I guess you don't have customers needing source nat or any of the missing features. 😃 

 

Cheers,

Ben

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

So ... Make a wish added .... we keep being notified to just 'make a wish' in Meraki to get the IKEv2 added so you can also use the AnyConnect client. We do have Meraki, BUT we are tired of seeing Windows security or network updates breaking the stupid Windows VPN client you have to use to connect in since "Microsoft" knows better than anyone else how your OWN VPN connection is configured ..... right, not!?!?! You can supposedly use AnyConnect IF, again, IF you are using the licensed Systems Manager .... and that's ONLY if you pay for that extra, and supposedly, but not natively using the AnyConnect client separately.



T Roberts
A+, Network+, MCP, Dell and CMNO
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

Request still alive.  IKEv2 for Always on VPN would be nice..

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature. You have to contact Meraki Support to enable. I've tried that twice and both times the Support person had no idea what I was talking about.

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances


@ClaytonMeyer wrote:

I was told recently, by a Meraki SE, that IKEv2 was in fact supported but was a hidden feature.


Correct me if I'm wrong, but doesn't the "S" in "Meraki SE" stand for Sales?

 

Just sayin'.

How did I get stuck doing this stuff?
Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I believe se = "systems engineer", although it's a partner qualification related to assisting AM (account manager).

Getting noticed

Re: Feature Request: IKEv2 Support in MX appliances

See: https://meraki.cisco.com/blog/2019/04/recap-meraki-quarterly-april-2019/

 

We also announced during the Quarterly that public betas are now available for an integration between the MX and Cisco Umbrella (similar to the just-launched MR/Umbrella integration) and for IKEv2. The latter includes support for route-based VPNs and stronger encryption algorithms for non-Meraki VPNs. To enable these betas, get in contact with Meraki Support.

 

So, it is available on Beta now!!!! Anybody testing it?

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

I just contacted the Meraki support.

I was asked to upgrade my firmware to beta and call them back to enable IKEv2.

Update is scheduled for this evening. I will tell you how it worked.

Here to help

Re: Feature Request: IKEv2 Support in MX appliances

I appreciate it!  I'm a bit hesitant about it not being a general release, but we'll see how it goes for you!

New here

Re: Feature Request: IKEv2 Support in MX appliances

@Signix  any update on this?

Conversationalist

Re: Feature Request: IKEv2 Support in MX appliances

Sorry. Everything went well. After updating the firmware I have access to IKE v2 parameters.

 

I had to configure my Azure VPN with PowerShell:

 

 

# First get your current connection on Azure
$connection = Get-AzVirtualNetworkGatewayConnection -Name "Office" -ResourceGroupName "Internal"

# Then create an IPsec policy with the lifetime and DH group you configured on Meraki
$ipsecpolicy = New-AzIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA1 `
    -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
    -PfsGroup None -SALifeTimeSeconds 3600

# Apply the policy to your connection, with policy-based traffic selectors enabled
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection `
    -IpsecPolicies $ipsecpolicy -UsePolicyBasedTrafficSelectors $True

 

 

It has now been working smoothly for a month and it solved a lot of our problems.

The only downside is that you have to use a VpnGw1 subscription on Azure VPN, which costs more than the base subscription, but this is way less than a virtual MX.

 

If you have any other questions let me know.

Have a nice day

PS There is a nice conversation about this : https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/m-p/49088#M12406
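An added example, not part of the post above and not Meraki or Microsoft code: a check that compares the IPsec policy read back from the Azure connection with the values set on the MX, since a mismatch in any parameter stops the tunnel from negotiating. The function name `Test-IpsecPolicy`, the `$legacy` list and the sample policy object are assumptions of this example.

```powershell
# Added example. Values the post applied with New-AzIpsecPolicy (the MX side).
$expected = [ordered]@{
    IkeEncryption   = 'AES256'; IkeIntegrity   = 'SHA1'; DhGroup  = 'DHGroup2'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA1'; PfsGroup = 'None'
    SALifeTimeSeconds = 3600
}
# Assumption of this example: values treated as legacy and worth flagging.
$legacy = @{
    IkeIntegrity   = @('SHA1', 'MD5')
    IpsecIntegrity = @('SHA1', 'MD5')
    DhGroup        = @('DHGroup1', 'DHGroup2')
    PfsGroup       = @('None', 'PFS1', 'PFS2')
}

function Test-IpsecPolicy {
    param(
        [Parameter(Mandatory)] $Policy,   # one entry of $connection.IpsecPolicies
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected,
        [hashtable] $Legacy = @{}
    )
    foreach ($name in $Expected.Keys) {
        $actual = [string]$Policy.$name
        [pscustomobject]@{
            Parameter = $name
            Azure     = $actual
            MX        = [string]$Expected[$name]
            Match     = ($actual -eq [string]$Expected[$name])
            Legacy    = ($Legacy.ContainsKey($name) -and $Legacy[$name] -contains $actual)
        }
    }
}

# Constructed sample standing in for a policy read back from Azure; it differs
# from the MX values in DhGroup and SALifeTimeSeconds to show a mismatch.
$sample = [pscustomobject]@{
    IkeEncryption   = 'AES256'; IkeIntegrity   = 'SHA1'; DhGroup  = 'DHGroup14'
    IpsecEncryption = 'AES256'; IpsecIntegrity = 'SHA1'; PfsGroup = 'None'
    SALifeTimeSeconds = 27000
}
$report = Test-IpsecPolicy -Policy $sample -Expected $expected -Legacy $legacy
$report | Format-Table -AutoSize
if ($report.Match -contains $false) { Write-Warning 'Azure policy differs from the MX settings.' }

# Against the real connection (names as used in the post):
# $c = Get-AzVirtualNetworkGatewayConnection -Name "Office" -ResourceGroupName "Internal"
# $c.IpsecPolicies | ForEach-Object { Test-IpsecPolicy -Policy $_ -Expected $expected -Legacy $legacy }
```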
