IKEv2 support on MX devices any update
Solved! Go to solution.
There is IKEv2 support for 3rd Party VPN on 15.12+ beta and this is enabled via support. UI is in the works but not here yet.
Security Level v2 is also available on Auto-VPN in 14.latest. Again enabled in the backend for now
[Mod note: See also the documentation here, which says: "Please note that IKEv2 is only supported on MX Security Appliances that are running firmware version 15.12 or higher. This version of IKE must also be enabled by Cisco Meraki support in order to function."]
Pure speculation - but 14.x is being pushed out like craxy to MX. Soon that means 13.x will dropp off as an option, which means 15.x can be added .... and 15.x has IKEv2.
@PhilipDAth wrote:Pure speculation - but 14.x is being pushed out like craxy to MX. Soon that means 13.x will dropp off as an option, which means 15.x can be added .... and 15.x has IKEv2.
Are the firmware versions the same for all countries? I keep thinking we are behind on versioning in EU..
Stable release candidate 14.39 but beta => coming soon without version numbers of features listed.
I believe it is the same in all countries - but it gets rolled out shard by shard. Usually once they start all the shards are done within 24 hours.
Just to flesh this response out a little bit - I've asked Meraki tech support and specifically IKEv2 support is available in MX Wired 15.12 and above. They have also said that for IKEv2 to work would require adding a back end feature. I assume this means manually activating something in the specific MX cloud account so perhaps the configuration options are visible. I'm assuming that we will need to get them on the phone to get this firmware applied and IKEv2 features activated. The usual caveats surrounding the fact this is very early Beta firmware also apply - you'd be brave to run this in a production environment.
We have a client using Azure to host Microsoft Navision. They have 3 sites utilising an MX84 at the head office and two MX64s at the remote sites. Currently the MX84 connects to Azure using an IKEv1 non-meraki peer which works perfectly for that site, but as is well documented the problem we have is that the non-peer route isn't advertised to the neighbouring MX64s - so no one at the two remote sites can access Navision over the Meraki Auto-VPN links and you can't have multiple IKEv1 connections to Azure.
Not wanting to spend money an a vMX100 which would only be used to terminate the VPN we've worked around it till now using the Client VPN feature - users at the two remote sites that need access to Navision simply "dial in" to the MX84. Of course that does make the two MX64s somewhat redundant for those users!
So yes, we've been waiting patiently for this feature too and I think it should be a source of embarrassment that its taken this long to implement it when cheaper less functional firewalls in the Cisco range have had it for a long time. Cisco Meraki is shown as "Not Compatible" when it comes to the list of site to site Azure VPN Gateway devices on Microsofts website - equally embarrassing I feel given the target market for these devices.
You can't help but feel this has been a commercial decision to force people into buying the vMX100.
Anyway there is finally light at the end of the tunnel it seems - lets see how quickly MX 15.x is rolled into release candidate status and IKEv2 is finally a standard feature.
I'm running wired 15.12 and just asked support to enable IKEv2 for an existing non-Merai VPN and got back a "no can do".
@PhilipDAth Well that's annoying..... you and I are being told different things. Did they give any reason?
Have you actually managed to get it turned on?
Not yet - haven't got a non-production MX available at this moment in time. Should have something to play with a couple of days.
@Andrew3 Based on the info Meraki Support have given me - yes - 15.12 has it but you will also need to call in to get them to enable a "back end" feature. It will be interesting to see what sort of response you get - it seems the advice from Meraki Support is a bit mixed at present.
I called support yesterday, below was their response.
Name of the Customer: Jason
Callback Number: ********
------------------------
What problems were discussed:
-Is IKEv2 coming, and is it usable now.
------------------------
What actions were taken:
-It can be activated on the back-end for specific VPN tunnels in the latest beta 15.12.
-Currently there isn't any documentation or information available publicly.
------------------------
What are the next steps:
-None.
I'll get MX68CW on friday. i'll try then.
There is IKEv2 support for 3rd Party VPN on 15.12+ beta and this is enabled via support. UI is in the works but not here yet.
Security Level v2 is also available on Auto-VPN in 14.latest. Again enabled in the backend for now
[Mod note: See also the documentation here, which says: "Please note that IKEv2 is only supported on MX Security Appliances that are running firmware version 15.12 or higher. This version of IKE must also be enabled by Cisco Meraki support in order to function."]
Hello
I've got finally meraki MX68CW I'm on 15.13 firmware right now.
How i can enable IKEv2 for non meraki devices ? I have to sent a service request ?
@Andrew3 Based on the information we have so far - yes. In fact its probably best to call them as they need to enable IKEv2 manually and I'm assuming it would probably be sensible to be talking to someone so you can test it there and then - apparently there is nothing in the GUI yet.
15.13 is new - released on Friday by the looks of it - still no mention of IKEv2 in the write up...
I've sent ticket from the device.
We'll see what they respond.
For now ticket is assigned
This was today in Webinar not sure if you have to call but it does say that.
I can't believe Meraki built a "Firewall" that doesn't support all of the modern security protocols. That is bad but the thing that really blows me away is that anyone would buy it. Is there anyone else out there that thinks that not including modern security protocols in a firewall is a bad idea?
Are you kidding me? I have to contact Meraki TAC to get IKEv2 enabled? This is garbage
I can confirm that on MX 15.20 at least, we were able to get ikev2 working. We have a customer that connects to Azure directly, and they didn't want to by the vMX100 so ikev2 was a requirement. We had to open a call with Meraki support and kind of raise hell with them but they complied with our request and so far things seem to be working well, it's been almost 2 weeks now without any problems.
I'll hang in her with a question.
Since when is this option active? (IKE Version)
We experienced an issue this weekend and had no clue where the problem has been caused because no settings on either site had been changed.
Every site showed a green light on connected but no access from/to azure or on-prem was possible. Today we switched the IKE Version to v2 and everything worked fine again, turning it back to v1 closed all traffic again. The weird thing at all, Azure is configured for IKEv1.
We are now a bit confused what's causing this behavior. We also opened a case at Microsoft.
Customers equipment:
MX67 running 14.42
It's only active in recent 15.x code to the best of my knowledge.
Yes, that's what the docs say, but why am I loosing connection if switching now between v1 and v2? Something could be wrong in the code.
@MeredithW any date when this was released? I need to know whom am I going to blame for the support invoice 🙂
About to order a MX67, just in time for IKEv2 support.
I'd love to find someone getting this working.
Requested support team to enable IKEv2 in one of the MX68 (running 15.13) . Now I am able to setup tunnel . All looks good 🙂
Apr 19 08:11:42 sou3208190.lnk.xxxxxxxx.net 1555661502.214205514 DoubleBay_MX flows src=xxx.156.172.4 dst=xxx.54.176.242 protocol=udp sport=500 dport=500 pattern: 0 udp && (dst port 500 || dst port 4500) && dst xxx.54.176.242 Apr 19 08:11:42 sou3208190.lnk.xxxxxxxxxx.net 1555661502.807873433 DoubleBay_MX events Site-to-Site VPN: <remote-peer-2|1> IKE_SA remote-peer-2[1] established between xxx.54.176.242[xxx.54.176.242]...xxx.156.172.4[xxx.156.172.4]
I can confirm Meraki will enable IKEv2 per MX on v15.x firmware via support call. A couple interesting notes:
-When you switch MX to IKEv2 you no longer have ability to do IKEv1 tunnels (all or nothing)
-Despite Site-to-Site VPN settings being org-wide, this is currently done per MX (i.e. if you enable IKEv2 on one MX but have IKEv1 tunnels on other MX's in same org, they will NOT be affected).
The way it was explained to me is that the ike_v2 option is only enabled Per Configuration. and they will name your configuration specifically. so I have a Azure IKE_V2 Tunnel and its connected.
and I have Old tunnels on same MX which are still using IKE_V1. Although I would prefer your described option as having them all be IKE_v2
Hi, would you mind sharing what exact configuration did the trick.. on both MX and Azure end.
In our lab we have an MX64 with the 15.13 beta firmware and IKEv2 enabled.
I've worked with Meraki and MS support but still no dice.
Your Azure Gateway is Route Based yes? There is not much to the configuration to get tunnel UP.
Public IP address of MX and Azure Gateway, and Shared Key in Sync.
if you MX has multiple Internet 1 and Internet 2 and you have it set to failover make sure your using the ACTIVE public IP and not the ip of the failover WAN.
once the tunnel is up Routing is the next battle.
Thanks for the reply.
Gateway is route based.
i tried a few different things.. starting simple with:
Azure side: default setting on the gateway connection.
Meraki: Azure policy (with Meraki support enabling IKEv2 on the back-end)
this resulted in the tunnel showing as connecting in azure and as establishing and tearing down on Meraki side.
After a call to Meraki, they informed me that IKEv2 is hard set to 3600s lifetime on their side on both phases and I need to match that in Azure, they also recommend that I hard specify an encryption algorithm on Azure side, which I did by creating an ipsecpolicy via powershell with AES256 SHA1 dfgroup 2 for phase 1 and AES256 SHA1 no PFS for phase 2.
this unfortunately had the same result.
I presume that you have a Local Network Gateway which contains your Public IP of your MX device. for troubleshooting I might suggest to make a new Vnet just for temp testing. Add a new gateway to that Vnet Then add a new connection selecting your Local Network gateway which includes the public IP of your MX.
double check the shared Key.
The tunnel should connect even if your routed subnets are incomplete.
You might also delete your current gateway and create a new one but this will break the connection with any webapps you have to that Vnet, IF your not using the gateway for anything other than the MX it should not disrupt any services. IT takes 30 minutes to build a gateway.
Also before you make any changes I would just reset your VPN gateway to see if it establishes a connection.
Click on Gateway then look in side Blade for reset.
I did not have to do any powershell settings soon as I updated to beta firmware the MX came online.
really strange and I am not sure if it is a limitation somewhere with Meraki, but when i decreased the address space from /22 to a /23 and updated accordingly in Meraki the tunnel came up.
That is interesting actually. I did not configure any subnets till after the tunnel, I should add a /22 and see if it takes the tunnel down.
For reference here is the procedure to change the lifetime on Azure as recommended by Meraki support.
Connect to azure Powershell and execute the following commands :
Get existing connexion :
$vpnconnection = Get-AzVirtualNetworkGatewayConnection -Name CONNEXION_NAME-ResourceGroupName RESSOURCE_GROUPE
Create IKEv2 Policy (Default for Meraki is AES256 Encryption for both phase and SHA1 Integrity.
$ipsecpolicy = New-AzIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA1 `
-IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
-PfsGroup None -SALifeTimeSeconds 3600
Set policy for connexion
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection6 -IpsecPolicies $ipsecpolicy6 -UsePolicyBasedTrafficSelectors $True
Note that once IKEv2 is activated in Meraki you can change the algorithms supported.
I have IKEv2 enabled on all of my Meraki MX devices (MX64, MX65, MX68) now.
My client VPNs from Windows 10 clients now work!
My non-Meraki S2S VPN tunnels are working, but my non-Meraki S2S VPN tunnels to Meraki devices in different organizations are all failing. I am currently on the phone with Meraki support trying to figure out what is broken.
Are the settings still Hidden or has Meraki changed anything there?
I have a Dialog stating these settings are overridden.
The settings are not available in the GUI yet.
You still need to ask Meraki to enable IKEv2.
I think that you can then change the configuration using the GUI (not tested)
You can change some of the settings, but the IKEv2 is still hidden. You cannot change the order of the connections, as the settings on the backend (hidden) are position specific.
Any one using IKEv2 in production?
I have 3 Meraki sites connected to Azure VPN gateway and IPSEC tunnel is not stable. The link is stable the but IPSEC tunnel flapped randomly and all 3 sites have same issue. Getting following event logs:
May 17 16:13:09 | Non-Meraki / Client VPN negotiation | msg: <remote-peer-2|2796> CHILD_SA net-2{4534} established with SPIs cbc00e6e(inbound) 56318360(outbound) and TS 192.168.90.0/24 === 10.0.0.0/16 | |
May 17 16:13:03 | Non-Meraki / Client VPN negotiation | msg: <remote-peer-2|2796> IKE_SA remote-peer-2[2796] established between 203.54.xxx.xxx[203.54.xxx.xxx]...52.187.xxx.xxx[52.187.xxx.xxx] | |
May 17 16:08:41 | time: 1558073318, pkts_recv: 141831, daq_analyzed: 141831 more » | ||
May 17 16:05:24 | Non-Meraki / Client VPN negotiation | msg: <remote-peer-2|2793> CHILD_SA net-2{4532} established with SPIs ce309784(inbound) aa7423e2(outbound) and TS 192.168.90.0/24 === 10.0.0.0/16 | |
May 17 16:05:14 | Non-Meraki / Client VPN negotiation | msg: <remote-peer-2|2793> IKE_SA remote-peer-2[2793] established between 203.54.xxx.xxx[203.54.xxx.xxx]...52.187.xxx.xxx[52.187.xxx.xxx] | |
May 17 16:05:14 | Non-Meraki / Client VPN negotiation | msg: <remote-peer-2|2792> deleting IKE_SA remote-peer-2[2792] between 203.54.xxx.xxx[203.54.xxx.xxx]...52.187.xxx.xxx[52.187.xxx.xxx] |
There is another tunnel between DrayTek Vigore and same Azure VPN gateway which is working fine.
Anybody having issue like this?
I have tried checking the issue with Microsoft support team. They informed me that Meraki is not compatible with Azure VPN gateway, which is very unfortunate 😞
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#known
Thanks
I have 2 connections to Azure, one is IKE_v2 with Azure route based Gateway and it has the same Drops as you describe above. I have another connection to azure using the vMX and the Logs show connectivity: true connectivity false quite often 8-10 times a day.
What is your frequency of those Established and Deleting and do you lose connection and have to do something to reestablish manually?
Well it is very random. Drops are very frequent; more than 8-10 times a day. Loose connection between sites. Don't have to do anything. Tunnel comes up again automatically.
It is not difficult, you should have already created a GatewaySubnet from your main Vnet, then you add that to your Virtual Network Gateway
Create a Local network Gateway with the public IP of your MX.
then you ADD Connection and put in same shared secret on both sides.
the settings on the MX are just the Public IP IP of your VirtualNetworkGateway and the shared Secret all other settings are hidden.
Many thanks for that. After a bit of trial and error the azure vpn came up, as per the above. But we also have a second IPSec tunnel, to a data centre. The first listed tunnel works and the second one doesn’t, if the ordering is changed the same happens, still looking into this though.
Are you actually using IKE v2 for the Client VPN's?
We have asked to have IKEv2 enabled and we no longer see aggressive mode which is great but we want to use full IKE v2 so we can rollout our VPNs using Microsoft Intune.
Am I missing something here?
Thank you for any help
>Are you actually using IKE v2 for the Client VPN's?
The support is only for non-Meraki site to site VPNs.
Ok the person I talked to at Meraki I support didn't even know this...
Is this something that would be relatively easy for them to fix. I presume this is just GUI related now they are actually supporting IKE v 2 on the system
@ChrisStewart there are a number of ways they could persue this.
You could make it so the system tries to establish an IKEv2 connection and then drops back to IKEv1. ASA's can do this. This would involve no GUI changes, but it would break some things so support would have to be able to change it.
They could provide an extra "toggle" so it can be set per-non Meraki VPN.
One thing I do know - they will be wanting to make it Meraki simple.
We had been using the Beta firmware and IKEV2 tunnels with success, but then our MX84 started rebooting every 11 minutes. In oneday it rebooted over 200 times with a lot of very unhappy users.
The issue was caused by an exception in a process which caused flash drive to fill and run out of space, to clear the space the unit would restart.
This is a known issue in the beta firmware, as a result we had to downgrade and have now lost the IKEV2 tunnels.
We urgently need to see IKEV2 ability in the 14 firmware, or the 15 beta issues fixed.
WE ended up using the Virtual MX in Azure and it has been very stable for Months now.