IKEv2 support on MX devices

SOLVED
Conversationalist

IKEv2 support on MX devices

IKEv2 support on MX devices any update

Accepted Solution
Meraki Employee

Re: IKEv2 support on MX devices

There is IKEv2 support for 3rd Party VPN on 15.12+ beta and this is enabled via support. UI is in the works but not here yet.
Security Level v2 is also available on Auto-VPN in 14.latest. Again enabled in the backend for now

 

[Mod note: See also the documentation here, which says: "Please note that IKEv2 is only supported on MX Security Appliances that are running firmware version 15.12 or higher. This version of IKE must also be enabled by Cisco Meraki support in order to function."]

47 REPLIES 47
Kind of a big deal

Re: IKEv2 support on MX devices

You'll need an official response from a Meraki employee. Right now I would guess that it probably won't be anytime soon, however I think I heard a rumor that they might be trying to get this by end of year? I know they are aware of it though.
Nolan Herring | nolanwifi.com
Kind of a big deal

Re: IKEv2 support on MX devices

Pure speculation - but 14.x is being pushed out like crazy to MX. Soon that means 13.x will drop off as an option, which means 15.x can be added .... and 15.x has IKEv2.

Kind of a big deal

Re: IKEv2 support on MX devices

Oh really? Did not know that =)
Nolan Herring | nolanwifi.com
Ben
A model citizen

Re: IKEv2 support on MX devices

 


@PhilipDAth wrote:

Pure speculation - but 14.x is being pushed out like crazy to MX. Soon that means 13.x will drop off as an option, which means 15.x can be added .... and 15.x has IKEv2.


Are the firmware versions the same for all countries? I keep thinking we are behind on versioning in the EU..

Stable release candidate 14.39 but beta => coming soon without version numbers of features listed.

Kind of a big deal

Re: IKEv2 support on MX devices

I believe it is the same in all countries - but it gets rolled out shard by shard.  Usually once they start all the shards are done within 24 hours.

Here to help

Re: IKEv2 support on MX devices

Just to flesh this response out a little bit - I've asked Meraki tech support and specifically IKEv2 support is available in MX Wired 15.12 and above. They have also said that for IKEv2 to work would require adding a back end feature. I assume this means manually activating something in the specific MX cloud account so perhaps the configuration options are visible. I'm assuming that we will need to get them on the phone to get this firmware applied and IKEv2 features activated. The usual caveats surrounding the fact this is very early Beta firmware also apply - you'd be brave to run this in a production environment. 

 

We have a client using Azure to host Microsoft Navision. They have 3 sites utilising an MX84 at the head office and two MX64s at the remote sites. Currently the MX84 connects to Azure using an IKEv1 non-meraki peer which works perfectly for that site, but as is well documented the problem we have is that the non-peer route isn't advertised to the neighbouring MX64s - so no one at the two remote sites can access Navision over the Meraki Auto-VPN links and you can't have multiple IKEv1 connections to Azure.

Not wanting to spend money on a vMX100 which would only be used to terminate the VPN, we've worked around it till now using the Client VPN feature - users at the two remote sites that need access to Navision simply "dial in" to the MX84. Of course that does make the two MX64s somewhat redundant for those users!

So yes, we've been waiting patiently for this feature too and I think it should be a source of embarrassment that it's taken this long to implement it when cheaper, less functional firewalls in the Cisco range have had it for a long time. Cisco Meraki is shown as "Not Compatible" when it comes to the list of site-to-site Azure VPN Gateway devices on Microsoft's website - equally embarrassing I feel given the target market for these devices.

You can't help but feel this has been a commercial decision to force people into buying the vMX100. 

Anyway there is finally light at the end of the tunnel it seems - let's see how quickly MX 15.x is rolled into release candidate status and IKEv2 is finally a standard feature.

Kind of a big deal

Re: IKEv2 support on MX devices

I'm running wired 15.12 and just asked support to enable IKEv2 for an existing non-Meraki VPN and got back a "no can do".

Here to help

Re: IKEv2 support on MX devices

@PhilipDAth Well that's annoying..... you and I are being told different things. Did they give any reason?

Kind of a big deal

Re: IKEv2 support on MX devices

Have you actually managed to get it turned on?

Here to help

Re: IKEv2 support on MX devices

Not yet - haven't got a non-production MX available at this moment in time. Should have something to play with in a couple of days.

Comes here often

Re: IKEv2 support on MX devices

I'll get an MX68CW in 2 days so I can test firmware 15 in theory. Should IKEv2 work on v15?
Here to help

Re: IKEv2 support on MX devices

@Andrew3  Based on the info Meraki Support have given me - yes - 15.12 has it but you will also need to call in to get them to enable a "back end" feature. It will be interesting to see what sort of response you get - it seems the advice from Meraki Support is a bit mixed at present. 

Just browsing

Re: IKEv2 support on MX devices

I called support yesterday, below was their response. 

 

Name of the Customer: Jason
Callback Number: ********
------------------------
What problems were discussed:
-Is IKEv2 coming, and is it usable now.

------------------------
What actions were taken:
-It can be activated on the back-end for specific VPN tunnels in the latest beta 15.12.
-Currently there isn't any documentation or information available publicly.

------------------------
What are the next steps:
-None.

Here to help

Re: IKEv2 support on MX devices

That's positive news. I guess we are kind of making information public here....
Anyway - is anybody able to give it a try? I've got an MX64 here but no time to do it!
Comes here often

Re: IKEv2 support on MX devices

I'll get the MX68CW on Friday. I'll try then.


Comes here often

Re: IKEv2 support on MX devices

Hello

 

I've finally got the Meraki MX68CW. I'm on 15.13 firmware right now.

How can I enable IKEv2 for non-Meraki devices? Do I have to send a service request?

Here to help

Re: IKEv2 support on MX devices

@Andrew3 Based on the information we have so far - yes. In fact it's probably best to call them as they need to enable IKEv2 manually, and I'm assuming it would probably be sensible to be talking to someone so you can test it there and then - apparently there is nothing in the GUI yet.

 

15.13 is new - released on Friday by the looks of it - still no mention of IKEv2 in the write up... 

Comes here often

Re: IKEv2 support on MX devices

I've sent ticket from the device. 

We'll see what they respond. 

For now the ticket is assigned.

 

Getting noticed

Re: IKEv2 support on MX devices

This was in today's webinar; not sure if you have to call, but it does say that.

[Attachment: webinar.jpg]

Here to help

Re: IKEv2 support on MX devices

@Andrew3 - did you get any joy or success with your IKEv2 test?

Conversationalist

Re: IKEv2 support on MX devices

About to order a MX67, just in time for IKEv2 support.

 

I'd love to find someone getting this working.

Conversationalist

Re: IKEv2 support on MX devices

Requested the support team to enable IKEv2 on one of the MX68s (running 15.13). Now I am able to set up the tunnel. All looks good :-)

 

Apr 19 08:11:42 sou3208190.lnk.xxxxxxxx.net  1555661502.214205514 DoubleBay_MX flows src=xxx.156.172.4 dst=xxx.54.176.242 protocol=udp sport=500 dport=500 pattern: 0 udp && (dst port 500 || dst port 4500) && dst xxx.54.176.242
Apr 19 08:11:42 sou3208190.lnk.xxxxxxxxxx.net  1555661502.807873433 DoubleBay_MX events Site-to-Site VPN: <remote-peer-2|1> IKE_SA remote-peer-2[1] established between xxx.54.176.242[xxx.54.176.242]...xxx.156.172.4[xxx.156.172.4]
Getting noticed

Re: IKEv2 support on MX devices

I can confirm Meraki will enable IKEv2 per MX on v15.x firmware via support call. A couple interesting notes:

-When you switch MX to IKEv2 you no longer have ability to do IKEv1 tunnels (all or nothing)

-Despite Site-to-Site VPN settings being org-wide, this is currently done per MX (i.e. if you enable IKEv2 on one MX but have IKEv1 tunnels on other MX's in same org, they will NOT be affected).

Conversationalist

Re: IKEv2 support on MX devices

Hi, would you mind sharing what exact configuration did the trick, on both the MX and Azure ends?
In our lab we have an MX64 with the 15.13 beta firmware and IKEv2 enabled.
I've worked with Meraki and MS support but still no dice.

Getting noticed

Re: IKEv2 support on MX devices

The way it was explained to me is that the ike_v2 option is only enabled per configuration, and they will name your configuration specifically. So I have an Azure IKE_V2 tunnel and it's connected.

And I have old tunnels on the same MX which are still using IKE_V1. Although I would prefer your described option of having them all be IKE_v2.

 

Getting noticed

Re: IKEv2 support on MX devices

Your Azure Gateway is route based, yes? There is not much to the configuration to get the tunnel UP.

Public IP address of the MX and Azure Gateway, and Shared Key in sync.

If your MX has both Internet 1 and Internet 2 and you have it set to failover, make sure you're using the ACTIVE public IP and not the IP of the failover WAN.

Once the tunnel is up, routing is the next battle.

 

Conversationalist

Re: IKEv2 support on MX devices

Thanks for the reply.

Gateway is route based.

I tried a few different things, starting simple with:

Azure side: default settings on the gateway connection.

Meraki: Azure policy (with Meraki support enabling IKEv2 on the back-end).

This resulted in the tunnel showing as connecting in Azure and as establishing and tearing down on the Meraki side.

 

After a call to Meraki, they informed me that IKEv2 is hard set to a 3600s lifetime on their side for both phases and I need to match that in Azure. They also recommended that I hard specify an encryption algorithm on the Azure side, which I did by creating an ipsecpolicy via PowerShell with AES256 SHA1 DH group 2 for phase 1 and AES256 SHA1 no PFS for phase 2.

This unfortunately had the same result.

 

 

Getting noticed

Re: IKEv2 support on MX devices

I presume that you have a Local Network Gateway which contains the public IP of your MX device. For troubleshooting I might suggest making a new Vnet just for temp testing. Add a new gateway to that Vnet, then add a new connection selecting your Local Network Gateway which includes the public IP of your MX.

Double check the shared key.

The tunnel should connect even if your routed subnets are incomplete.

 

You might also delete your current gateway and create a new one, but this will break the connection with any webapps you have to that Vnet. If you're not using the gateway for anything other than the MX it should not disrupt any services. It takes 30 minutes to build a gateway.

 

Also, before you make any changes I would just reset your VPN gateway to see if it establishes a connection.

Click on Gateway then look in the side blade for reset.

 

I did not have to do any PowerShell settings; as soon as I updated to the beta firmware the MX came online.

 

[Attachment: ike_v2 MX tunnel to azure.JPG]

Conversationalist

Re: IKEv2 support on MX devices

Really strange, and I am not sure if it is a limitation somewhere with Meraki, but when I decreased the address space from a /22 to a /23 and updated accordingly in Meraki the tunnel came up.

Getting noticed

Re: IKEv2 support on MX devices

That is interesting actually. I did not configure any subnets till after the tunnel; I should add a /22 and see if it takes the tunnel down.

 

Conversationalist

Re: IKEv2 support on MX devices

For reference, here is the procedure to change the lifetime on Azure as recommended by Meraki support.

 

Connect to Azure PowerShell and execute the following commands:

Get the existing connection:

# Placeholders: replace CONNECTION_NAME and RESOURCE_GROUP with your own values
$vpnconnection = Get-AzVirtualNetworkGatewayConnection -Name CONNECTION_NAME -ResourceGroupName RESOURCE_GROUP

Create the IKEv2 policy (the default for Meraki is AES256 encryption for both phases and SHA1 integrity):

# SA lifetime of 3600s matches the value hard set on the Meraki side
$ipsecpolicy = New-AzIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA1 `
-IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
-PfsGroup None -SALifeTimeSeconds 3600

Set the policy on the connection:

 

Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $vpnconnection -IpsecPolicies $ipsecpolicy -UsePolicyBasedTrafficSelectors $True

Note that once IKEv2 is activated in Meraki you can change the algorithms supported.

 

Conversationalist

Re: IKEv2 support on MX devices

I have IKEv2 enabled on all of my Meraki MX devices (MX64, MX65, MX68) now.

 

My client VPNs from Windows 10 clients now work!

 

My non-Meraki S2S VPN tunnels are working, but my non-Meraki S2S VPN tunnels to Meraki devices in different organizations are all failing. I am currently on the phone with Meraki support trying to figure out what is broken.

Getting noticed

Re: IKEv2 support on MX devices

Are the settings still Hidden or has Meraki changed anything there?

I have a Dialog stating these settings are overridden.

Kind of a big deal

Re: IKEv2 support on MX devices

The settings are not available in the GUI yet.

Conversationalist

Re: IKEv2 support on MX devices

You still need to ask Meraki to enable IKEv2.

I think that you can then change the configuration using the GUI (not tested).

[Attachment: merakiPhase2.png]

Conversationalist

Re: IKEv2 support on MX devices

You can change some of the settings, but the IKEv2 is still hidden. You cannot change the order of the connections, as the settings on the backend (hidden) are position specific.

Here to help

Re: IKEv2 support on MX devices

Anyone using IKEv2 in production?

 

I have 3 Meraki sites connected to an Azure VPN gateway and the IPsec tunnel is not stable. The link is stable but the IPsec tunnel flaps randomly, and all 3 sites have the same issue. Getting the following event logs:

 

May 17 16:13:09 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2796> CHILD_SA net-2{4534} established with SPIs cbc00e6e(inbound) 56318360(outbound) and TS 192.168.90.0/24 === 10.0.0.0/16
May 17 16:13:03 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2796> IKE_SA remote-peer-2[2796] established between 203.54.xxx.xxx[203.54.xxx.xxx]...52.187.xxx.xxx[52.187.xxx.xxx]
May 17 16:08:41  time: 1558073318, pkts_recv: 141831, daq_analyzed: 141831  more »
May 17 16:05:24 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2793> CHILD_SA net-2{4532} established with SPIs ce309784(inbound) aa7423e2(outbound) and TS 192.168.90.0/24 === 10.0.0.0/16
May 17 16:05:14 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2793> IKE_SA remote-peer-2[2793] established between 203.54.xxx.xxx[203.54.xxx.xxx]...52.187.xxx.xxx[52.187.xxx.xxx]
May 17 16:05:14 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2792> deleting IKE_SA remote-peer-2[2792] between 203.54.xxx.xxx[203.54.xxx.xxx]...52.187.xxx.xxx[52.187.xxx.xxx]

 

There is another tunnel between a DrayTek Vigor and the same Azure VPN gateway which is working fine.

 

Anybody having issue like this?

 

I have tried checking the issue with Microsoft support team. They informed me that Meraki is not compatible with Azure VPN gateway, which is very unfortunate :-(

 

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#known

 

Thanks

 
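The log lines above mix two different things: IKE_SA re-establishments roughly 3600s apart are expected rekeys (the lifetime Meraki hard sets, as mentioned earlier in the thread), while much shorter gaps are real flaps. This added example (not from any post in the thread) parses constructed lines in the same event-log format and separates the two; the year, the placeholder IPs and the 120s tolerance are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the Meraki event-log format quoted above (newest first, as the
# dashboard shows it). IPs are placeholders; the log carries no year, so one is assumed.
SAMPLE_LOG = """\
May 17 16:13:09 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2796> CHILD_SA net-2{4534} established with SPIs cbc00e6e(inbound) 56318360(outbound) and TS 192.168.90.0/24 === 10.0.0.0/16
May 17 16:13:03 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2796> IKE_SA remote-peer-2[2796] established between 203.54.0.1[203.54.0.1]...52.187.0.2[52.187.0.2]
May 17 16:05:14 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2793> IKE_SA remote-peer-2[2793] established between 203.54.0.1[203.54.0.1]...52.187.0.2[52.187.0.2]
May 17 16:05:14 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2792> deleting IKE_SA remote-peer-2[2792] between 203.54.0.1[203.54.0.1]...52.187.0.2[52.187.0.2]
May 17 15:05:10 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2792> IKE_SA remote-peer-2[2792] established between 203.54.0.1[203.54.0.1]...52.187.0.2[52.187.0.2]
May 17 14:05:08 Non-Meraki / Client VPN negotiationmsg: <remote-peer-2|2791> IKE_SA remote-peer-2[2791] established between 203.54.0.1[203.54.0.1]...52.187.0.2[52.187.0.2]
"""

# Only IKE_SA lines matter here; CHILD_SA, flow and counter lines do not match this pattern.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"<(?P<peer>[^|>]+)\|\d+> (?P<kind>deleting IKE_SA|IKE_SA) "
)


def parse_ike_events(text, year=2019):
    """Return (timestamp, peer, 'established'|'deleted') tuples in chronological order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        kind = "deleted" if m["kind"].startswith("deleting") else "established"
        events.append((ts, m["peer"], kind))
    events.sort()
    return events


def establishment_intervals(events, peer):
    """Seconds between consecutive IKE_SA establishments for one peer."""
    times = [ts for ts, p, kind in events if p == peer and kind == "established"]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def classify(intervals, lifetime=3600, tolerance=120):
    """Intervals near the SA lifetime are rekeys; clearly shorter ones are flaps."""
    rekeys = [i for i in intervals if abs(i - lifetime) <= tolerance]
    flaps = [i for i in intervals if i < lifetime - tolerance]
    return {"rekeys": len(rekeys), "flaps": len(flaps),
            "shortest": min(intervals) if intervals else None}


if __name__ == "__main__":
    evts = parse_ike_events(SAMPLE_LOG)
    gaps = establishment_intervals(evts, "remote-peer-2")
    print(gaps, classify(gaps))  # [3602, 3604, 469] -> 2 rekeys, 1 flap
```

Feed it a day's export of the event log and a "shortest" well under 3600s with a growing flap count is the symptom being reported here, rather than normal rekeying.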

Getting noticed

Re: IKEv2 support on MX devices

I have 2 connections to Azure; one is IKE_v2 with an Azure route based gateway and it has the same drops as you describe above. I have another connection to Azure using the vMX, and the logs show "connectivity: true" / "connectivity: false" quite often, 8-10 times a day.

What is your frequency of those Established and Deleting and do you lose connection and have to do something to reestablish manually?

 

 

Here to help

Re: IKEv2 support on MX devices

Well it is very random. Drops are very frequent; more than 8-10 times a day. Lose connection between sites. Don't have to do anything; the tunnel comes up again automatically.

 

Conversationalist

Re: IKEv2 support on MX devices

Hi guys, can somebody please post the settings used at each end to get an Azure VPN up. Just had Meraki enable IKEv2 on an MX84 on the new beta firmware and I’d like to do some testing, many thanks!
Getting noticed

Re: IKEv2 support on MX devices

It is not difficult: you should have already created a GatewaySubnet from your main Vnet, then you add that to your Virtual Network Gateway.

Create a Local Network Gateway with the public IP of your MX.

Then you ADD Connection and put in the same shared secret on both sides.

The settings on the MX are just the public IP of your Virtual Network Gateway and the shared secret; all other settings are hidden.

 

[Attachment: image.png - Azure Add Connection]

Conversationalist

Re: IKEv2 support on MX devices

Many thanks for that. After a bit of trial and error the Azure VPN came up, as per the above. But we also have a second IPsec tunnel, to a data centre. The first listed tunnel works and the second one doesn't; if the ordering is changed the same happens. Still looking into this though.

Conversationalist

Re: IKEv2 support on MX devices

Are you actually using IKEv2 for the Client VPNs?

 

We have asked to have IKEv2 enabled and we no longer see aggressive mode which is great but we want to use full IKE v2 so we can rollout our VPNs using Microsoft Intune.

 

Am I missing something here?  


Thank you for any help

Kind of a big deal

Re: IKEv2 support on MX devices

>Are you actually using IKEv2 for the Client VPNs?

 

The support is only for non-Meraki site to site VPNs.

Conversationalist

Re: IKEv2 support on MX devices

Ok, the person I talked to at Meraki support didn't even know this...

 

Is this something that would be relatively easy for them to fix? I presume this is just GUI related now that they are actually supporting IKEv2 on the system.

Kind of a big deal

Re: IKEv2 support on MX devices

@ChrisStewart there are a number of ways they could pursue this.

 

You could make it so the system tries to establish an IKEv2 connection and then drops back to IKEv1. ASAs can do this. This would involve no GUI changes, but it would break some things so support would have to be able to change it.

 

They could provide an extra "toggle" so it can be set per-non Meraki VPN.

 

One thing I do know - they will be wanting to make it Meraki simple.
