Issues with non-Meraki VPN and Z1 to Azure

RonnieRetsmarAt
Comes here often


Have a customer setup with a mix of MX/Z1.

All tunnels have status green, and since we have Z1s we use IKEv1.

 

We can reach clients from Azure on the local sites running MX but not on the sites running Z1.

 

Has anyone had the same issues, or am I missing out on something?

Inderdeep
Kind of a big deal

Check if it helps

https://documentation.meraki.com/MX/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Pee... 

Regards/Inder
Cisco IT Blogs awarded in 2020 & 2021
www.thenetworkdna.com
PhilipDAth
Kind of a big deal

Are the working and non-working sites running the same firmware?

Do the working and non-working sites all have static IP addresses?

Do the working and non-working sites have the public IP directly on the MX/Z or are they sitting behind something else doing NAT?

The working sites run MX64 and firmware 15.43

The non-working sites run Z1 and firmware 14.56

All the public IPs are directly on the MX/Z1.


Are you able to upgrade the Z1s to 15.x so they are the same as the working sites?

The Z1s don't support 15.x.


I suspect the cheapest fix will be to get the VMX-S.  If the number of Z1s is not large you could also consider upgrading them to Z3s.

Another option that would work would be to deploy StrongSwan on Ubuntu, and terminate the Z1 VPNs on that instead.  We have used StrongSwan a lot and it's great.

https://www.ifm.net.nz/cookbooks/meraki-vpn-to-azure.html 

 

> We have used StrongSwan a lot and it's great

As of MX 15, so are we, and I can confirm it's far easier to work with than what we dealt with in the past 😁

PhilipDAth
Kind of a big deal

ps. If you get the VMX-S all your problems will go away ...

https://meraki.cisco.com/product/security-sd-wan/virtual-appliances/vmx-small/ 

RonnieRetsmarAt
Comes here often

So, both my MX64 and Z1 are using the same VPN tunnel to Azure.

MX64 is on 15.x and the Z1 on 14.x

 

On my Z1s I get the following error in the event log:

msg: exchange Identity Protection not allowed in any applicable rmconf.

 

Will I get this working, or do I have to look at another solution?

 

See picture for my settings on the tunnel. [screenshot attachment]

"Identity protection" refers to IKEv1 Main Mode; I'm not sure if Azure still allows for IKEv1, but it sounds like it might be expecting IKEv2
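To make that diagnosis concrete, here is an added example (not from this thread or from Meraki/Azure) that decodes the fixed ISAKMP header of the first packet in an IKE exchange, as seen in a capture on UDP/500 or UDP/4500, and checks the proposed version and exchange type against what a responder is configured to accept. Exchange-type values come from the IANA ISAKMP registry; the two sample headers and the "IKEv2 only" responder policy are constructed for illustration.

```python
import struct

# ISAKMP/IKE fixed header (RFC 2408 / RFC 7296): 28 bytes, network byte order.
# initiator SPI, responder SPI, next payload, version, exchange type, flags,
# message ID, total length.
_HDR = struct.Struct("!8s8sBBBBII")

# Exchange-type codes from the IANA ISAKMP registry (subset relevant here).
EXCHANGE_TYPES = {
    2: "Identity Protection (IKEv1 Main Mode)",
    4: "Aggressive (IKEv1)",
    5: "Informational (IKEv1)",
    32: "Quick Mode (IKEv1)",
    34: "IKE_SA_INIT (IKEv2)",
    35: "IKE_AUTH (IKEv2)",
    36: "CREATE_CHILD_SA (IKEv2)",
    37: "INFORMATIONAL (IKEv2)",
}


def parse_ike_header(data: bytes) -> dict:
    """Decode the ISAKMP header; the version byte is major<<4 | minor."""
    if len(data) < _HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, _next, version, exch, _flags, _msg_id, length = _HDR.unpack_from(data)
    return {
        "major": version >> 4,
        "minor": version & 0x0F,
        "exchange": exch,
        "exchange_name": EXCHANGE_TYPES.get(exch, f"unknown ({exch})"),
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "length": length,
    }


def check_against_peer_policy(hdr: dict, allowed: set) -> str:
    """Mirror the responder's decision: `allowed` holds (major_version, exchange_type)
    pairs it accepts. A mismatch is the situation behind the daemon's
    'exchange Identity Protection not allowed' style of error."""
    if (hdr["major"], hdr["exchange"]) in allowed:
        return "ok"
    return f"exchange {hdr['exchange_name']} not allowed by responder policy"


# Constructed sample headers (not taken from any real capture).
# IKEv1 Main Mode first message: next payload SA(1), version 0x10, exchange 2.
IKEV1_MAIN_MODE = bytes.fromhex("0011223344556677") + bytes(8) \
    + bytes([1, 0x10, 2, 0x00]) + struct.pack("!II", 0, 28)
# IKEv2 IKE_SA_INIT first message: next payload SA(33), version 0x20, exchange 34, initiator flag.
IKEV2_SA_INIT = bytes.fromhex("8899aabbccddeeff") + bytes(8) \
    + bytes([33, 0x20, 34, 0x08]) + struct.pack("!II", 0, 28)
# Constructed policy for a responder that accepts IKEv2 exchanges only.
IKEV2_ONLY = {(2, 34), (2, 35), (2, 36), (2, 37)}
```

Running `check_against_peer_policy(parse_ike_header(IKEV1_MAIN_MODE), IKEV2_ONLY)` reproduces the rejection of a Main Mode proposal by a v2-only responder, while the IKEv2 sample passes.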
