MX to Cisco FTD Site-to-Site Using IKEv2

Solved
outgoingjake
Conversationalist

Hello All,


We are attempting to configure a site-to-site tunnel from our MX250 to a Cisco FTD used by our vendor. We do not want to use IKEv1 but are having difficulty getting both of our subnets to be able to communicate across the tunnel with IKEv2.


We currently have the tunnel UP, but only one subnet of the two is able to communicate across. I believe this is due to how the Meraki packages both subnets into one SA when using IKEv2. Does the Cisco FTD support multiple subnets in one SA, or would it require separate SAs for each subnet, therefore forcing us to use IKEv1?


Any and all help is appreciated.


Thank you,


Jakob

1 Accepted Solution
Jinbe
Meraki Employee

Unfortunately, there are known compatibility issues this presents to certain vendors - strongSwan is the process Meraki devices utilize to build tunnels to non-Meraki devices and for L2TP/IPsec Client VPN - as some continue to enforce the IKEv1 restriction of a single set of src/dst subnets per SA in their IKEv2 implementations.


Such implementations generally respond to requests to key an IPsec SA by only using a single pair of subnets. When this happens, it blocks any further subnets from participating in the VPN until the SA expires.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.

2 Replies
KarstenI
Kind of a big deal

Sadly, your options are either IKEv1 or consolidating your IP networks into one supernet.


It's a shame that these two Cisco solutions can only communicate with the help of deprecated technology. At least in regard to extranet VPN functionality, the MX would be the kid that gets regularly scrapped on the schoolyard ...
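To make the two points in this thread concrete (the responder that answers a multi-subnet Child SA request with a single src/dst pair, as Jinbe describes in the accepted solution, and the supernet consolidation KarstenI mentions), here is a small Python model of IKEv2 traffic-selector negotiation (RFC 7296 section 2.9). This is an added example, not Meraki, strongSwan or Cisco code, and it does not talk to any device: the MX-side and FTD-side subnets, the FTD policy, and all function names are constructed assumptions for illustration.

```python
"""Model of IKEv2 traffic-selector (TS) negotiation for one Child SA and of
what happens when the responder narrows the proposal to a single src/dst pair.

Added example, not Meraki/strongSwan/Cisco code. All subnets are constructed.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Sequence, Tuple

Selector = Tuple[IPv4Network, IPv4Network]  # (TSi = initiator local, TSr = initiator remote)

# Constructed scenario: two MX-side subnets, one vendor-side subnet.
MX_SUBNETS = ["10.10.0.0/24", "10.20.0.0/24"]
FTD_SUBNETS = ["192.168.50.0/24"]
# Constructed FTD policy, seen from the FTD: (its local, the remote it permits).
FTD_POLICY = [("192.168.50.0/24", "10.0.0.0/8")]


def build_proposal(local: Sequence[str], remote: Sequence[str]) -> List[Selector]:
    """Initiator side: every local subnet paired with every remote subnet and
    carried in ONE Child SA proposal (the single-SA packaging the question describes)."""
    return [(ip_network(l), ip_network(r)) for l in local for r in remote]


def responder_select(proposal: List[Selector], policy, single_pair: bool) -> List[Selector]:
    """Responder side. A compliant responder keeps every proposed pair its policy
    allows; a responder that carries the IKEv1 one-pair-per-SA rule into IKEv2
    keeps only the first match. Policy is mirrored: the initiator's TSr is the
    responder's local side and TSi is its remote side."""
    accepted: List[Selector] = []
    for ts_i, ts_r in proposal:
        for pol_local, pol_remote in policy:
            if ts_r.subnet_of(ip_network(pol_local)) and ts_i.subnet_of(ip_network(pol_remote)):
                accepted.append((ts_i, ts_r))
                break
    return accepted[:1] if single_pair and accepted else accepted


def flow_permitted(negotiated: List[Selector], src: str, dst: str) -> bool:
    """Would an initiator-side packet src -> dst be covered by the negotiated Child SA?"""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ts_i and d in ts_r for ts_i, ts_r in negotiated)


def unreachable_subnets(proposal: List[Selector], negotiated: List[Selector]) -> List[str]:
    """Local subnets that were proposed but are left out of the negotiated selectors.
    Traffic from these is dropped until the SA expires and is re-keyed."""
    covered = {ts_i for ts_i, _ in negotiated}
    return sorted({str(ts_i) for ts_i, _ in proposal if ts_i not in covered})


def smallest_supernet(subnets: Sequence[str]) -> IPv4Network:
    """Consolidation option: the smallest single prefix covering all given subnets."""
    nets = [ip_network(s) for s in subnets]
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()
    return agg


def extra_addresses(subnets: Sequence[str], agg: IPv4Network) -> int:
    """Address space the supernet pulls into the tunnel that was not in the original
    subnets; this becomes 'interesting traffic' on both sides, so it is worth checking."""
    return agg.num_addresses - sum(ip_network(s).num_addresses for s in subnets)


if __name__ == "__main__":
    proposal = build_proposal(MX_SUBNETS, FTD_SUBNETS)
    legacy = responder_select(proposal, FTD_POLICY, single_pair=True)
    compliant = responder_select(proposal, FTD_POLICY, single_pair=False)
    print("proposed pairs:   ", [(str(a), str(b)) for a, b in proposal])
    print("one-pair responder:", [(str(a), str(b)) for a, b in legacy])
    print("  left out:", unreachable_subnets(proposal, legacy))
    print("compliant responder left out:", unreachable_subnets(proposal, compliant))
    agg = smallest_supernet(MX_SUBNETS)
    print(f"supernet option: {agg}, pulls in {extra_addresses(MX_SUBNETS, agg)} extra addresses")
```

Running it shows the symptom from the question: with a one-pair responder the first proposed pair (10.10.0.0/24 to 192.168.50.0/24) is installed and 10.20.0.0/24 is left out, while a compliant responder keeps both. The supernet check shows the cost of KarstenI's workaround: covering 10.10.0.0/24 and 10.20.0.0/24 with one prefix means 10.0.0.0/11, which routes a great deal of unrelated address space into the tunnel unless the vendor side is filtered accordingly.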
