Meraki

Community

MX to FTD using IKEv2

Doopzzy
Conversationalist
‎Oct 13 2025 9:24 AM
‎Oct 13 2025 9:24 AM

MX to FTD using IKEv2

Hello,

 

I know there were reported incompatibility issues with the using IKEv2 when it comes to establishing a S2S with a MX & FTD. The best option being recommended was using IKEv1 as of about a year ago. 

 

Recently I have been having issues with SA's not rekeying while using IKEv1 and am considering switching to IKEv2 due to the cleaner CHILD SA process. Is there any word on if there is still an issue using IKEv2 between a MX67W and FTD on S2S tunnels?

0 Kudos
11 Replies 11
DarrenOC
Kind of a big deal
Kind of a big deal
‎Oct 13 2025 9:44 AM
‎Oct 13 2025 9:44 AM

I take it you’re referring to this little issue:

 

https://community.meraki.com/t5/Security-SD-WAN/MX-to-Cisco-FTD-Site-to-Site-Using-IKEv2/m-p/245108#...

 

I’ve not seen anything of note recently but I’m sure @RaphaelL  may know?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
0 Kudos
In response to DarrenOC
Doopzzy
Conversationalist
‎Oct 13 2025 9:50 AM
‎Oct 13 2025 9:50 AM

That is correct, any insight or update would be helpful.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 13 2025 12:50 PM
‎Oct 13 2025 12:50 PM

It can't handle multiple subnets.  Could you change it to be a single pair of subnets (perhaps using a supernet on the FTD side)?

0 Kudos
In response to PhilipDAth
Doopzzy
Conversationalist
‎Oct 14 2025 5:46 AM
‎Oct 14 2025 5:46 AM

We could maybe look at that but I know we like split tunneling the traffic.

 

When you say it can't handle multiple subnets you mean IKEv2 between a MX and FTD will only work if using one subnet prefix correct?

0 Kudos
AlexP
Meraki Employee
Meraki Employee
‎Oct 21 2025 12:15 PM
‎Oct 21 2025 12:15 PM

Static crypto maps are really something most of the industry as a whole has either already, or is moving away from anyway, so if you want to use IKEv2, you can enable a health check or eBGP to form a routed tunnel instead.

0 Kudos
In response to AlexP
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Oct 22 2025 11:28 AM
‎Oct 22 2025 11:28 AM

And please start supporting outbound filtering on that BGP session and/or static routing 😜

0 Kudos
In response to GIdenJoe
AlexP
Meraki Employee
Meraki Employee
‎Oct 22 2025 2:19 PM
‎Oct 22 2025 2:19 PM

We do support static routing! That's part of what enabling health checks does.

0 Kudos
In response to AlexP
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 22 2025 3:02 PM
‎Oct 22 2025 3:02 PM

Is this *really* a static route over a VTI, or is this just manipulating a policy map?

In response to PhilipDAth
AlexP
Meraki Employee
Meraki Employee
a month ago
a month ago

An equivalent to a VTI - internally they're mapped to an ip xfrm interface

In response to AlexP
PhilipDAth
Kind of a big deal
Kind of a big deal
a month ago
a month ago

That is interesting.  I would not have expected a health check to change the underlying mechanism of how the VPN is built.

 

Is it possible to create a "null" health check that always just returns "true"?

0 Kudos
In response to AlexP
GIdenJoe
Kind of a big deal
Kind of a big deal
a month ago
a month ago

Isn't Meraki supposed to be simple?
There is nothing obvious about those health checks automatically making routes and having your traffic selectors set to 0.0.0.0 0.0.0.0.
Just give us the option to make the VPN route based explicitly.
I see when you choose BGP you can have those fields where you set the tunnel IP's, why take it away when doing static?

As said before the whole IPsec VPN configuration must be overhauled from the ground up.
It is difficult that you can't choose source subnets per VPN.  That you can't only NAT for one tunnel.  That you can't filter BGP incoming and outgoing entries and that you can't have inbound VPN firewall rules.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.