Anyone know if the 2 are compatible for IKEv2?
According to Meraki:
Meraki Appliances build IPsec tunnels by sending out a request with a single traffic selector that contains all of the expected local and remote subnets. Certain vendors may not support allowing more than one local and remote selector in a given IPsec tunnel.
Trying to figure out if Fortigate is one of the vendors that doesn't support multiple selectors.
@mmistretta: Yes, they are.
https://community.meraki.com/t5/Security-SD-WAN/Meraki-MX-to-Fortigate-IPSEC/td-p/47665
Thank you for the reply, but the question is in regards to IKEv2.
Unless I missed it, I do not see mention of IKEv2 in the article.
@mmistretta: Yes, IPsec using IKEv2, and there is IKEv2 support for 3rd Party VPN on 15.12+ onwards and this is enabled via Meraki support.
https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/td-p/37709
Hello,
That information you cited is out of date - IKEv2 is now freely selectable on the site-to-site VPN page without Support involvement.
That's a tough one to answer. If you're able to test it, I would.
I know a Cisco ASA does not support multiple TS with IKEv2.
So there is always a chance that the Fortigate might also have a different way of doing it.
I would prefer if Meraki would make VTI route-based VPN available.
@GIdenJoe wrote: I know a Cisco ASA does not support multiple TS with IKEv2.
There has to be a different reason if that didn't work somewhere. The ASA supports this and I use it with lots of customers.
Hi All,
I appreciate everyone's input.
My question was in regards specifically to MX IKEv2 with a Fortigate firewall.
At its most basic config, the tunnel would not come up.
I did find that it is a compatible configuration, however there was a gotcha... Even though it was a direct connection to the internet on both sides, with no NAT devices and absolutely nothing in the middle, it wasn't until after configuring the local and remote IDs that the tunnel came up.
@mmistretta wrote: [...] it wasn't until after configuring the local and remote IDs that the tunnel came up.
Which is also a change in behaviour for MX15.42.1 firmware.
From release notes: