MX84 IKEv2 to Fortigate compatibility

Solved
mmistretta
Here to help


Anyone know if the 2 are compatible for IKEv2?

According to Meraki:

Note for IKEv2:

Meraki Appliances build IPsec tunnels by sending out a request with a single traffic selector that contains all of the expected local and remote subnets. Certain vendors may not support allowing more than one local and remote selector in a given IPsec tunnel.

Trying to figure out if Fortigate is one of the vendors that doesn't support multiple selectors.

Accepted Solution
mmistretta
Here to help

Hi All,

I appreciate everyone's input.

My question was in regards specifically to MX IKEv2 with a Fortigate firewall.

At its most basic config, the tunnel would not come up.

I did find that it is a compatible configuration; however, there was a gotcha... Even though it was a direct connection to the internet on both sides, no NAT devices, absolutely nothing in the middle, it wasn't until after configuring the local and remote IDs that the tunnel came up.

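The following is an added example, not code from this thread or from Meraki or Fortinet. It builds and parses an IKEv2 Traffic Selector (TS) payload as laid out in RFC 7296 section 3.13, in the shape the Meraki note above describes (one TSi/TSr payload carrying every subnet), and then applies responder-side narrowing (RFC 7296 section 2.9) with an optional cap on how many selectors the responder keeps. A cap of 1 models a peer that only honours one selector per Child SA, which is exactly the compatibility question asked here; the example generalises the thread's case to any number of subnets and any responder policy. It also encodes the IDi/IDr payload (RFC 7296 section 3.5) that carries the local/remote ID the accepted answer had to configure. The subnet lists, the responder policy and the ID values are constructed for illustration and are not the poster's addresses.

```python
"""
Added example (not from the Meraki thread, Meraki or Fortinet): IKEv2 TS
payload build/parse (RFC 7296 s.3.13), responder narrowing (s.2.9) with a
per-SA selector cap, and an IDi/IDr payload (s.3.5).
All subnets, policies and IDs below are constructed for illustration.
"""
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7   # TS type, RFC 7296 section 3.13.1
ID_IPV4_ADDR = 1         # ID types, RFC 7296 section 3.5
ID_FQDN = 2
PROTO_ANY = 0            # IP protocol ID 0 = any protocol
PORT_ANY = (0, 65535)


def encode_ts_payload(subnets, next_payload=0):
    """One TS payload whose N selectors cover every subnet in `subnets`.

    This is the shape the Meraki note describes: all local (or all remote)
    subnets inside a single TSi (or TSr) payload.
    """
    selectors = []
    for cidr in subnets:
        net = ipaddress.IPv4Network(cidr)
        # TS type, protocol, selector length (16 for IPv4), start/end port,
        # starting address, ending address
        selectors.append(struct.pack(
            "!BBHHH4s4s", TS_IPV4_ADDR_RANGE, PROTO_ANY, 16, *PORT_ANY,
            net.network_address.packed, net.broadcast_address.packed))
    body = b"".join(selectors)
    # Generic payload header: next payload, C/reserved, total length;
    # then number of TSs plus 3 reserved bytes.
    header = struct.pack("!BBH", next_payload, 0, 8 + len(body))
    header += struct.pack("!B3x", len(selectors))
    return header + body


def decode_ts_payload(data):
    """Parse a TS payload into (proto, start_port, end_port, start_ip, end_ip) tuples."""
    _next, _flags, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("TS payload length field does not match data")
    count = data[4]
    selectors, off = [], 8
    for _ in range(count):
        ts_type, proto, sel_len, sport, eport = struct.unpack("!BBHHH", data[off:off + 8])
        if ts_type != TS_IPV4_ADDR_RANGE or sel_len != 16:
            raise ValueError("only TS_IPV4_ADDR_RANGE is handled here")
        start = ipaddress.IPv4Address(data[off + 8:off + 12])
        end = ipaddress.IPv4Address(data[off + 12:off + 16])
        selectors.append((proto, sport, eport, start, end))
        off += sel_len
    return selectors


def narrow(proposed, allowed_cidr, max_selectors=None):
    """Responder-side narrowing: keep the overlap of each proposed range with
    the responder's policy (a single CIDR here, constructed).

    A peer that honours only one selector per Child SA behaves like
    max_selectors=1: every other proposed subnet is dropped from the SA, so
    traffic for those subnets has no SA even though the tunnel is "up".
    """
    allowed = ipaddress.IPv4Network(allowed_cidr)
    lo, hi = int(allowed.network_address), int(allowed.broadcast_address)
    kept = []
    for proto, sport, eport, start, end in proposed:
        s, e = max(int(start), lo), min(int(end), hi)
        if s <= e:
            kept.append((proto, sport, eport,
                         ipaddress.IPv4Address(s), ipaddress.IPv4Address(e)))
    return kept if max_selectors is None else kept[:max_selectors]


def encode_id_payload(id_type, value):
    """IDi/IDr payload (RFC 7296 s.3.5): the local/remote ID both peers must agree on."""
    data = ipaddress.IPv4Address(value).packed if id_type == ID_IPV4_ADDR else value.encode()
    return struct.pack("!BBH", 0, 0, 8 + len(data)) + struct.pack("!B3x", id_type) + data


if __name__ == "__main__":
    local = ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24"]  # constructed
    proposed = decode_ts_payload(encode_ts_payload(local))
    print(len(proposed), "selectors proposed in one TSi payload")
    for sel in narrow(proposed, "10.0.0.0/8", max_selectors=1):
        print("single-selector responder keeps only", sel[3], "-", sel[4])
    print(encode_id_payload(ID_FQDN, "mx.example.net").hex())
```

Run it with a three-subnet list and the single-selector cap and you see the failure mode the thread is circling: the responder narrows to the first subnet and the other two never get a Child SA. Whether a given FortiGate build keeps all selectors or only one is precisely what needs testing against the real peer; the script only shows what each outcome looks like on the wire.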

8 Replies
Inderdeep
Kind of a big deal

@mmistretta: Yes, they are.

https://community.meraki.com/t5/Security-SD-WAN/Meraki-MX-to-Fortigate-IPSEC/td-p/47665


Regards/Inder
mmistretta
Here to help

Thank you for the reply, but the question is in regards to IKEv2.

Unless I missed it, I do not see mention of IKEv2 in the article.

Inderdeep
Kind of a big deal

@mmistretta: Yes, IPsec using IKEv2. There is IKEv2 support for 3rd-party VPN on 15.12+ onwards, and this is enabled via Meraki Support.

https://community.meraki.com/t5/Security-SD-WAN/IKEv2-support-on-MX-devices/td-p/37709 

Regards/Inder
AlexP
Meraki Employee

Hello,


The information you cited is out of date - IKEv2 is now freely selectable on the site-to-site VPN page without Support involvement.

GIdenJoe
Kind of a big deal

That's a tough one to answer. If you're able to test it, I would.

I know a Cisco ASA does not support multiple TS with IKEv2.
So there is always a chance that the Fortigate might also have a different way of doing it.

I would prefer if Meraki would make VTI (route-based) VPN available.

KarstenI
Kind of a big deal


@GIdenJoe wrote:

I know a Cisco ASA does not support multiple TS with IKEv2.

There has to be a different reason if that didn't work somewhere. The ASA supports this and I use it with lots of customers.


rhbirkelund
Kind of a big deal


@mmistretta wrote:

[...] it wasn't until after configuring the local and remote IDs, the tunnel came up.


Which is also a change in behaviour for MX15.42.1 firmware.

From the release notes:

[screenshot of the MX 15.42.1 release notes]

