My company has acquired a few MX Series devices.
Our main office uses a Cisco ASA.
I want to use the MX devices as edge devices for VPN purposes.
It seems that you cannot make a separate PSK with the same peer IP.
Is there something I am missing? I have only been able to get the ASA and MX to work together in a hub fashion.
Can someone point me to an article or a walkthrough on how to do this with multiple MX devices (that I do not want to VPN to each other)? It seems as though this part of the product needs to be matured a little more if you cannot do this.
Hi
You may find it simpler and faster to use strongSwan.
I appreciate the suggestion.
I am not looking for a different solution yet.
If I were to go with another solution it would be additional Cisco ASAs with Firepower modules.
@Dark239 We have limited support for 3rd party VPN, so what you're trying to accomplish cannot be done. Our AutoVPN technology is seamless VPN setup and we recommend customers using Meraki to Meraki so you can get Hub/Spoke VPN, SDWAN, AMP, Sourcefire, Content Filtering, ThreatGrid integration, Geo Based firewall and now Meraki Intelligence. You're not going to get those features out of an ASA with Firepower.
What are you looking for in ASA that the MX doesn't have?
This document walks through building a VPN between an ASA and an MX.
https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Cisco_ASA_Site-to-site_VPN_with_MX_Series
You are correct - a Meraki organisation (as a whole) can only have a single PSK per remote peer. So if you have three Meraki networks, they all have to use the same PSK when talking to the ASA.
Hi @Dark239.
First, let's say it up front - Meraki may not be the right solution for you.
Typically people who use Meraki VPN technology use it for site to site connectivity for their own sites, and as a result use AutoVPN. AutoVPN takes care of the keying and the rotating of those keys.
I only put Meraki forward to my customers when the need to build a VPN to a non-Meraki device is simple (or not needed at all). If there are lots of branches and complex VPN needs then I go for both Meraki and a Cisco router. Something like a Cisco 891F is around $USD600. Cisco routers have (by far) the most powerful site to site VPN capabilities. If the customer has medium complexity site to site VPN and medium complexity user to site VPN needs then I would use an ASA, as the AnyConnect remote access is by far the most powerful remote access solution.
Yes, I would also like IKEv2 support. I don't see any point in the industry continuing to use IKEv1.
I'm confused about your monitoring comments. User monitoring in MX is substantially superior to an ASA or Firepower. Make sure you have detailed traffic analysis turned on under "Network-Wide/General".