S2S VPN to Umbrella

EduardoML

Hello,

Has anybody succeeded in implementing a site-to-site VPN to the Umbrella cloud?

I've seen in the Umbrella documentation that it is supported, but there is no guidance on either the Umbrella or the Meraki documentation sites.

https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/supported-ipsec-parameters

Regards,

Eduardo

NolanHerring

From what I can see, anything regarding that only exists with 15.X beta firmware. The little I can see, it's revolving around DNS, not sure about site-to-site stuff. I'll upgrade my lab MX to see what I can see.
Nolan Herring | nolanwifi.com

Upgraded to 15.15 and the Umbrella integration is all just DNS related. Nothing about site-to-site tunnels etc.

Unless I misunderstood your original post?

https://documentation.meraki.com/MR/Other_Topics/Integrating_Cisco_Umbrella_with_Meraki_Networks

https://docs.umbrella.com/hardware-integrations/docs/meraki-cloud-managed-networks-umbrella-solution...


@NolanHerring As Umbrella is in the process of implementing a "Secure Internet Gateway" (SIG), it can be used as a "full blown" Proxy / L4 Firewall.

In order to be used as such, customers will have to set up IPSec tunnels to their infrastructure (at least when the firewall part should be used; Proxy could also be handled via PAC files).

Haven't played around with it myself on Meraki, will have to see if I can get my hands on SIG access.

CptnCrnch

@EduardoML I just had a look at this, and it looks like it's not gonna work: first of all, you'll have to create an IPSec Profile for a non-Meraki peer.

Having a look at that, it only supports DH-groups up to 5. The documentation provided by Umbrella (https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/supported-ipsec-parameters) requires DH-groups 14, 15 or 19. Strangely enough, the MX I tested was running the latest beta 15.15, so it should be possible to have that in place. Perhaps you'd have to get in touch with Meraki support to have that added to your dashboard.

Perhaps you could test it with these settings? [screenshot: 2019-08-15_10h18_21.png]

Nash

Does 15.x include dashboard UI for IKEv2 now? I thought it was still on the "call support, they'll do the config" stage.

NolanHerring

Most likely then, you have to contact support to have them enable something hidden, or only they can do it type of thing.

Hey guys

Thanks to all for your answers.

I reached out to Meraki support.

First of all, they will enable FQDN to be configured on the non-Meraki VPN peers, then

The recommended custom profile is:

  • Phase 1
    • Encryption AES 256
    • Auth SHA-1
    • DH group 5
    • Lifetime default 28800
  • Phase 2
    • Encryption AES 256
    • Auth SHA-1
    • PFS group Off
    • Lifetime default 28800

After I had the parameters configured, they asked for my confirmation, and I guess then is when they enable the IKEv2 parameters for the specific VPN.

Also, another recommendation is to create a test VLAN to be the one available for the VPN, as the traffic from this subnet will be sent to the Umbrella CDFW.
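As an added example (not from the thread, and not Meraki or Umbrella code), a small Python check that compares the profile support recommended above against the DH groups the Umbrella parameters page cited earlier lists (14, 15, 19) and flags the settings a reviewer would question; the group descriptions are the standard IANA definitions, and the "Umbrella-aligned" profile is constructed for comparison.

```python
from dataclasses import dataclass
from typing import Optional

# DH groups the thread says the Umbrella "supported IPsec parameters" page lists.
UMBRELLA_DH_GROUPS = {14, 15, 19}
# Standard IANA definitions of the IKE groups involved (general knowledge).
DH_GROUP_DESC = {
    2: "1024-bit MODP", 5: "1536-bit MODP", 14: "2048-bit MODP",
    15: "3072-bit MODP", 19: "256-bit random ECP",
}
LEGACY_HASHES = {"MD5", "SHA-1"}


@dataclass
class Phase:
    encryption: str
    auth: str
    dh_group: Optional[int]   # phase 1 DH group, or phase 2 PFS group (None = off)
    lifetime: int


def check_profile(phase1: Phase, phase2: Phase) -> list[str]:
    """Return findings: the Umbrella DH mismatch first, then weak-crypto notes."""
    findings = []
    if phase1.dh_group not in UMBRELLA_DH_GROUPS:
        findings.append(
            f"phase1: DH group {phase1.dh_group} "
            f"({DH_GROUP_DESC.get(phase1.dh_group, 'unknown')}) is not one of "
            f"the Umbrella-listed groups {sorted(UMBRELLA_DH_GROUPS)}")
    for name, ph in (("phase1", phase1), ("phase2", phase2)):
        if ph.auth in LEGACY_HASHES:
            findings.append(f"{name}: {ph.auth} integrity is a legacy hash; "
                            "prefer SHA-256 or stronger")
    if phase2.dh_group is None:
        findings.append("phase2: PFS off, so compromised IKE SA key material "
                        "also exposes the child SA keys derived from it")
    return findings


# The profile Meraki support recommended in the thread above.
SUPPORT_PROFILE = (Phase("AES-256", "SHA-1", 5, 28800),
                   Phase("AES-256", "SHA-1", None, 28800))
# Constructed profile that satisfies the Umbrella DH requirement.
UMBRELLA_ALIGNED = (Phase("AES-256", "SHA-256", 14, 28800),
                    Phase("AES-256", "SHA-256", 14, 28800))

if __name__ == "__main__":
    for finding in check_profile(*SUPPORT_PROFILE):
        print("-", finding)
```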
