Meraki

Community

S2S VPN to Umbrella

EduardoML
Comes here often
‎Aug 14 2019 6:14 PM
‎Aug 14 2019 6:14 PM

S2S VPN to Umbrella

Hello,

 

Anybody has succeeded with implementing a Site to site VPN to Umbrella cloud?

I've seen on Umbrella documentation that it is supported but no guidance on either Umbrella or Meraki documentation sites.

 

https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/supported-ipsec-parameters

 

Regards,

Eduardo

0 Kudos
7 Replies 7
NolanHerring
Kind of a big deal
‎Aug 14 2019 9:25 PM
‎Aug 14 2019 9:25 PM

From what I can see, anything regarding that only exists with 15.X beta firmware. The little I can see, its revolving around DNS, not sure about site to site stuff. I'll upgrade my lab MX to see what I can see
Nolan Herring | nolanwifi.com
TwitterLinkedIn
In response to NolanHerring
NolanHerring
Kind of a big deal
‎Aug 14 2019 9:51 PM
‎Aug 14 2019 9:51 PM

Upgraded to 15.15 and the Umbrella integration is all just DNS related. Nothing about site-to-site tunnels etc.

 

Unless I misunderstood your original post?

 

https://documentation.meraki.com/MR/Other_Topics/Integrating_Cisco_Umbrella_with_Meraki_Networks

 

https://docs.umbrella.com/hardware-integrations/docs/meraki-cloud-managed-networks-umbrella-solution...

Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to NolanHerring
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Aug 15 2019 1:09 AM
‎Aug 15 2019 1:09 AM

@NolanHerringAs Umbrella is in the process of implementing a "Secure Internet Gateway" (SIG), it can be used as a "full blown" Proxy / L4 Firewall.

In order to be used as such, customers will have to set up IPSec tunnels to their infrastruture (at least when the firewall part should be used, Proxy could also be handled via PAC files).

 

Haven't played around with it myself on Meraki, will have to see if I can get my hands on SIG access.

0 Kudos
In response to CptnCrnch
CptnCrnch
Kind of a big deal
Kind of a big deal
‎Aug 15 2019 1:19 AM
‎Aug 15 2019 1:19 AM

@EduardoML  I just had a look at this, and it looks like it's not gonna work: first of all, you'll have to create an IPSec Profile for a non-Meraki peer.

 

Having a look at that, it only supports DH-groups up to 5. The documentation provided by Umbrella (https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/supported-ipsec-parameters) requires DH-groups 14, 15 or 19. Strangely enough, the MX I tested was running the latest beta 15.15, so it should be possible to have that in place. Perhaps you'd have to get in touch with Meraki support to have that added to your dashboard.

 

Perhaps you could test it with these settings?2019-08-15_10h18_21.png

0 Kudos
In response to CptnCrnch
Nash
Kind of a big deal
‎Aug 15 2019 5:44 AM
‎Aug 15 2019 5:44 AM

Does 15.x include dashboard UI for IKEv2 now? I thought it was still on the "call support, they'll do the config" stage.

Windows 10 Client VPN scripts: Makes life better!
0 Kudos
In response to Nash
NolanHerring
Kind of a big deal
‎Aug 15 2019 8:16 AM
‎Aug 15 2019 8:16 AM

Most likely then, you have to contact support to have them enable something hidden, or only they can can do it type of thing.
Nolan Herring | nolanwifi.com
TwitterLinkedIn
0 Kudos
In response to CptnCrnch
EduardoML
Comes here often
‎Aug 15 2019 10:27 PM
‎Aug 15 2019 10:27 PM

Hey guys

 

thanks to all for your answers.

 

I reached out to Meraki support.

First of all, they will enable FQDN to be configured on the Non-Meraki VPN peers,  then

 

The recommend custom profile is:

  • Phase 1
    • Encryption AES 256
    • Auth SHA-1
    • DH group 5
    • Lifetime default 28800
  • Phase 2
    • Encryption AES 256
    • Auth SHA-1
    • PFS group Off
    • Lifetime default 28800

After I had the parameters configured, they asked for my confirmation, and I guess then is when they enable the IKEv2 parameters for the specific VPN.

 

Also, another recommendation is to create a test VLAN to be the one available for the VPN as the traffic from this subnet will be sent to the Umbrella CDFW

 

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.