Hello,
Has anybody succeeded in implementing a site-to-site VPN to Umbrella cloud?
I've seen in the Umbrella documentation that it is supported, but there is no guidance on either the Umbrella or Meraki documentation sites.
https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/supported-ipsec-parameters
Regards,
Eduardo
Upgraded to 15.15 and the Umbrella integration is all just DNS related. Nothing about site-to-site tunnels etc.
Unless I misunderstood your original post?
https://documentation.meraki.com/MR/Other_Topics/Integrating_Cisco_Umbrella_with_Meraki_Networks
@NolanHerring As Umbrella is in the process of implementing a "Secure Internet Gateway" (SIG), it can be used as a "full blown" Proxy / L4 Firewall.
In order to be used as such, customers will have to set up IPSec tunnels to their infrastructure (at least when the firewall part should be used, Proxy could also be handled via PAC files).
Haven't played around with it myself on Meraki, will have to see if I can get my hands on SIG access.
@EduardoML I just had a look at this, and it looks like it's not gonna work: first of all, you'll have to create an IPSec Profile for a non-Meraki peer.
Having a look at that, it only supports DH-groups up to 5. The documentation provided by Umbrella (https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/supported-ipsec-parameters) requires DH-groups 14, 15 or 19. Strangely enough, the MX I tested was running the latest beta 15.15, so it should be possible to have that in place. Perhaps you'd have to get in touch with Meraki support to have that added to your dashboard.
Perhaps you could test it with these settings?
Does 15.x include dashboard UI for IKEv2 now? I thought it was still on the "call support, they'll do the config" stage.
Hey guys
thanks to all for your answers.
I reached out to Meraki support.
First of all, they will enable FQDN to be configured on the Non-Meraki VPN peers, then
The recommended custom profile is:
After I had the parameters configured, they asked for my confirmation, and I guess then is when they enable the IKEv2 parameters for the specific VPN.
Also, another recommendation is to create a test VLAN to be the one available for the VPN, as the traffic from this subnet will be sent to the Umbrella CDFW.