VPN/IPSec Compatibility Meraki MX250 with Mikrotik RB450

Solved
Noffal
Getting noticed

Hi,

 

Does anybody know or have experience with VPN/IPSec integration between a Meraki MX250 and a Mikrotik RB450? I have 2 units of Meraki MX250 in the DC and would like to connect them with a Mikrotik RB450 in the branch through VPN/IPSec. I am worried about whether this is possible.

 

Each response would be very appreciated:)

 

Thank you.

1 Accepted Solution
WD
Here to help

Hi,

Meraki by default uses L2TP with IPsec encryption for Meraki to Meraki VPNs, which benefit from the device trust built in from the back-end connection to the Meraki cloud. However, for VPN connections to non-Meraki peers it utilizes IPsec with IKEv1.

The default IPsec profile settings of the Mikrotik routers will often fail in phase 1 with a "phase1 negotiation failed due to time out" error.

I have found that these settings need to be customized as below to get the VPN connected:

 

/ip ipsec profile
set [ find default=yes ] lifetime=8h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h pfs-group=none

 

Hope this helps all who have to integrate not only Mikrotik routers but other routers as well. If you need any further help just let me know. Cheers

 

WD

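As an added example (not from the thread or from either vendor), here is a fuller Mikrotik-side configuration for an IKEv1 site-to-site tunnel to a Meraki MX set up as a non-Meraki peer: it puts the lifetime and proposal settings from the accepted answer into a dedicated profile and proposal instead of editing the defaults, and adds the peer, identity, policy and NAT bypass that the snippet leaves out. RouterOS 6.43-or-later syntax (separate peer and identity) is assumed; the addresses, subnets and pre-shared key are placeholders, and the sha1/aes-128/modp1024 choices are assumptions that must be checked against the Meraki dashboard's non-Meraki VPN settings.

```routeros
# Added example (not from the thread): Mikrotik RB450 side of an IKEv1
# site-to-site IPsec tunnel to a Meraki MX configured as a non-Meraki peer.
# Placeholders: 203.0.113.10 (Meraki WAN IP), 192.168.10.0/24 (branch LAN),
# 10.0.0.0/24 (DC LAN), "CHANGE-ME" (pre-shared key).

# Phase 1: a dedicated profile, so the default profile keeps serving other tunnels.
# lifetime=8h is from the accepted answer; sha1/aes-128/modp1024 are assumptions
# that must match what the Meraki dashboard shows for this peer.
/ip ipsec profile
add name=meraki-p1 hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 \
    lifetime=8h nat-traversal=yes dpd-interval=30s

# Phase 2: the proposal values from the accepted answer, in a named proposal.
/ip ipsec proposal
add name=meraki-p2 auth-algorithms=sha1 enc-algorithms=aes-128-cbc \
    lifetime=8h pfs-group=none

# Peer: IKEv1 main mode to the Meraki WAN address, using the phase 1 profile.
/ip ipsec peer
add name=meraki-dc address=203.0.113.10/32 exchange-mode=main profile=meraki-p1

# Identity: the pre-shared key entered in the Meraki non-Meraki VPN peer entry.
/ip ipsec identity
add peer=meraki-dc auth-method=pre-shared-key secret="CHANGE-ME"

# Policy: tunnel-mode encryption between the branch LAN and the DC LAN.
/ip ipsec policy
add peer=meraki-dc tunnel=yes src-address=192.168.10.0/24 dst-address=10.0.0.0/24 \
    proposal=meraki-p2 action=encrypt

# Keep the branch masquerade rule from rewriting VPN traffic before it is encrypted.
/ip firewall nat
add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=10.0.0.0/24 \
    place-before=0 comment="bypass NAT for IPsec to DC"

# Check: the peer should be listed as established and the policy as active.
/ip ipsec active-peers print
/ip ipsec policy print
```

These are the minimum settings the thread reports as working; if the Meraki dashboard allows stronger phase 1 and phase 2 algorithms (a larger DH group, SHA-256, PFS on), set both sides to match rather than relaxing the Mikrotik side.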

12 Replies
Noffal
Getting noticed

Hi,

 

Thanks for your answer. I am curious which non-Meraki devices you have ever tried to connect through VPN/IPSec?

 

Regards,

WD
Here to help

I have been successful in connecting Cisco (1841, even older 1721 routers) and Sophos XG, as well as Mikrotik RB850Gx2 and RB450Gx4. Basically anything that is not built by Meraki and connected to the Meraki cloud.

 

Setting up VPN connectivity on lower-end routers that do not permit IPsec profile customization, such as the DLink DSR 500 or 1000, has failed a lot for me.

 

WD
Noffal
Getting noticed

hi,

 

Sorry, by VPN/IPSec in this topic I mean Site-to-Site VPN. Was the VPN/IPSec which you configured between Meraki and the non-Meraki device a Site-to-Site VPN or a Remote Access VPN, as in the opinion below?

 

Thanks,

WD
Here to help

I was referring only to setting up of Site-to-Site VPN.

 

Sorry, I always assumed AutoVPN (used by Meraki for pushing site-to-site VPNs) used L2TP.

WD
CptnCrnch
Kind of a big deal


@WD wrote:

Hi,

Meraki by default uses L2TP with IPsec encryption for Meraki to Meraki VPNs, which benefit from the device trust built in from the back-end connection to the Meraki cloud. However, for VPN connections to non-Meraki peers it utilizes IPsec with IKEv1.

 


L2TP over IPSec is only being used for Remote Access VPN.

Noffal
Getting noticed

hi,

 

I mean that VPN in this topic is Site-to-Site VPN; is it treated the same?

 

Thanks,

WD
Here to help

Yes, this is for site-to-site VPN.

WD
WD
Here to help

Thanks, I always assumed AutoVPN (used by Meraki for pushing site-to-site VPNs) used L2TP.

WD

Noffal
Getting noticed

Hi,

 

Is this configuration below for the Mikrotik (non-Meraki) side?

 

/ip ipsec profile
set [ find default=yes ] lifetime=8h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h pfs-group=none

 

Thanks,

 

 

WD
Here to help

Yes, this is for the Mikrotik side. Meraki only gives you a few options that you need the other side to adhere to.

WD