VPN/IPSec Compatibility Meraki MX250 with Mikrotik RB450

Solved
Noffal
Getting noticed

VPN/IPSec Compatibility Meraki MX250 with Mikrotik RB450

Hi,

 

Anybody know or have experience about VPN/IPSec integration between Meraki MX250 with Mikrotik RB450? I have 2 unit Meraki MX250 in DC and would be connect with Mikrotik RB450 in Branch through VPN/IPSec. I am worried whether this is possible?

 

Each response would be very appreciated:)

 

Thank you.

1 Accepted Solution
WD
Here to help

Hi,

Meraki by default uses L2TP with IPsec encryption for Meraki to Meraki VPNs which benefit from the device trust inbuilt from the back end connection to the Meraki cloud. However, for VPN connections to non-Meraki peers utilizes IPsec with IKEv1 for VPNs.

The default IPsec profile settings of the Mikrotik routers will often fail in phase 1 with a "phase1 negotiation failed due to time out".

I have found that these settings need to be customized as below to get the VPN connected:

 

/ip ipsec profile
set [ find default=yes ] lifetime=8h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h pfs-group=none

 

Hope this helps all who have to integrate not only Mikrotik routers but other routers as well. If you need any further help just let me know. Cheers

 

WD

View solution in original post

12 Replies 12
WD
Here to help

Hi,

Meraki by default uses L2TP with IPsec encryption for Meraki to Meraki VPNs which benefit from the device trust inbuilt from the back end connection to the Meraki cloud. However, for VPN connections to non-Meraki peers utilizes IPsec with IKEv1 for VPNs.

The default IPsec profile settings of the Mikrotik routers will often fail in phase 1 with a "phase1 negotiation failed due to time out".

I have found that these settings need to be customized as below to get the VPN connected:

 

/ip ipsec profile
set [ find default=yes ] lifetime=8h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h pfs-group=none

 

Hope this helps all who have to integrate not only Mikrotik routers but other routers as well. If you need any further help just let me know. Cheers

 

WD
Noffal
Getting noticed

Hi,

 

Thanks for your answer, I curious what is non Meraki device which ever have you tried connect through VPN/IPSec?

 

Regards,

WD
Here to help

Have been successful in connecting Cisco (1841, even older 1721 routers), Sophos XG as well as Mikrotik RB850Gx2 and RB450Gx4. Anything that is not built by Meraki and connected to the Meraki cloud basically.

 

Setting up VPN connectivity on devices that do not permit ipsec profile customization on lower end routers such as the DLink DSR 500 or 1000 has failed a lot for me.

 

WD
Noffal
Getting noticed

hi,

 

Sorry I mean VPN/IPSec in this topic is Site-to-Site VPN, is it VPN/IPSec which you configured in Meraki and Non Meraki device was Site-to-Site VPN or Remote access VPN like opinion below?

 

Thanks,

WD
Here to help

I was referring only to setting up of Site-to-Site VPN.

 

Sorry I always assumed AutoVPN (used by Meraki for pushing site-to site VPNs) used L2TP.

WD
CptnCrnch
Kind of a big deal
Kind of a big deal


@WD wrote:

Hi,

Meraki by default uses L2TP with IPsec encryption for Meraki to Meraki VPNs which benefit from the device trust inbuilt from the back end connection to the Meraki cloud. However, for VPN connections to non-Meraki peers utilizes IPsec with IKEv1 for VPNs.

 


L2TP over IPSec is only being used for Remote Access VPN.

Noffal
Getting noticed

hi,

 

I mean VPN in this topic is Site-to-Site VPN, is it treated same?

 

Thanks,

WD
Here to help

Yes this is for site to site VPN

WD
WD
Here to help

Thanks I always assumed AutoVPN (used by Meraki for pushing site-to site VPNs) used L2TP.

WD
CptnCrnch
Kind of a big deal
Kind of a big deal

Noffal
Getting noticed

Hi,

 

Is this configuration below for Mikrotik (Non Meraki) side?

 

/ip ipsec profile
set [ find default=yes ] lifetime=8h
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=8h pfs-group=none

 

Thanks,

 

 

WD
Here to help

Yes this is for the Mikrotik side. Meraki only gives you few options that you need the other side to adhere to.

WD
Get notified when there are additional replies to this discussion.