IKEv2 Support in MX appliances

Winston 5 years ago updated by James 2 years ago 13

Please enable IKEv2 support for multi site dynamic VPN routing with 3rd party appliances.


When is Meraki going to get this done?

We've had many clients that have to buy an ASA just to support IKEv2 tunnels.

Seems like there is a high number of other people that want it too!

Come on Meraki!


Come on ... Some news?

  • Any updates?

Also continuing to wait for this feature. I requested it about a year and a half ago, and still no movement. We have multiple sites and an Azure presence, and we can only connect one network to Azure because the Meraki doesn't support Dynamic Routing. If this continues much longer, we'll just dump our Cisco gear and go with something else.


I'm disappointed that for such an expensive product (comparatively) it still doesn't offer so basic a feature.

Our account manager previously told me, over a year ago, that its 'coming soon' but here we are...still waiting.


Can't believe this isn't supported yet. Really disappointed that a high end solution (cost) would be so far behind. Come on sort it out and give this the priority it should be.


What is the ETA on this feature?  Ridiculous.


Account manager has said they will implement IKEv2 on the Auto VPN but not on the 3rd party VPN which is quite disappointing

FYI, Google Cloud used to allow specifying multiple local and remote subnets in a single IKEv1 tunnel configuration, which is what Meraki does, and you could bring up the tunnel. However, Google later said multiple subnets in an IKEv1 tunnel was against standards and restricted their API to disallow this. Google says only IKEv2 permits this, but Meraki won't support IKEv2, something that's been around for *years*.

So now, Meraki is basically incompatible with Google Cloud VPN because your choices are:

  1. Specify only a single subnet on the Meraki (remote) site and a single subnet on the Google (local) side when creating a VPN tunnel, and setting IKEv1. You can't create additional identical tunnels with additional subnets, because Google will error that you can't have multiple tunnels with the identical VPN Gateway + Peer IP specified. So, you get to live with only routing a single subnet on each side over your VPN tunnel. WTF.
  2. Get a cheap IPSEC VPN router to hang off the side of your Meraki MX to support IKEv2 and point all of your IPSEC VPN tunnels with 3rd parties to this device, and add static routes to your Meraki MX.

Both of these solutions suck. Meraki, you suck. Can you hear a paying customer?

Wow, just re-read this. I must have been pretty annoyed at the time to write "you suck" in such a childish way.

Anyway, we did end up going with option #2 by deploying a couple Ubiquiti EdgeRouters at each site and setting up all of our 3rd party VPN peers to connect via those, then static route the Meraki MX's to route packets destined for our VPN-remote networks to those EdgeRouters. It's definitely an annoying solution because it's more devices to worry about on the network, and sometimes the tunnels go down for inexplicable reasons and we have to reboot the EdgeRouters (that's a different issue in the EdgeRouter/VyOS firmware).

Please please pretty please, add IKEv2 support to the Meraki MX line so we can move the tunnels to GCP back to the Meraki firewalls and eliminate the extra complexity on our network of having separate VPN tunnel devices

I read a tutorial to setup the Meraki to Azure, they even have the preset, and it still has the Invalid Flag 0x08 error. So this is still a thing and Does not work yet?

Any work around that does not require a plethora of equipment

I was getting same thing when I had my Azure VPN gateway VPN Type set to Route-Based(Azure Default). After I recreated it to Policy-based, it started to work fine. 

Would love to see this on Non-Meraki VPN peers!