0

I want to set up various infrastructure in MS Azure that will then be available to multiple locations that are equipped with Cisco Meraki MX Security Appliances. Unfortunately, the MXs don't yet support route based VPNs, and Azure only supports multiple site to site networks when using route based VPN. I think similar challenges may exist with AWS and other cloud service providers.

I think I may be able to work around this limitation using a virtual firewall, such as Cisco ASAv, but I haven't been able to find any documentation or marketing material that makes it clear this is suitable. I know I have done hub/spoke VPN with physical ASAs in the past, but I have no experience with ASAv.

Has anyone got any experience doing cloud provider hub with ASAv (or any other virtual firewall) and branch office spoke using firewalls that don't support IKEv2 or route based VPNs, such as Meraki MX, Cisco ASA etc?

dunxd
  • 9,482
  • 21
  • 80
  • 117
  • Not exactly what you are asking about, but I recently assisted a business in connecting their Meraki-based office network to Azure, using a small pfsense box to perform routing and IPSec. It's working great for them...something for you to consider. You may be able to even get away with running pfsense in a VM, depending on your requirements and available resources. – EEAA Aug 17 '16 at 23:29
  • 1
    not an answer, but would the CSR be the right fit here? https://azure.microsoft.com/en-us/marketplace/partners/cisco/cisco-csr-basic-templatecsr-azure-byol-two-nic/ – CtrlDot Aug 19 '16 at 01:33

2 Answers

2

As mentioned above, we were able to accomplish this by standing up a Cisco CSR in Azure. We have 50 MX60Ws and a few MX100s all connecting into the Azure CSR, which then allows a direct connection to our Azure virtual servers.

Of course the best solution would be standing up a virtual MX in Azure. Our Meraki sales rep keeps promising that this is coming but no news yet. He mentioned recently that they are in beta with a virtual MX in AWS. With all focus on setting up cloud-based hosting environments (i.e., Azure, AWS), I think Meraki is missing out on how many companies want to connect all of their locations seamlessly.

Pat Beautz
  • 36
  • 2
  • I'm getting a CSR 1000v under try and buy, and hopefully will get adequate support from Cisco. I haven't found info clear enough for me to get an MX talking to one yet. Do you need a fixed public IP on each MX and no NAT in between? vMX for AWS is out now. Hope to replace the CSR 1000v with vMX for Azure in a year's time, for auto-VPN and analytics etc. – dunxd Jun 04 '17 at 17:54
2

You'll need a static IP on the CSR, but can use the Meraki dynamic DNS names. The Meraki VPN is set up in the Organization-wide VPN section and distributed to the MXs based on tags. The Phase 1 and Phase 2 settings and the pre-shared key all have to match exactly on both sides.

Phase 1: Encryption AES256, Authentication SHA1, DH group 5, Lifetime 28800

Phase 2: Encryption AES256, Authentication SHA1, PFS off, Lifetime 28800

CSR example lines:

crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
 ! phase 1 lifetime in seconds, matching the 28800 stated above (IOS default is 86400)
 lifetime 28800
! address and mask all zeroes means allow connections from anything
crypto isakmp key *shared-key* address 0.0.0.0 0.0.0.0
! phase 2 lifetime in seconds, matching the 28800 stated above (IOS default is 3600)
crypto ipsec security-association lifetime seconds 28800
crypto ipsec transform-set T1 esp-aes 256 esp-sha-hmac
 ! tunnel mode is the default; the author noted it is implicit if not specified
 mode tunnel
crypto map MERAKIMAP 100 ipsec-isakmp
 description -something informative-
 ! "dynamic" makes the CSR re-resolve the MX dynamic DNS name rather than caching one IP
 set peer -MX-dynamicName.dynamic-m.com- dynamic
 set transform-set T1
 match address 100
interface GigabitEthernet1
 crypto map MERAKIMAP
! crypto ACL: source is the local (CSR side) network, destination is the remote (MX side) network
access-list 100 permit ip 10.10.103.0 0.0.0.255 10.10.164.0 0.0.0.255
dunxd
  • 9,482
  • 21
  • 80
  • 117
  • Thanks. Great to know it can use the dynamic DNS names at the MX end and amazing to see a sample config - why can't Meraki or Cisco provide this information up front? – dunxd Jun 05 '17 at 21:18
  • Trying to implement this now - can you clarify whether, in your example, the access list IP addresses are 10.10.103.0 = Meraki device subnets and 10.10.165.0 = Azure subnets? – dunxd Jul 08 '17 at 21:04
  • Also, for multiple Meraki sites, do you create a separate access-list for each? – dunxd Jul 08 '17 at 21:12
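The answer above shows the crypto-map, transform-set and ACL lines for a single MX spoke, and the follow-up comments ask how that scales to many sites. The script below is an added example, not code from the answer's author, Cisco or Meraki: it generates the CSR-side IOS configuration for a list of spokes, giving each spoke its own crypto map sequence number and its own numbered extended ACL, and it refuses to emit a config when two spokes claim overlapping subnets (overlapping crypto ACLs make IOS match the first sequence and silently drop the second site's traffic). The hub and spoke subnets, the `branch-*.dynamic-m.com` hostnames and the `REPLACE-ME` key are constructed placeholders. The crypto ACL convention used (source = local CSR-side network, destination = remote MX network) is standard IOS crypto-map behaviour, and the phase settings mirror the Meraki values quoted in the answer (AES256, SHA1, DH group 5, 28800 s, PFS off).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import Dict, List

# Meraki-side phase settings quoted in the answer; the CSR side must mirror them.
PHASE1 = {"encr": "aes 256", "hash": "sha", "group": 5, "lifetime": 28800}
PHASE2_LIFETIME = 28800  # seconds; PFS is off on the MX side, so no "set pfs" line is emitted


@dataclass
class Spoke:
    name: str
    peer_dns: str            # MX dynamic DNS hostname (constructed sample values below)
    lan_subnets: List[str]   # networks behind this MX, in CIDR notation


@dataclass
class Hub:
    local_subnets: List[str]   # Azure-side networks behind the CSR
    shared_key: str
    interface: str = "GigabitEthernet1"
    transform_set: str = "T1"
    crypto_map: str = "MERAKIMAP"
    first_acl: int = 100       # each spoke gets its own numbered extended ACL ...
    first_seq: int = 100       # ... and its own crypto map sequence number


def wildcard(cidr: str) -> str:
    """IOS ACLs take network + wildcard mask, e.g. '10.10.103.0 0.0.0.255'."""
    net = IPv4Network(cidr)
    return f"{net.network_address} {net.hostmask}"


def check_no_overlap(spokes: List[Spoke]) -> None:
    """Reject spokes whose LAN subnets overlap: IOS selects the first crypto map
    sequence whose ACL matches, so the later spoke would never get its traffic."""
    seen: Dict[IPv4Network, str] = {}
    for sp in spokes:
        for cidr in sp.lan_subnets:
            net = IPv4Network(cidr)
            for other, owner in seen.items():
                if net.overlaps(other):
                    raise ValueError(f"{sp.name} {net} overlaps {owner} {other}")
            seen[net] = sp.name


def acl_lines(acl: int, hub: Hub, spoke: Spoke) -> List[str]:
    """Crypto ACL: source = local (hub) networks, destination = remote (spoke) networks."""
    return [
        f"access-list {acl} permit ip {wildcard(h)} {wildcard(s)}"
        for h in hub.local_subnets
        for s in spoke.lan_subnets
    ]


def render(hub: Hub, spokes: List[Spoke]) -> List[str]:
    """Return the CSR configuration as a list of IOS lines, one crypto map entry per spoke."""
    check_no_overlap(spokes)
    out = [
        "crypto isakmp policy 10",
        f" encr {PHASE1['encr']}",
        f" hash {PHASE1['hash']}",
        " authentication pre-share",
        f" group {PHASE1['group']}",
        f" lifetime {PHASE1['lifetime']}",
        # wildcard peer: MX WAN addresses are dynamic, so the key cannot be bound to one IP
        f"crypto isakmp key {hub.shared_key} address 0.0.0.0 0.0.0.0",
        f"crypto ipsec security-association lifetime seconds {PHASE2_LIFETIME}",
        f"crypto ipsec transform-set {hub.transform_set} esp-aes 256 esp-sha-hmac",
        " mode tunnel",
    ]
    for i, sp in enumerate(spokes):
        acl = hub.first_acl + i
        seq = hub.first_seq + 10 * i
        out += [
            f"crypto map {hub.crypto_map} {seq} ipsec-isakmp",
            f" description {sp.name}",
            f" set peer {sp.peer_dns} dynamic",   # re-resolve the MX dynamic DNS name
            f" set transform-set {hub.transform_set}",
            f" match address {acl}",
        ]
        out += acl_lines(acl, hub, sp)
    out += [f"interface {hub.interface}", f" crypto map {hub.crypto_map}"]
    return out


# Constructed sample topology: one Azure subnet, two Meraki branches.
HUB = Hub(local_subnets=["10.10.164.0/24"], shared_key="REPLACE-ME")
SPOKES = [
    Spoke("branch-a", "branch-a-example.dynamic-m.com", ["10.10.103.0/24"]),
    Spoke("branch-b", "branch-b-example.dynamic-m.com", ["10.10.104.0/24"]),
]

if __name__ == "__main__":
    print("\n".join(render(HUB, SPOKES)))
```

Each additional site is one more `Spoke` entry; the generated sequence numbers step by 10 so a site can later be inserted between two existing ones without renumbering, and the per-spoke ACL numbers make it obvious in `show crypto map` which site a given SA belongs to.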