Configuring CISCO MERAKI TO AZURE Site to Site VPN IPsec tunnel IKEv1

This document shows, step by step, how to configure a Cisco Meraki to Azure site-to-site VPN IPsec tunnel using IKEv1.

Cisco Meraki security appliances running firmware earlier than version 15.12 do not support IKEv2. Also, there is a bug in the current firmware 14.53 (confirmed by a Meraki support engineer): when you build a non-Meraki VPN peer with Azure, all Auto VPN peers go down and do not come back online until you reboot the security appliance. Everything works fine after the reboot.

Settings at Azure site

Create Azure Virtual network

1. Sign in to the Azure portal.

2. In Search resources, service, and docs (G+/), type virtual network.

3. Select Virtual Network from the Services results.

4. On the Virtual Network page, select Create.

5. Once you select Create, the Create virtual network page opens.

6. On the Basics tab, configure the Project details and Instance details VNet settings.

When you fill in the fields, you see a green check mark when the characters you enter in the field are validated. Some values are auto filled, which you can replace with your own values:

  • Subscription: Select Pay-As-You-Go.
  • Resource group: Select the existing resource group AZ-DR01 (or select Create new).
  • Name: Type AZ-DR01-VNet1.
  • Region: Select Canada Central.

7. Click Next: IP Address.

8. On the IP Addresses tab, configure the values.

  • IPv4 address space: Type 10.15.0.0/16.

9. Click +Add subnet.

  • Subnet name: Type FrontEnd.
  • Subnet address range: 10.15.1.0/24.
  • Services: Keep the default settings (0 selected).

10. Click Add.

11. Click Next: Security.

12. On the Security tab, at this time, leave the default values:

  • BastionHost: Disable.
  • DDoS Protection Standard: Disable.
  • Firewall: Disable.

13. Click Next: Tags.

14. On the Tags tab, leave the default values.

15. Click Next: Review + create.

16. After the settings have been validated, select Create.

17. Make sure the new VNet deployment completes without issues, then click Go to resource.

Create Azure VPN Gateway

1. In Search resources, service, and docs (G+/), type virtual network gateway.

2. Select Virtual network gateway from the Services results.

3. On the Basics tab, configure the Project details, Instance details and Public IP address settings for the virtual network gateway.

  • Subscription: Select Pay-As-You-Go.
  • Name: Type AZ-DR01-VNet1-GW1.
  • Region: Select Canada Central.
  • Gateway type: Select VPN.
  • VPN type: Select Policy-based.
  • SKU: Select Basic (Bandwidth: 100 Mbps).
  • Virtual network: Select AZ-DR01-VNet1.
  • Gateway subnet address range: Type 10.15.255.0/27
  • Public IP address: Leave Create new selected.
  • Public IP address name: AZ-DR01-VNet1-GW1-Public-IP
  • Assignment: VPN gateway supports only Dynamic.
  • Enable Active-Active mode: Select Disabled.
  • Configure BGP ASN: Select Disabled.

4. Click Next: Tags.

5. On the Tags tab, leave the default values.

6. Click Next: Review + create.

7. After the settings have been validated, select Create.

8. Make sure the new virtual network gateway deployment completes without issues, then click Go to resource.

Create Azure Local Network Gateway

1. In Search resources, service, and docs (G+/), type virtual network gateway.

2. Select Local network gateway from the Services results.

3. Click Create local network gateway.

4. On the Create local network gateway page, specify the values for your local network gateway.

  • Name: Type OFFICECalgary.
  • IP address: Type the OFFICE-Calgary WAN IP address (208.230.42.114).
  • Address Space: Add 192.168.0.0/22, 172.16.200.0/24 and 172.16.250.0/24.
  • Configure BGP settings: Use only when configuring BGP. Otherwise, don’t select this.
  • Subscription: Select Pay-As-You-Go.
  • Resource Group: Select AZ-DR01.
  • Location: Select Canada Central.

5. Click Create.

Create VPN connection

1. On the Azure Services page, click the newly created virtual network gateway.

2. On the Virtual network gateway page, select Connections.

3. On the Connections page, click +Add.

4. On the Add connection page, configure the values for your connection.

  • Name: Type AZ-DR01-VNet1toOFFICECalgary
  • Connection type: Select Site-to-site(IPSec).
  • Virtual network gateway: The value is fixed because you are connecting from this gateway.
  • Local network gateway: Click Choose a local network gateway and select the local network gateway that you want to use.

  • Click the OFFICECalgary local network gateway.
  • Shared Key: Type Azure
  • IKE Protocol: Select IKEv1
  • Resource Group: Select AZ-DR01

5. Click OK.

Settings at Meraki site

1. Sign in to the Cisco Meraki portal.

2. Select Security & SD-WAN, then click Site-to-site VPN.

3. On the Site-to-site VPN field, select Hub.

4. On the VPN settings field, select the local networks that you want to connect to Azure and then select VPN on.

5. On the Organization-wide settings page, click Add a peer under Non-Meraki VPN peers.

6. On the Non-Meraki VPN peers, configure the detailed settings.

  • Name: Type ToAzure
  • IKE Version: Select IKEv1
  • IPsec Policies: Click Default and then change Default to Azure

Click Update.

  • Public IP: Type the Azure virtual network gateway public IP address (53.139.26.221).
  • Private subnets: Type 10.15.0.0/16
  • Preshared secret: Type Azure.
  • Availability: Select All Networks.

7. Click Save Changes.
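
Before saving both sides, it helps to confirm that the two peers describe the same tunnel, because a policy-based tunnel only passes traffic when the prefixes and the pre-shared key entered on each side agree. The following pre-flight check is an added example, not part of the original post: the dictionary layout and function names are constructed for illustration, the Meraki local networks are assumed to be the three prefixes entered in the Azure local network gateway, and the 20-character minimum for the pre-shared key is an assumed local policy.

```python
import ipaddress
import string

# Values copied from the walkthrough; the dict layout is constructed for this example.
AZURE = {
    "ike": "IKEv1", "psk": "Azure",
    "vnet": "10.15.0.0/16",
    "subnets": {"FrontEnd": "10.15.1.0/24", "GatewaySubnet": "10.15.255.0/27"},
    "local_gateway_prefixes": ["192.168.0.0/22", "172.16.200.0/24", "172.16.250.0/24"],
}
MERAKI = {
    "ike": "IKEv1", "psk": "Azure",
    "private_subnets": ["10.15.0.0/16"],  # prefixes routed to the Azure peer
    # Assumption: the local networks enabled for VPN on the Meraki side.
    "local_networks": ["192.168.0.0/22", "172.16.200.0/24", "172.16.250.0/24"],
}
MIN_PSK_LEN = 20  # assumption: local policy, not a vendor limit

def nets(prefixes):
    """Parse CIDR strings into a set of network objects for exact comparison."""
    return {ipaddress.ip_network(p) for p in prefixes}

def psk_is_weak(psk):
    """Flag keys that are short or use fewer than three character classes."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    kinds = sum(any(c in cls for c in psk) for cls in classes)
    return len(psk) < MIN_PSK_LEN or kinds < 3

def check_tunnel(azure, meraki):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    if azure["ike"] != meraki["ike"]:
        findings.append("IKE version differs between peers")
    if azure["psk"] != meraki["psk"]:
        findings.append("pre-shared keys differ")
    if psk_is_weak(azure["psk"]) or psk_is_weak(meraki["psk"]):
        findings.append("pre-shared key is short or low-complexity")
    vnet = ipaddress.ip_network(azure["vnet"])
    onprem = nets(azure["local_gateway_prefixes"])
    if nets(meraki["private_subnets"]) != {vnet}:
        findings.append("Meraki private subnets do not match the VNet address space")
    if nets(meraki["local_networks"]) != onprem:
        findings.append("Azure local network gateway prefixes do not match Meraki local networks")
    if any(vnet.overlaps(n) for n in onprem):
        findings.append("Azure and on-premises address spaces overlap")
    subs = [ipaddress.ip_network(s) for s in azure["subnets"].values()]
    if not all(s.subnet_of(vnet) for s in subs):
        findings.append("a subnet falls outside the VNet address space")
    if any(a.overlaps(b) for i, a in enumerate(subs) for b in subs[i + 1:]):
        findings.append("VNet subnets overlap each other")
    return findings
```

Run against the values in this walkthrough, `check_tunnel(AZURE, MERAKI)` reports only the pre-shared key finding; the prefixes and IKE version are consistent on both sides.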

Verify the VPN connection

In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the connection.

1. In the Azure portal menu, select All resources or search for and select All resources from any page.

2. Select the virtual network gateway.

3. On the blade for the virtual network gateway, click Connections. You can see the status of each connection.

In the Meraki portal, you can view the VPN status by navigating to the Non-Meraki peer.

1. Sign in to the Meraki portal.

2. Select Security & SD-WAN, then click VPN Status.

3. Click Non-Meraki peer.

4. Make sure the Status light shows green.

Author: Cary Sun

Cary Sun is a Principal Consultant. He has a strong background specializing in datacenter and deployment solutions, and has spent over 20 years in the planning, design, and implementation of network technologies and management and system integration. He has held the CISCO CERTIFIED INTERNETWORK EXPERT certification (CCIE No. 4531) since 1997. Cary is also a Microsoft Most Valuable Professional (MVP) and Cisco Champion. He is a published author with several titles, including blogs on Checkyourlogs.net, and the author of many books. Specialties: CCIE / CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA
Blog: http://www.carysun.com http://www.checkyourlogs.net
Twitter: @SifuSun
