
Meraki to ASA VPN using IKEv2

CSCO12348032
Level 1

I have a problem with a VPN between a Meraki MZ and a Cisco ASA when using IKEv2.

The tunnel connects, but there is only one child SA, so the tunnel won't pass traffic for the other subnets that should be going over the tunnel.

I found this on a search; does anybody know what version (if any) this is fixed in?

The MX expects to negotiate all the subnets to use in one go, in the initial SA.  The ASA expects to negotiate a single subnet in the initial SA, and then negotiate each additional subnet combination in a new SA.

Both methods are correct but incompatible.

I have heard the ASA in later software releases also implemented the MX method.
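Added example, not from this thread or from either vendor's code: a small model of the two IKEv2 traffic-selector negotiation styles quoted above (RFC 7296, section 2.9), used to list which subnet pairs end up with no Child SA and therefore never enter the tunnel. The subnets are constructed values.

```python
"""Model IKEv2 traffic-selector (TS) narrowing to show which flows an
MX<->ASA tunnel leaves unprotected when only one Child SA pair exists.
Constructed example: subnets are invented, and this is not vendor code."""
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed sample subnets behind each peer.
MX_SUBNETS = ["10.1.0.0/24", "10.2.0.0/24"]
ASA_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24"]


def mx_style(local, remote):
    """MX behaviour as described in the thread: every subnet pair is
    negotiated in the single initial Child SA."""
    return [set(product(local, remote))]


def asa_style(local, remote, peer_accepts_more_sas):
    """ASA behaviour as described in the thread: the initial Child SA is
    narrowed to one subnet pair; each remaining pair needs its own
    CREATE_CHILD_SA exchange, which a peer that allows only one SA pair
    (the MX, per its documentation) does not accept."""
    pairs = list(product(local, remote))
    sas = [{pairs[0]}]
    if peer_accepts_more_sas:
        sas.extend({p} for p in pairs[1:])
    return sas


def flow_protected(src, dst, sas):
    """True if the selectors of some installed Child SA cover src -> dst."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(ls) and d in ip_network(rs)
               for sa in sas for ls, rs in sa)


def unprotected_pairs(local, remote, sas):
    """Subnet pairs meant to use the tunnel that no Child SA protects."""
    wanted = set(product(local, remote))
    return sorted(wanted - set().union(*sas))


def mx_asa_ikev2():
    """The situation in the thread: ASA narrows, MX refuses extra SAs."""
    sas = asa_style(MX_SUBNETS, ASA_SUBNETS, peer_accepts_more_sas=False)
    return sas, unprotected_pairs(MX_SUBNETS, ASA_SUBNETS, sas)


if __name__ == "__main__":
    sas, missing = mx_asa_ikev2()
    print("Child SAs installed:", sas)
    print("Subnet pairs with no SA (traffic never tunnelled):", missing)
```

Swap `asa_style(..., True)` or `mx_style(...)` into `unprotected_pairs` to confirm that either peer talking to a like-minded peer leaves nothing uncovered.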

Accepted Solution

I think it is a bug, and to solve the issue you need to use IKEv1 instead of IKEv2.

MHM

2 Replies

jelloyd
Cisco Employee

This is a limitation on the Meraki side. It is mentioned in their official documentation:

"Unlike IKEv1, Meraki's IKEv2 implementation - by design - only allows for a single pair of IPsec security associations between an MX or Z3 device and a given 3rd-party firewall, or a Meraki device in a separate Dashboard Organization."

https://documentation.meraki.com/MX/Site-to-site_VPN/IKEv1_and_IKEv2_for_non-Meraki_VPN_Peers_Compared

And yes, you will need to use IKEv1, where this is not a limitation.