IPSec Tunnel using "User FQDN" from Cisco Meraki to Zscaler

Hi All,

We are trying to establish IPSec tunnel to Zscaler from our Meraki device. There are two ways we can do this on Zscaler side:

  1. By whitelisting the public IP of the Meraki and using pre-shared key

  2. Using “User FQDN” e.g. test@domain.com and pre-shared key

We can successfully establish a tunnel using option 1 above; however, since our IPs are dynamic, they could change at any time, or fail over to 4G backup. So instead we want to use the “User FQDN” option; however, we cannot get the session established.

There is an ISP device which sits between the Meraki and the internet, however, I don’t feel like this is causing issues since option 1 above works.

We’ve engaged Meraki support to enable IKE Aggressive Mode + User FQDN via the backend, and it seems to be done, and we’ve tried adding the User FQDN to both the Local ID and Remote ID fields, and the session still does not get established.

We can successfully establish the tunnel to Zscaler using User FQDN when testing with the Shrew Soft VPN client.

Has anyone gotten “User FQDN” + Zscaler IPSec tunnel working? Or even gotten “User FQDN” working with some other 3rd party VPN?

Hi Steve,

I am not familiar with Meraki, but what I can share is that you should use the FQDN as the local ID, and leave the remote ID as any if you see a similar option. Have you also checked and compared the ciphers you are using in Shrew VPN and Meraki? Also, phase 2 should have encryption set to null. Finally, you can also confirm whether there is any traffic flowing from the client to Zscaler over the tunnel (some products need traffic to trigger the tunnel setup, and Zscaler will never generate traffic from our side to the customer side).

HTH.

Best Regards,

Jones Leung

Steve,

I have gotten it to work. See below. Reply to my email tharcourt@zscaler.com and I will send you the screen shots.

Regards,

-Todd Harcourt-


Hi guys,

We finally got it to work. It seems there are multiple bugs on the Meraki side which we have now discovered.

The first bug is that the Meraki dashboard was not updating the FQDN in the backend configuration of the Meraki after we saved it. After Meraki support manually added the FQDN to the configuration, the tunnel came up. They’ve acknowledged this is a bug in their dashboard.

The second bug is when we try to configure site to site VPN while client VPN is also active on the Meraki, the site to site VPN is using the preshared key from the client VPN instead! This is another bug they acknowledged.

Will update this post once Meraki support come back with some fixes. Safe to say the issues are sitting on the Meraki side of the fence :)

Hey folks,
IHAC with exactly this same scenario. They have Meraki sites with dynamic IPs, and want to use FQDN as a VPN credential instead of a static IP.

Could you please share the latest working config and let me know about any Meraki bug fixes you found?

Thanks

Hi Jaime,

We are still working with Meraki support on this. They currently have not provided any fix/work around.

However, if your customer does NOT use Client VPN within the Meraki (or if they disable it), S2S VPN will work; Meraki support will still need to manually enable the “old” dashboard view.

Manual Steps for Meraki Support:

  1. Enable IPSec aggressive mode (FQDN credential will only work with Aggressive mode)
  2. Enable the “old” dashboard. This allows the customer to see the “User FQDN” field. In the new dashboard, the user only sees “Local ID”, and there is a bug which prevents this from updating the FQDN in the backend configuration on the Meraki.

Again, if customer doesn’t use Client VPN, the above should work and get you going. If they do…stay tuned for updates!
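Added example, not part of the thread or of any Meraki/Zscaler tooling: a small decoder for the first IKEv1 message that shows why the FQDN credential depends on aggressive mode and how to confirm what identity the Meraki is actually sending. In IKEv1 main mode the ID payload arrives encrypted, so a responder using pre-shared keys has to pick the PSK by peer IP before it knows who is calling; in aggressive mode the initiator puts its ID payload in clear text in message 1, which lets Zscaler match the PSK to a User FQDN. The same property means a packet capture on UDP/500 shows directly whether the dashboard change reached the device (the first bug above) and whether the ID type is ID_USER_FQDN (3) rather than ID_FQDN (2). The packet bytes below are constructed inline with placeholder SA/KE/NONCE bodies; only the ISAKMP header and payload chain follow RFC 2408/2407 layout, which is all the decoder needs.

```python
"""IKEv1 (ISAKMP) first-message identity decoder.

Added illustration, not from the original thread. Builds a constructed
aggressive-mode message 1 and decodes which ID type the initiator presents.
Layout per RFC 2408 (ISAKMP header, generic payload header) and RFC 2407
(ID payload and ID types). SA/KE/NONCE bodies are zero-filled placeholders.
"""
import struct

ISAKMP_HDR_FMT = "!8s8sBBBBII"        # i-cookie, r-cookie, next, ver, xchg, flags, msgid, len
ISAKMP_HDR_LEN = struct.calcsize(ISAKMP_HDR_FMT)  # 28 bytes
EXCHANGE_TYPES = {2: "main", 4: "aggressive", 5: "informational"}
PAYLOAD_SA, PAYLOAD_KE, PAYLOAD_ID, PAYLOAD_NONCE = 1, 4, 5, 10
ID_TYPES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN", 11: "ID_KEY_ID"}
FLAG_ENCRYPTION = 0x01


def _payload(next_payload: int, body: bytes) -> bytes:
    """Generic payload header: next payload, reserved, total length."""
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


def build_aggressive_msg1(identity: str, id_type: int = 3, exchange_type: int = 4) -> bytes:
    """Constructed message 1: SA -> KE -> NONCE -> ID. Non-ID bodies are placeholders."""
    # ID payload body: ID type, protocol (UDP), port (500), identification data
    id_body = struct.pack("!BBH", id_type, 17, 500) + identity.encode("ascii")
    payloads = (
        _payload(PAYLOAD_KE, b"\x00" * 8)       # SA, chains to KE
        + _payload(PAYLOAD_NONCE, b"\x00" * 32)  # KE, chains to NONCE
        + _payload(PAYLOAD_ID, b"\x00" * 16)     # NONCE, chains to ID
        + _payload(0, id_body)                   # ID, end of chain
    )
    hdr = struct.pack(ISAKMP_HDR_FMT, b"\x11" * 8, b"\x00" * 8, PAYLOAD_SA, 0x10,
                      exchange_type, 0, 0, ISAKMP_HDR_LEN + len(payloads))
    return hdr + payloads


def decode_ike_identity(pkt: bytes) -> dict:
    """Walk the payload chain of an IKEv1 message and report the clear-text ID, if any."""
    if len(pkt) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    (_ic, _rc, next_payload, version, exchange,
     flags, _msgid, length) = struct.unpack(ISAKMP_HDR_FMT, pkt[:ISAKMP_HDR_LEN])
    if version >> 4 != 1:
        raise ValueError("not IKEv1")
    if length != len(pkt):
        raise ValueError("ISAKMP length does not match packet")
    result = {"exchange": EXCHANGE_TYPES.get(exchange, f"unknown({exchange})"),
              "id_type": None, "identity": None}
    if flags & FLAG_ENCRYPTION:
        # Main-mode ID payloads arrive here: encrypted, so not observable on the wire.
        result["note"] = "payloads encrypted; identity not visible"
        return result
    off = ISAKMP_HDR_LEN
    while next_payload != 0:
        if off + 4 > len(pkt):
            raise ValueError("truncated payload header")
        ptype = next_payload
        next_payload, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
        if plen < 4 or off + plen > len(pkt):
            raise ValueError("bad payload length")
        body = pkt[off + 4:off + plen]
        if ptype == PAYLOAD_ID and len(body) >= 4:
            id_type, _proto, _port = struct.unpack("!BBH", body[:4])
            data = body[4:]
            result["id_type"] = ID_TYPES.get(id_type, f"unknown({id_type})")
            # FQDN-style IDs are ASCII; anything else is shown as hex.
            result["identity"] = data.decode("ascii", "replace") if id_type in (2, 3) else data.hex()
        off += plen
    return result


def presents_user_fqdn(pkt: bytes) -> bool:
    """True only when the peer opened aggressive mode with an ID_USER_FQDN identity."""
    r = decode_ike_identity(pkt)
    return r["exchange"] == "aggressive" and r["id_type"] == "ID_USER_FQDN"


if __name__ == "__main__":
    print(decode_ike_identity(build_aggressive_msg1("test@domain.com")))
```

To use it against a real capture, feed the UDP payload of the initiator's first packet on port 500 (for example, the bytes tshark or scapy extract) to `decode_ike_identity`; an `exchange` of `main` with no ID, or an `id_type` of `ID_FQDN` where `ID_USER_FQDN` was configured, points at the device-side configuration rather than the Zscaler side.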

Thanks Steve, this is very helpful.

They do not use Client VPN to my knowledge but I will find out for sure.