IPSec Tunnel using "User FQDN" from Cisco Meraki to Zscaler

Hi All,

We are trying to establish IPSec tunnel to Zscaler from our Meraki device. There are two ways we can do this on Zscaler side:

  1. By whitelisting the public IP of the Meraki and using pre-shared key

  2. Using “User FQDN” e.g. test@domain.com and pre-shared key

We can successfully establish a tunnel using option 1 above, however, since our IPs are dynamic, they could change at any time, or fail over to 4G backup. So, instead we want to use the “user FQDN” option, however, we cannot get a session established.

There is an ISP device which sits between the Meraki and the internet, however, I don’t feel like this is causing issues since option 1 above works.

We’ve engaged Meraki support to enable IKE Aggressive Mode + User FQDN via the backend, and it seems to be done, and we’ve tried adding the user FQDN to both the Local ID and Remote ID fields and the session still does not get established.

We can successfully establish the tunnel to Zscaler using User FQDN when testing using Shrewsoft VPN client.

Has anyone gotten “User FQDN” + Zscaler IPSec tunnel working? Or even gotten “User FQDN” working with some other 3rd party VPN?

Hi Steve,

I am not familiar with Meraki, but what I can share is that you should use the FQDN as the local ID, and leave remote ID as any if you see a similar option. Have you also checked and compared the ciphers you are using in Shrew VPN and Meraki? Also, phase 2 should have encryption set to null. Finally, you can also confirm if there is any traffic flowing from the client to Zscaler over the tunnel (some products need traffic to trigger the tunnel setup, and Zscaler will never generate traffic from our side to the customer side).

HTH.

Best Regards,

Jones Leung

Steve,

I have gotten it to work. See below. Reply to my email tharcourt@zscaler.com and I will send you the screen shots.

Regards,

-Todd Harcourt-

Hi guys,

We finally got it to work. It seems there are multiple bugs on Meraki side which we have now discovered.

The first bug is that the Meraki dashboard was not updating the FQDN in the backend configuration of the Meraki after we save it. After Meraki support manually added the FQDN to the configuration, the tunnel came up. They’ve acknowledged this is a bug in their dashboard.

The second bug is when we try to configure site to site VPN while client VPN is also active on the Meraki, the site to site VPN is using the preshared key from the client VPN instead! This is another bug they acknowledged.

Will update this post once Meraki support come back with some fixes. Safe to say the issues are sitting on the Meraki side of the fence :)

Hey folks,
IHAC with exactly this same scenario. They have Meraki sites with dynamic IPs, and want to use FQDN as a VPN credential instead of Static IP.

Could you please share the latest working config and let me know about any Meraki bug fixes you found?

Thanks

Hi Jaime,

We are still working with Meraki support on this. They currently have not provided any fix/work around.

However, if your customer does NOT use Client VPN within the Meraki, if they disable it, S2S VPN will work, however Meraki support will still need to manually enable the “old” dashboard view.

Manual Steps for Meraki Support:

  1. Enable IPSec aggressive mode (FQDN credential will only work with Aggressive mode)
  2. Enable “old” dashboard. This allows customer to see “User FQDN” field. In new dashboard, user only sees “Local ID” and there is a bug which prevents this from updating the FQDN in the backend configuration on the Meraki.

Again, if customer doesn’t use Client VPN, the above should work and get you going. If they do…stay tuned for updates!

Thanks Steve, this is very helpful.

They do not use Client VPN to my knowledge but I will find out for sure.

Hi Steve,

I am a little confused with this FQDN option. I was only familiar with building VPNs using public IP addresses. However, I do need to do it this time using FQDN for the reasons we all know. I see your steps but still don’t understand:

  1. Where do I get that user FQDN from to be configured in the Meraki side? Do I just define one like test@mycompany.com when creating VPN credentials in the Zscaler side?
  2. When do I use the DDNS name for my Meraki MX in the Zscaler portal? Or is it ever used in any part of the configuration?
  3. Do I set 0.0.0.0/0 in the private subnet field at the Meraki side?
  4. Do I enter anything in the remote ID field in the Meraki side? Or do I just leave that one blank?

I would appreciate your help in this.

Carlos

Hi Carlos,

My memory is a little rusty but I’ll try my best to answer your questions.

  1. You create this in the Zscaler Admin console. It can be called anything you like.
  2. The dynamic DNS of the Meraki is never used.
  3. No, but you need to ensure you have routing set up to route 0.0.0.0/0 out of the VPN if it is up.
  4. No, remote ID should be left blank. I believe it just needs to be the Local ID.

Hopefully it helps! If you’re using Merakis, you will need Meraki support to help you out, as per one of my comments in this thread. It will never work without them making some backend changes.

Zscaler support should be able to share the Meraki/Zscaler config guide (which I can’t seem to find by googling).

Hi Carlos,

IPSEC tunnels are a hidden feature which is enabled on request.
Regarding the configuration on Meraki MX to Zscaler ZIA, we have a quick article here: Cisco Meraki MX - routing (tunnels) deployment | Cloudi Fi Knowledge Base

Best,
Damien