Networking Fundamentals: IPSec and IKE
Cisco Meraki uses Internet Protocol Security (IPSec) for Site-to-site and Client VPN. IPSec is a framework for securing the IP layer. In this suite, modes and protocols are combined to tailor the security methods to the intended use. Cisco Meraki VPNs use the following mode and protocol for site-to-site VPN communication:
Mode: tunnel
In tunnel mode, the entire IP header and payload are encapsulated. A new packet header is added, and the packet itself can be encrypted—not just the packet data. Tunnel mode allows traffic to pass in its entirety and creates a secure channel for communication between two endpoints.
Protocol: Encapsulated Security Payload (ESP)
ESP is the wire-level protocol that secures communication by encrypting the encapsulated data; it can also authenticate that data.
ESP used in tunnel mode allows for encryption of the full packet. To an entity viewing this traffic externally, the only clear-text data in the packets are the new IP header and the ESP header.
IPSec can also be used in transport mode and with the Authentication Header (AH) protocol. Each mode can be used with either protocol. The tunnel mode and ESP combination is used because it best suits a secured VPN connection.
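As an added illustration of the point above (not Meraki's code or a tool from this page), the following Python builds a constructed ESP-in-IPv4 tunnel-mode packet and then parses only the fields an on-path observer can read: the outer IP addresses, the SPI and the sequence number, with the encrypted body left opaque. The addresses, SPI and "ciphertext" are constructed sample values and no real encryption is performed.

```python
import struct

ESP_PROTOCOL = 50  # IP protocol number for ESP (RFC 4303)

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_esp_tunnel_packet(src: str, dst: str, spi: int, seq: int, opaque: bytes) -> bytes:
    """Outer IPv4 header + ESP header + opaque body (constructed sample, no real crypto).
    In a real packet the opaque body is the encrypted inner IP packet, ESP trailer and ICV."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    total_len = 20 + 8 + len(opaque)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                      64, ESP_PROTOCOL, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + struct.pack("!II", spi, seq) + opaque

def parse_esp_tunnel_packet(pkt: bytes) -> dict:
    """Return only what an on-path observer can read: outer addresses and the ESP header."""
    if len(pkt) < 28:
        raise ValueError("too short for an IPv4 + ESP header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != ESP_PROTOCOL:
        raise ValueError(f"IP protocol {pkt[9]} is not ESP")
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "spi": spi,
        "seq": seq,
        "opaque_len": total_len - ihl - 8,  # ciphertext: inner header and payload are not visible
    }

if __name__ == "__main__":
    # Constructed sample: RFC 5737 documentation addresses, made-up SPI and ciphertext.
    sample = build_esp_tunnel_packet("203.0.113.10", "198.51.100.20", 0x1234ABCD, 7, bytes(range(40)))
    print(parse_esp_tunnel_packet(sample))
```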
Each side of an IPSec communication needs to share secret values to secure traffic. These keys are used to match encryption and hashing methods. Cisco Meraki devices use two methods to establish these keys.
The primary method Cisco Meraki devices use to establish shared secrets is through the Cisco Meraki cloud infrastructure. All Meraki devices maintain a secured tunnel back to the Cisco Meraki cloud. This allows Cisco Meraki devices to establish all information needed to create an IPSec tunnel through a mutually trusted source. A method known as UDP hole punching is then used to create these VPN tunnels. For more information on how the Meraki MX WAN appliance uses UDP hole punching, refer to the documentation on Automatic NAT Traversal.
Cisco Meraki devices also use the IKE method to negotiate the essential information for IPSec connections. IKE is used for Client VPN and non-Meraki site-to-site VPNs.
IKEv1
Internet Key Exchange (IKE) is the protocol Cisco Meraki uses to establish IPSec connections for non-Meraki site-to-site and client VPNs. When a VPN endpoint detects traffic that should traverse the VPN, the IKE process starts. IKE is broken down into two phases:
Phase 1
The purpose of Phase 1 is to create a secure channel using a Diffie-Hellman key exchange. This secure channel is then used for further IKE transmissions. Phase 1 is based on the Internet Security Association and Key Management Protocol (ISAKMP) framework.
The Event Log entries in the figure above typically accompany the IKE process. In a successful exchange, the logs display "ISAKMP-SA established" and information specific to that association.
Phase 1 has two possible modes:
- Main mode: Consists of three exchanges to process and validate the Diffie-Hellman exchange.
- Aggressive mode: Completes the Diffie-Hellman exchange within a single exchange.
Issues with this phase are usually related to public IP addressing, pre-shared keys, or encryption/hash configuration.
Phase 2
Phase 2 uses the secure channel created in Phase 1 to establish IPSec security associations (SAs) and negotiate the information needed for the IPSec tunnel. Phase 2 events appear in the Event Log figure above as "IPsec-SA established." Two Phase 2 events are shown there because a separate security association is used for each subnet configured to traverse the VPN.
This phase has only one mode on the Cisco Meraki platform, called quick mode.
Issues with this phase are typically seen when subnets are not matched on each side of the tunnel or permitted encryption/hash settings are mismatched.
Additional resources
For information on troubleshooting Cisco Meraki VPN, refer to the Troubleshooting Client VPN documentation.
For more information on configuring Site-to-Site VPN tunnels:

