Mobile L2TP VPN tunnel

SOLVED
JJ_7777
Conversationalist

Hi all,

 

Complete newb to Meraki and VPN; sorry if this has been asked or is a silly question.

Some time ago iOS stopped supporting SHA1 authentication on L2TP client VPN connections. I need to use my iPhone to connect to provide basic remote support on the go with my phone.

We have an MX device running site-to-site in hub formation. The IKE setup on the non-peer Meraki is set for SHA256 for encryption but SHA1 for authentication. If we change authentication to SHA256, will this affect any of the existing site-to-site VPN connections? Does anything need to be changed at our DC because of this change?

 

Do you need any other info?  Am I missing anything else here to make this clear?  

 

Thank you for your help.


alemabrahao
Kind of a big deal

Site to site VPN configuration has nothing to do with VPN Client configuration.

They are totally different things.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Thanks but I don’t see IPSec settings in the client VPN.  Where do I find this setting?  Could you elaborate or provide a link for what I need?

alemabrahao
Kind of a big deal

Unfortunately it's not possible to change this configuration.

 

Client VPN uses 3DES encryption with SHA1 hashing algorithms for Phase 1, and AES128/3DES encryption with SHA1 hashing algorithms for Phase 2. As a best practice, the shared secret, or pre-shared key, should not contain special characters at the beginning or end.

 

Client VPN connections can only be established on the primary uplink.

alemabrahao
Kind of a big deal

Have you considered using AnyConnect?


Thanks for the explanation.

 

So the Phase 1 and Phase 2 settings are not applicable for client VPN connections? I thought I could change the Authentication value to SHA256 instead of SHA1.

A new RADIUS server is outside of my job scope and budgetary means at the moment, so AnyConnect won't be an immediate solution at this time.

 

Thanks for the insight and suggestion.

alemabrahao
Kind of a big deal

One more consideration, this is the standard for L2TP, so there's nothing that can be changed on Meraki's side.

PhilipDAth
Kind of a big deal

As @alemabrahao says, AnyConnect would be the best solution all around.

 

However, you can open a case with support and request that they change the client VPN IPsec parameters. Note that every client that connects also has to be updated to use the same settings (or they will break). Changing these settings makes them incompatible with existing client connections.

 

If your iPhone supports it, you could try asking support to change it to:
AES128-CBC+SHA256+DH Group 14

@PhilipDAth, I'm not sure about that, because it's an L2TP standard.


If you use my client VPN wizard:

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

and tick "PCI compliant" - it does exactly this.  It builds the Windows client VPN with stronger crypto, and you have to raise a support ticket to get the L2TP settings on the Meraki end changed.

 

Done it many times to allow companies to get a more PCI-compliant VPN solution.

That's exactly the point about support making any changes: as far as I remember, I don't recall hearing about support making these changes.

I'm curious and a little skeptical about this.


Thanks Philip. I'm a bit concerned about your comment about affecting existing clients. Will it affect clients' computers? You mean this should be done after hours? Do we have to fix existing Windows configurations?

I might suggest AnyConnect using Meraki Cloud as the RADIUS server. It's more for our IT team to be able to support end users after hours; it won't be a company-wide deployment.

PhilipDAth
Kind of a big deal

It only affects existing "client VPN" users - no other users will be affected.

 

If someone is using client VPN on Windows, and you get the setting changed to make it work on your iPhone - then the existing connections on Windows must be changed to match the new crypto connections or their client VPN will no longer work.
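The Windows side of the change Philip describes, as an added example that is not from this thread or from Meraki: a script that builds the Windows L2TP/IPsec client profile twice, once with the crypto the MX ships with (as quoted earlier in the thread) and once with the AES128-CBC/SHA256/DH group 14 set he proposes, so an admin can stage the switch on a UAT machine and read back exactly what the client will propose before and after support changes the MX. The connection name, server address, PSK, PPP authentication method and the Phase 1 DH group for the default profile are assumptions; the cmdlets are the standard VpnClient module ones.

```powershell
# Added example, not Meraki's own tooling. Run in an elevated PowerShell on
# Windows 10/11. Assumed values are marked; replace them with yours.

$ConnectionName = 'Corp-L2TP'                  # assumption
$ServerAddress  = 'vpn.example.com'            # assumption: MX primary uplink IP/DDNS name
$Psk            = 'change-me-long-random-psk'  # assumption: the client VPN shared secret
$AuthMethod     = 'Pap'                        # assumption: use whatever your current Windows profiles use

# The thread quotes Meraki's advice that the shared secret should not start
# or end with a special character. Refuse to build a profile that violates it.
function Test-MerakiPsk {
    param([Parameter(Mandatory)][string]$Secret)
    return ($Secret -match '^[A-Za-z0-9]' -and $Secret -match '[A-Za-z0-9]$')
}
if (-not (Test-MerakiPsk -Secret $Psk)) {
    throw 'PSK begins or ends with a special character; Meraki recommends against this.'
}

# 'Default' follows the Meraki documentation quoted in the thread (3DES/SHA1
# for Phase 1, AES128 or 3DES with SHA1 for Phase 2). The Phase 1 DH group is
# not stated in the thread; Group2 is an assumption. 'Hardened' is the
# AES128-CBC + SHA256 + DH group 14 set suggested above. The MX only accepts
# it after support has changed the client VPN IPsec parameters, and every
# Windows client must then be moved to it or it will stop connecting.
$CryptoProfiles = @{
    Default = @{
        EncryptionMethod                 = 'DES3'       # Phase 1 cipher
        IntegrityCheckMethod             = 'SHA196'     # Phase 1 integrity (SHA1)
        DHGroup                          = 'Group2'     # assumption
        CipherTransformConstants         = 'AES128'     # Phase 2 ESP cipher
        AuthenticationTransformConstants = 'SHA196'     # Phase 2 ESP integrity (SHA1)
        PfsGroup                         = 'None'
    }
    Hardened = @{
        EncryptionMethod                 = 'AES128'
        IntegrityCheckMethod             = 'SHA256'
        DHGroup                          = 'Group14'
        CipherTransformConstants         = 'AES128'
        AuthenticationTransformConstants = 'SHA256128'
        PfsGroup                         = 'None'
    }
}

function Set-L2tpProfile {
    param([Parameter(Mandatory)][ValidateSet('Default', 'Hardened')][string]$Profile)
    $p = $CryptoProfiles[$Profile]

    # Recreate the connection idempotently so a re-run is safe.
    if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $ConnectionName -Force
    }
    # EncryptionLevel here refers to PPP-level MPPE, which PAP cannot key;
    # the tunnel's confidentiality comes from the IPsec SA pinned below.
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
        -TunnelType L2tp -L2tpPsk $Psk -AuthenticationMethod $AuthMethod `
        -EncryptionLevel Optional -RememberCredential -Force

    # Pin the IKE (Phase 1) and ESP (Phase 2) proposal. Without this Windows
    # negotiates its own defaults, which is why the MX and every client must
    # be changed together.
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        -EncryptionMethod $p.EncryptionMethod `
        -IntegrityCheckMethod $p.IntegrityCheckMethod `
        -DHGroup $p.DHGroup `
        -CipherTransformConstants $p.CipherTransformConstants `
        -AuthenticationTransformConstants $p.AuthenticationTransformConstants `
        -PfsGroup $p.PfsGroup -Force
}

# Read back what the client will actually propose. Compare this against the
# parameters support confirms on the MX before rolling the change out.
function Get-L2tpProposal {
    (Get-VpnConnection -Name $ConnectionName).IPsecCustomPolicy |
        Select-Object EncryptionMethod, IntegrityCheckMethod, DHGroup,
                      CipherTransformConstants, AuthenticationTransformConstants, PfsGroup
}

# Stage: build the hardened profile on a test machine, then show the proposal.
Set-L2tpProfile -Profile Hardened
Get-L2tpProposal
```

Until support has changed the MX, `Set-L2tpProfile -Profile Default` is the profile that keeps Windows users connecting; the two profiles differ only in the hashtable, so the cut-over for existing clients is a re-run of the script with the other profile name after the MX side is confirmed changed.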

Thanks so much.  Will ask if we can test this on our UAT site but this sounds promising.  Your instructions are clear and helpful.  Will run this by colleague and plan/schedule/test the change.
