Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Just browsing

Hi,

I'm implementing Meraki client VPN atm and all is working fine. I'm currently in the end stage, where I need to deploy the VPN config to the end-user laptops running Windows 10. I've tried a few methods, but all have their downsides:

- GPO-Network option: not able to deploy the IPsec pre-shared key or configure split-tunnel options.

- CMAK: Even though UserNameSuffix=domain.tld and UserName=%username% are set in the config files, the VPN client doesn't use domain credentials by default and the user is required to enter them, as opposed to the GPO-Network option, where the connection automatically uses the domain credentials of the logged-in user. Also, the client wants to dial in through PSTN by default even though Dialup=1, Direct=1, ConnectionType=1 are set in the config files (this can be manually fixed to force a permanent connection though).

- GPO-PowerShell: unable to deploy with the required Meraki settings, as the script produces the following error:

"The current encryption selection requires EAP or MS-CHAPv2 logon security methods."

Script:

Add-VpnConnection -Name "VPN" -ServerAddress "xxx.xxx.xxx.xxx" -TunnelType "L2tp" -EncryptionLevel "Required" -AuthenticationMethod Pap -UseWinlogonCredential -SplitTunneling -AllUserConnection -RememberCredential -PassThru

Of course, I'm able to manually tweak some settings on the user end to make it work, but I would like to do it automated since we have a lot of laptops.

Anyone else found a better approach?

Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Despite the error, the GPO PowerShell method does work. It is not possible to change the PowerShell command to avoid the error.

I have some more info here:

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

Just browsing

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

"-EncryptionLevel Optional": company-policy-wise, that's not an option for us, and it is also not in line with what Meraki tells us to configure (Require encryption).
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Let's clear that up straight away.

First of all, an IPsec connection is brought up. Everything that goes over this is encrypted. L2TP is run over this IPsec connection.

100% of everything sent is encrypted.

Getting noticed

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

I have downplayed this post and am using CMAK now, because NO local admin is required as long as you don't use the routing table. These scripts do work, but I ended up deploying an installer via CMAK.

2 scripts: use GPO to create a logon PowerShell script; the first script launches the second.

I found this method will not prompt UAC, and it even remembers the login after the first connection.

The initial destination is the client VPN pool; the second is how I route traffic back to on-prem from Azure.

Clientvpn1.ps1

powershell -ExecutionPolicy ByPass -File '\\path\to\where\second\script\is\Clientvpn2.ps1'

Clientvpn2.ps1

# Connection details (placeholder values as posted)
$ServerAddress = "vpnaddress.mydomain.com"
$ConnectionName = "Meraki Secure Client VPN"
$PresharedKey = "putyoursecrethere"
# Prefixes that are reached through the tunnel (split tunnel)
$Destination = "10.0.2.0/24"
$Destination2 = "172.27.26.0/23"
# Per-user connection (no -AllUserConnection), so no elevation/UAC prompt is needed
Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -DnsSuffix "mydnssuffix.com" -TunnelType L2tp -L2tpPsk "$PresharedKey" -AuthenticationMethod Pap -Force
Set-VpnConnection -Name "$ConnectionName" -SplitTunneling $True -RememberCredential $True -Force
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination2

Getting noticed

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

We use the PowerShell method, but just to note that sometimes Windows 10 updates will cause the settings to get reset, and you will need to be able to re-push and run the script.
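
As an added example (not code from this thread), a variant of the logon script posted above that is safe to run at every logon: it inspects the existing connection with Get-VpnConnection and only rebuilds it when it is missing or has drifted, which covers the reset-after-update case. The server name, route prefixes and PSK are placeholders.

```powershell
# Added example: idempotent per-user L2TP/IPsec setup for a GPO logon script.
# Placeholders: $ServerAddress, $PresharedKey and $Routes are not real values.
$ConnectionName = "Meraki Secure Client VPN"
$ServerAddress  = "vpn.example.com"                    # placeholder
$PresharedKey   = "REPLACE-WITH-PSK"                   # placeholder; anyone who can read this file can read the PSK
$Routes         = @("10.0.2.0/24", "172.27.26.0/23")   # constructed sample prefixes

function Test-VpnConnectionMatches {
    # Returns $true only if the connection exists and carries every expected setting and route.
    param([string]$Name, [string]$Server, [string[]]$ExpectedRoutes)
    $vpn = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    if (-not $vpn)                                     { return $false }
    if ($vpn.ServerAddress -ne $Server)                { return $false }
    if ($vpn.TunnelType -ne "L2tp")                    { return $false }
    if ($vpn.AuthenticationMethod -notcontains "Pap")  { return $false }
    if (-not $vpn.SplitTunneling)                      { return $false }
    if (-not $vpn.RememberCredential)                  { return $false }
    $present = @($vpn.Routes | ForEach-Object { $_.DestinationPrefix })
    foreach ($r in $ExpectedRoutes) {
        if ($present -notcontains $r) { return $false }
    }
    return $true
}

if (Test-VpnConnectionMatches -Name $ConnectionName -Server $ServerAddress -ExpectedRoutes $Routes) {
    Write-Output "VPN connection '$ConnectionName' already matches the expected settings"
} else {
    # Drop whatever is left (e.g. after a Windows update reset it) and rebuild from scratch.
    Remove-VpnConnection -Name $ConnectionName -Force -ErrorAction SilentlyContinue
    # Per-user connection (no -AllUserConnection), so no elevation/UAC prompt is needed.
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
        -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap `
        -SplitTunneling -RememberCredential -Force
    foreach ($r in $Routes) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $r
    }
    Write-Output "VPN connection '$ConnectionName' (re)created"
}
```

Because the check runs before any change, the script can be assigned as a standing logon script without re-creating the connection on every logon.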

Getting noticed

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Now that I have 3 MXs deployed (hub mesh), I have found that using CMAK for a Windows VPN installer seems to work just fine. I don't have to deal with routes, and users don't need administrator access on the device to install.

Users that dial in to client VPN on my main Hub have access to all the other Hubs in the Mesh.

Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

CMAK creates a bunch of files. How do you distribute those to users? Zip them up?

Getting noticed

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

I thought the same thing, but those are just source files for when you build or modify the .exe. So you just distribute the Filename.exe file. What I did is put the file on an internal web site and just gave out the URL:

URL of web site /vpn.exe file


You just need the one file. It can be customized with company logos so it's not so generic.

Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

I see it is available (CMAK) under "Manage Optional Features" in Windows 10. I think I'll take another look at this tool. Thanks for the tip.
