Implementing Meraki client VPN atm and all is working fine. Currently in the end stage where I need to deploy the VPN config to the end user laptops running Windows 10. I've tried a few methods but all have their downsides:
- GPO-Network option: not able to deploy IPsec pre shared key or configure split tunnel options.
- CMAK: Even though UserNameSuffix=domain.tld and UserName=%username% are set in the config files, the VPN client doesn't use domain credentials by default and the user is required to enter them, as opposed to the GPO-Network option where the connection automatically uses the domain credentials of the logged-in user. Also, the client wants to dial in through PSTN by default even though Dialup=1, Direct=1, ConnectionType=1 is set in the config files (can be manually fixed to force a permanent connection though).
- GPO-Powershell: unable to deploy with required Meraki settings as the script produces the following error:
"The current encryption selection requires EAP or MS-CHAPv2 logon security methods."
Add-VpnConnection -Name "VPN" -ServerAddress "xxx.xxx.xxx.xxx" -TunnelType "L2tp" -EncryptionLevel "Required" -AuthenticationMethod Pap -UseWinlogonCredential -SplitTunneling -AllUserConnection -RememberCredential -PassThru
Of course, I'm able to manually tweak some settings on the user end to make it work, but I would like to do it automated since we have a lot of laptops.
Anyone else found a better approach?
Despite the error - the GPO Powershell method does work. It is not possible to change the Powershell command to avoid the error.
I have some more info here:
Let's clear that up straight away.
First of all an IPsec connection is brought up. Everything that goes over this is encrypted. L2TP is run over this IPsec connection.
100% of everything sent is encrypted.
I have downplayed this post and am using CMAK now because NO local admin is required as long as you don't use the routing table. These scripts do work, but I ended up deploying an installer via CMAK.
Two scripts use GPO to make a logon PowerShell script; the first script launches the second.
I found this method will not prompt UAC, and it even remembers the login after the first connection.
The initial destination is the client VPN pool; the second is how I route traffic back to on-prem from Azure.
powershell -ExecutionPolicy ByPass -File '\\path\to\where\second\script\is\Clientvpn2.ps1'
$ServerAddress = "vpnaddress.mydomain.com"
$ConnectionName = "Meraki Secure Client VPN"
$PresharedKey = "putyoursecrethere"
$Destination = "10.0.2.0/24"
$Destination2 = "172.27.26.0/23"
Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -DnsSuffix "mydnssuffix.com" -TunnelType L2tp -L2tpPsk "$PresharedKey" -AuthenticationMethod Pap -Force
Set-VpnConnection -Name "$ConnectionName" -SplitTunneling $True -RememberCredential $True -Force
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination2
We use the powershell method, but just to note that sometimes Windows 10 updates will cause the settings to get reset and you will need to be able to repush and run the script.
Now that I have 3 MXs deployed (Hub Mesh), I have found that using CMAK for a Windows VPN installer seems to work just fine. I don't have to deal with routes, and users don't need Administrator access on the device to install.
Users that dial in to client VPN on my main Hub have access to all the other Hubs in the Mesh.
CMAK creates a bunch of files. How do you distribute those to users? Zip them up?
I thought the same thing, but those are just source files for when you build or modify the .exe, so you just distribute the Filename.exe file. What I did is put the file on an internal web site and just gave out the URL:
URL of web site /vpn.exe file
You just need the one file. You can customize it with company logos so it's not so generic.
I see it is available (CMAK) under "Manage Optional Features" in Windows 10. I think I'll take another look at this tool. Thanks for the tip.
Moving 100 local users from an ASA onto their new Meraki Client VPN connected to their AD...
I want to put this into a login script so when the user logs in the new Meraki Client VPN gets created automatically on lots of computers.
Tell me what you think.
$sharedkey = "The PSK here"
$VPNConnectName1 = "Click Here for VPN"
$ServerAddress1 = "Public IP of the MX"
# Second connection: these two variables were missing from the script as posted; placeholder values added
$VPNConnectName2 = "Click Here for VPN 2"
$ServerAddress2 = "Public IP of the second MX"
$TunnelType = 'L2tp'
$AuthMethod = @('MSChapv2','Pap')
# 'Required' rejects PAP ("requires EAP or MS-CHAPv2"), so Optional is what the commands below actually use
$EncryptionLevel = 'Optional'
$RememberCredential = $true
$SplitTunnel = $true
# Was undefined in the script as posted; 0 = never disconnect an idle connection
$IdleDisconnect = 0
#Cisco Needs This Registry Entry To Work Properly (L2TP/IPsec NAT traversal)
$RegistryPath = "HKLM:\System\CurrentControlSet\Services\PolicyAgent"
$RegName = 'AssumeUDPEncapsulationContextOnSendRule'
$Regvalue = 2
New-ItemProperty -Path $RegistryPath -Name $RegName -Value $Regvalue -PropertyType DWORD -Force
#Create VPN Connections
Add-VpnConnection -Name $VPNConnectName1 -ServerAddress $ServerAddress1 -TunnelType $TunnelType -AllUserConnection -AuthenticationMethod $AuthMethod -EncryptionLevel $EncryptionLevel -L2tpPsk $sharedkey -Force
Add-VpnConnection -Name $VPNConnectName2 -ServerAddress $ServerAddress2 -TunnelType $TunnelType -AllUserConnection -AuthenticationMethod $AuthMethod -EncryptionLevel $EncryptionLevel -L2tpPsk $sharedkey -Force
Start-Sleep -Milliseconds 100
#Set Additional Settings
Set-VpnConnection -AllUserConnection -Name $VPNConnectName1 -SplitTunneling $SplitTunnel -RememberCredential $RememberCredential -IdleDisconnectSeconds $IdleDisconnect
Set-VpnConnection -AllUserConnection -Name $VPNConnectName2 -SplitTunneling $SplitTunnel -RememberCredential $RememberCredential -IdleDisconnectSeconds $IdleDisconnect
#Restart computer to load the Cisco Regkey you just updated.
Read-Host -Prompt "Press Enter To Restart Computer"
Restart-Computer
PowerShell scripts for Windows 10 VPN? Sure, I do it all the time, across hundreds of endpoints now.
My script is a little different from the one in this thread. I modify the rasphone phonebook so the client VPN won't try to use the VPN credentials to access server resources.
I'm gonna go add that reboot reminder to mine now...
My solution for Windows 7 is update your machines to Windows 10 right this second, because a) Windows 7 doesn't have the necessary PowerShell cmdlets, and b) Windows 7 goes end of support on Jan 14, 2020.
So you are specifying a connection 2, but you don't list the variable in the script. Was this intentional?
I would also recommend you add something to set VPN adapter metric lower than your local adapters. This will help with DNS resolution so that it will always try and resolve through VPN adapter first.
Based on what I see I am guessing this should do it:
# $PbkPath was undefined as posted; this is the all-user phonebook (per-user connections live under $env:APPDATA instead)
$PbkPath = "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
# Note: this rewrites the metric for every connection in the phonebook, not only the Meraki one
(Get-Content -Path $PbkPath -Raw) -Replace 'IpInterfaceMetric=0','IpInterfaceMetric=10' | Set-Content -Path $PbkPath
Another recommendation is to set your MX to a subnet that is non-standard compared with consumer routers. We found issues with this mostly on Mac: when they used client VPN and their home router was in the same subnet as the MX LAN, it defaulted to resolving locally. It's not a huge deal, but I would say better safe than sorry.
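As an added example (not code from anyone in this thread), here is one script that combines the pieces discussed above: the NAT-traversal registry value, an all-user L2TP/PAP connection with Optional encryption, and a phonebook edit scoped to the Meraki entry only, so it does not rewrite every IpInterfaceMetric line in rasphone.pbk, and which also sets UseRasCredentials=0 so the VPN logon is not reused for server access. The server name, PSK and route are placeholders; it must run elevated.

```powershell
# Added example, not code from anyone in this thread. Placeholders: server name, PSK, route.
param(
    [string]$ConnectionName = "Meraki Client VPN",
    [string]$ServerAddress  = "vpn.example.com",     # placeholder
    [string]$PresharedKey   = "REPLACE-WITH-PSK",    # placeholder
    [string[]]$Routes       = @("10.0.2.0/24"),      # placeholder split-tunnel routes
    [int]$InterfaceMetric   = 10
)

# L2TP/IPsec from behind NAT needs this DWORD; it is read at boot, so a reboot is still required.
$reg = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
New-ItemProperty -Path $reg -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -PropertyType DWORD -Force | Out-Null

# Meraki client VPN is PAP inside the IPsec tunnel, so EncryptionLevel must be Optional:
# Required rejects PAP with "requires EAP or MS-CHAPv2". Recreate the entry so reruns are idempotent.
if (Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -AllUserConnection -Force
}
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType L2tp `
    -L2tpPsk $PresharedKey -AuthenticationMethod Pap -EncryptionLevel Optional `
    -AllUserConnection -SplitTunneling -RememberCredential -Force
foreach ($r in $Routes) {
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $r -AllUserConnection
}

# The cmdlets write the all-user phonebook; edit only this connection's [section] afterwards.
# UseRasCredentials=0 stops Windows reusing the VPN logon for SMB and other server access;
# IpInterfaceMetric=10 beats the default metric so DNS is tried over the tunnel first.
$pbk = Join-Path $env:ProgramData "Microsoft\Network\Connections\Pbk\rasphone.pbk"
$inSection = $false
$edited = foreach ($line in (Get-Content -Path $pbk)) {
    if ($line -match '^\[(.*)\]$') { $inSection = ($Matches[1] -eq $ConnectionName) }
    if ($inSection -and $line -match '^IpInterfaceMetric=') { "IpInterfaceMetric=$InterfaceMetric" }
    elseif ($inSection -and $line -match '^UseRasCredentials=') { "UseRasCredentials=0" }
    else { $line }
}
Set-Content -Path $pbk -Value $edited
```

Run it again after a feature update that resets the connection, as mentioned earlier in the thread; the Remove/Add pair makes that safe.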
What @SoCalRacer said. Whenever possible, re-IP your work network so it's not 192.168.0.0/24 or 192.168.1.0/24. Avoids a lot of overlap, including third party tunnels to other people who use these subnets.
I've got a client who is stuck using an ASA solely because their location and Corporate both use 192.168.1.0/24, so they need VPN NAT.