Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

mmzzaq
Here to help

Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Hi,

 

Implementing Meraki client VPN at the moment and all is working fine. Currently in the end stage where I need to deploy the VPN config to the end user laptops running Windows 10. I've tried a few methods but all have their downsides:

- GPO-Network option: not able to deploy IPsec pre shared key or configure split tunnel options.

- CMAK: Even though UserNameSuffix=domain.tld and UserName=%username% are set in the config files, the VPN client doesn't use domain credentials by default and the user is required to enter them, as opposed to the GPO-Network option where the connection automatically uses the domain credentials of the logged-in user. Also the client wants to dial in through PSTN by default even though Dialup=1, Direct=1, ConnectionType=1 are set in the config files (this can be manually fixed to force a permanent connection though).

- GPO-Powershell: unable to deploy with required Meraki settings as the script produces the following error:

"The current encryption selection requires EAP or MS-CHAPv2 logon security methods."

Script:

Add-VpnConnection -Name "VPN" -ServerAddress "xxx.xxx.xxx.xxx" -TunnelType "L2tp" -EncryptionLevel "Required" -AuthenticationMethod Pap -UseWinlogonCredential -SplitTunneling -AllUserConnection -RememberCredential -PassThru

Of course, I'm able to manually tweak some settings on the user end to make it work, but I would like to do it automated since we have a lot of laptops.

Anyone else found a better approach?

PhilipDAth
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Despite the error - the GPO Powershell method does work.  It is not possible to change the Powershell command to avoid the error.

 

I have some more info here:

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

mmzzaq
Here to help

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

"-EncryptionLevel Optional" Company policy wise that's not an option for us and also not in line with what Meraki tells us to configure (Require encryption).
PhilipDAth
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Let's clear that up straight away.

First of all an IPsec connection is brought up. Everything that goes over this is encrypted. L2TP is run over this IPsec connection.

100% of everything sent is encrypted.

Dudleydogg
Getting noticed

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

I have downplayed this post and am using CMAK now, since NO local admin is required as long as you don't use the routing table. These scripts do work, but I ended up deploying an installer via CMAK.

Two scripts: use GPO to make a logon PowerShell script; the first script launches the second.

I found this method will not prompt UAC and it even remembers the login after the first connection.

The initial destination is the client VPN pool; the second is how I route traffic back to on-prem from Azure.

 

 

Clientvpn1.ps1

# Launcher: runs the second script from the share with the execution policy bypassed for this process only.
powershell -ExecutionPolicy ByPass -File '\\path\to\where\second\script\is\Clientvpn2.ps1'

Clientvpn2.ps1

$ServerAddress = "vpnaddress.mydomain.com"
$ConnectionName = "Meraki Secure Client VPN"
$PresharedKey = "putyoursecrethere"
$Destination = "10.0.2.0/24"        # client VPN pool
$Destination2 = "172.27.26.0/23"    # on-prem network reached from Azure
# Create the L2TP/IPsec connection in the current user's phonebook (no -AllUserConnection, so no admin rights needed)
Add-VpnConnection -Name "$ConnectionName" -ServerAddress "$ServerAddress" -DnsSuffix "mydnssuffix.com" -TunnelType L2tp -L2tpPsk "$PresharedKey" -AuthenticationMethod Pap -Force
Set-VpnConnection -Name "$ConnectionName" -SplitTunneling $True -RememberCredential $True -Force
# With split tunneling on, only these prefixes go through the tunnel
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination2

SoCalRacer
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

We use the powershell method, but just to note that sometimes Windows 10 updates will cause the settings to get reset and you will need to be able to repush and run the script.

Dudleydogg
Getting noticed

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Now that I have 3 MX's deployed (Hub Mesh) I have found that using CMAK for a Windows VPN installer seems to work just fine.  I don't have to deal with routes and users don't need Administrator access on device to Install.

Users that dial in to client VPN on my main Hub have access to all the other Hubs in the Mesh.

 

PhilipDAth
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

CMAK creates a bunch of files.  How do you distribute those to users?  Zip them up?

Dudleydogg
Getting noticed

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

I thought the same thing, but those are just source files for when you build or modify the .exe. So you just distribute the Filename.exe file. What I did is put the file on an internal web site and just gave out the URL:

URL of web site /vpn.exe file

Just need the one file. Can customize with company logos so it's not so generic.


PhilipDAth
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

I see it is available (CMAK) under "Manage Optional Features" in Windows 10.  I think I'll take another look at this tool.  Thanks for the tip.

ASA-FTD
Getting noticed

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

September 2019

Moving 100 local users from an ASA onto their new Meraki Client VPN connected to their AD...

I want to put this into a login script so when the user logs in the new Meraki Client VPN gets created automatically on lots of computers.

 

Tell me what you think

 

 

 

$sharedkey = "The PSK here"
$VPNConnectName1 = "Click Here for VPN"
$ServerAddress1 = "Public IP of the MX"
# Second connection: placeholders so the script runs as written; set both to the second MX or delete the *2 lines below
$VPNConnectName2 = "Click Here for VPN 2"
$ServerAddress2 = "Public IP of the second MX"
$TunnelType = 'L2tp'
$AuthMethod = @('MSChapv2','Pap')
$EncryptionLevel = 'Optional'   # 'Required' combined with Pap makes Add-VpnConnection throw the EAP/MS-CHAPv2 error quoted at the top of the thread
$RememberCredential = $true
$SplitTunnel = $true
$IdleDisconnect = 0             # seconds of idle time before disconnect; 0 = disabled
#Cisco Needs This Registry Entry To Work Properly (L2TP/IPsec client behind NAT)
$RegistryPath = "HKLM:\System\CurrentControlSet\Services\PolicyAgent"
$RegName = 'AssumeUDPEncapsulationContextOnSendRule'
$Regvalue = 2
New-ItemProperty -Path $RegistryPath -Name $RegName -Value $Regvalue -PropertyType DWORD -Force | Out-Null

#Create VPN Connections
Add-VpnConnection -Name $VPNConnectName1 -ServerAddress $ServerAddress1 -TunnelType $TunnelType -AllUserConnection -AuthenticationMethod $AuthMethod -EncryptionLevel $EncryptionLevel -L2tpPsk $sharedkey -Force
Add-VpnConnection -Name $VPNConnectName2 -ServerAddress $ServerAddress2 -TunnelType $TunnelType -AllUserConnection -AuthenticationMethod $AuthMethod -EncryptionLevel $EncryptionLevel -L2tpPsk $sharedkey -Force
Start-Sleep -Milliseconds 100

#Set Additional Settings
Set-VpnConnection -AllUserConnection -Name $VPNConnectName1 -SplitTunneling $SplitTunnel -RememberCredential $RememberCredential -IdleDisconnectSeconds $IdleDisconnect
Set-VpnConnection -AllUserConnection -Name $VPNConnectName2 -SplitTunneling $SplitTunnel -RememberCredential $RememberCredential -IdleDisconnectSeconds $IdleDisconnect

#Restart computer to load the Cisco Regkey you just updated.
Read-Host -Prompt "Press Enter To Restart Computer"
Restart-Computer -Force

-----
David Burgess
CCNP R&S, Security,
CCNA Wireless, MCNA, ECMS1
Dyrstran
Conversationalist

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Did this work?

Nash
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

PowerShell scripts for Windows 10 VPN? Sure, I do it all the time, across hundreds of endpoints now. 

 

My script is a little different from the one in this thread. I modify the rasphone phonebook so the client VPN won't try to use the VPN credentials to access server resources.

 

I'm gonna go add that reboot reminder to mine now...

Dyrstran
Conversationalist

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Wow, that works, thanks!
Do you have any solutions for Win 7? 🙂
Nash
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

My solution for Windows 7 is update your machines to Windows 10 right this second, because a) Windows 7 doesn't have the necessary PowerShell cmdlets, and b) Windows 7 goes end of support on Jan 14, 2020. 

Dudleydogg
Getting noticed

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

So you are specifying a connection 2, but you don't list the variable in the script. Was this intentional?

T-800
Here to help

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Great thread. 

 

I would also recommend you add something to set VPN adapter metric lower than your local adapters. This will help with DNS resolution so that it will always try and resolve through VPN adapter first. 

 

Based on what I see I am guessing this should do it:

 

$PbkPath = "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"   # all-user phonebook; per-user connections live under $env:APPDATA instead
(Get-Content -Path $PbkPath -Raw) -Replace 'IpInterfaceMetric=0','IpInterfaceMetric=10' | Set-Content -Path $PbkPath

 

-T800
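Both Nash's phonebook change and T-800's metric tweak are edits to rasphone.pbk, and a whole-file string replace like the one-liner above rewrites every IpInterfaceMetric=0 in the phonebook, including entries for other connections. The script below is an added example, not code from this thread or from Meraki: it edits only the named connection's [section], setting IpInterfaceMetric and UseRasCredentials=0 (so the VPN credentials are not reused for SMB/server access) and appending either key if the section lacks it. The connection name, the metric value and the phonebook path under ProgramData (APPDATA with -PerUser) are assumptions.

```powershell
# Added example, not code from the thread: enforce per-connection phonebook settings
# inside the named [section] of rasphone.pbk instead of replacing strings file-wide.
# Assumptions: connection name/metric are placeholders; the all-user phonebook lives
# under ProgramData (per-user phonebooks under APPDATA); the file is written back with
# Set-Content's default encoding, as in the one-liner posted above.
param(
    [string]$ConnectionName = 'Meraki Secure Client VPN',
    [int]$InterfaceMetric   = 10,
    [switch]$PerUser
)

$PbkPath = if ($PerUser) {
    Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'
} else {
    Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
}
if (-not (Test-Path $PbkPath)) { throw "Phonebook not found: $PbkPath" }

# Keys to enforce in the target section only.
$Wanted = [ordered]@{
    'IpInterfaceMetric' = "$InterfaceMetric"  # low metric: DNS and routes prefer the tunnel
    'UseRasCredentials' = '0'                 # do not reuse VPN credentials for server (SMB) access
}

$out      = New-Object System.Collections.Generic.List[string]
$inTarget = $false
$found    = $false
$seen     = @{}

function Add-MissingKeys {
    # Append any wanted key the target section did not already contain.
    foreach ($k in $Wanted.Keys) {
        if (-not $seen.ContainsKey($k)) { $out.Add("$k=$($Wanted[$k])") }
    }
}

foreach ($line in (Get-Content -Path $PbkPath)) {
    if ($line -match '^\[(.+)\]\s*$') {
        if ($inTarget) { Add-MissingKeys }            # leaving the target section
        $inTarget = ($Matches[1] -eq $ConnectionName)
        if ($inTarget) { $found = $true }
        $out.Add($line)
        continue
    }
    if ($inTarget -and $line -match '^([^=]+)=(.*)$' -and $Wanted.Contains($Matches[1])) {
        $key = $Matches[1]
        $seen[$key] = $true
        $out.Add("$key=$($Wanted[$key])")          # overwrite the existing value in place
    } else {
        $out.Add($line)
    }
}
if ($inTarget) { Add-MissingKeys }                    # target section was the last one in the file

if (-not $found) { throw "Connection '$ConnectionName' not found in $PbkPath" }

Copy-Item -Path $PbkPath -Destination "$PbkPath.bak" -Force   # keep a backup of the phonebook
Set-Content -Path $PbkPath -Value $out
```

Run it after Add-VpnConnection and Set-VpnConnection, since those cmdlets rewrite the connection's phonebook entry and can undo a hand edit; the -PerUser switch targets the current user's phonebook for connections created without -AllUserConnection.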

 

 

 

SoCalRacer
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

Another recommendation is to set your MX to a non-standard subnet, different from consumer routers. We found issues with this mostly on Mac: when they used client VPN and their home router was in the same subnet as the MX LAN, it defaulted to resolving locally. It's not a huge deal, but I would say better safe than sorry.

Nash
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

What @SoCalRacer said. Whenever possible, re-IP your work network so it's not 192.168.0.0/24 or 192.168.1.0/24. Avoids a lot of overlap, including third party tunnels to other people who use these subnets.

 

I've got a client who is stuck using an ASA solely because their location and Corporate both use 192.168.1.0/24, so they need VPN NAT.
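The overlap SoCalRacer and Nash describe is easy to detect on the client before anyone opens a ticket: compare the prefixes the VPN will carry against the subnets the laptop is already attached to. The script below is an added example, not code from this thread or from Meraki; it is IPv4-only, the connection name is assumed, and the sample prefixes are constructed for the illustration.

```powershell
# Added example, not code from the thread: flag VPN prefixes that overlap a subnet the
# laptop already sits on (the home-router 192.168.x.0/24 clash described above).
# Assumptions: IPv4 only; connection name and sample prefixes are placeholders.
function ConvertTo-UInt32Address([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                               # network order -> little-endian for ToUInt32
    [BitConverter]::ToUInt32($b, 0)
}

function Test-PrefixOverlap([string]$PrefixA, [string]$PrefixB) {
    $ipA, $lenA = $PrefixA -split '/'
    $ipB, $lenB = $PrefixB -split '/'
    # Two prefixes overlap iff they agree on every bit covered by the shorter mask.
    $len  = [math]::Min([int]$lenA, [int]$lenB)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $len))
    ((ConvertTo-UInt32Address $ipA) -band $mask) -eq ((ConvertTo-UInt32Address $ipB) -band $mask)
}

function Get-VpnSubnetOverlap {
    param(
        [string[]]$VpnPrefixes,
        # Default: every non-loopback, non-APIPA IPv4 address currently on the machine.
        [string[]]$LocalPrefixes = (Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
            ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" })
    )
    foreach ($v in $VpnPrefixes) {
        foreach ($l in $LocalPrefixes) {
            if (Test-PrefixOverlap $v $l) {
                [pscustomobject]@{ VpnPrefix = $v; LocalPrefix = $l }
            }
        }
    }
}

# Constructed input: laptop on a typical home LAN, VPN carrying a 192.168.1.0/24 office subnet.
# Expected: one hit, 192.168.1.0/24 against 192.168.1.20/24; 10.0.2.0/24 is clean.
Get-VpnSubnetOverlap -VpnPrefixes '192.168.1.0/24', '10.0.2.0/24' -LocalPrefixes '192.168.1.20/24'

# Live check against the routes actually pushed to a named (assumed) connection:
# Get-VpnSubnetOverlap -VpnPrefixes (Get-VpnConnectionRoute -ConnectionName 'Meraki Secure Client VPN').DestinationPrefix
```

Any row returned means traffic for that VPN prefix will compete with a directly connected route on the laptop; re-IPing the office side, as suggested above, is the fix, and the check is a cheap way to find the affected users first.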

Mohammad
Here to help

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

@PhilipDAth 

 

I'm using the PowerShell script shared by you and it is working perfectly fine for my requirement.

 

Just need a little tweak.

 

Can we include a check in the script so that if the same client VPN is already installed, it skips the installation?

 

What happens is, when I push the script to all computers, whoever has already installed the client VPN gets disconnected from the VPN and the script reinstalls it again on the same computer.

 

I need to put a check in the script so that if the same VPN is already installed on a client, it skips the installation on that endpoint and continues with the other endpoints that do not have the same client VPN installed.

 

Please suggest something; I don't have much exposure to PowerShell.
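Mohammad's request (don't recreate, and don't disconnect, a connection that is already there) and the unconditional registry write plus forced reboot in ASA-FTD's script above are the same problem: the deployment script is not idempotent. The script below is an added example, not code from this thread or from Meraki. It creates the connection only when Get-VpnConnection does not find it, writes the NAT-T registry value only when it differs from the wanted value, and reports a pending reboot through exit code 3010 instead of rebooting from a logon script. The connection name, server address and PSK are placeholders; -EncryptionLevel is left unspecified to avoid the Required/PAP error discussed at the top of the thread.

```powershell
# Added example, not code from the thread: idempotent Meraki client VPN deployment.
# Assumptions: connection name, server address and PSK are placeholders; the script runs
# elevated (HKLM write, -AllUserConnection), e.g. as a computer startup script or as SYSTEM.
param(
    [string]$ConnectionName = 'Click Here for VPN',
    [string]$ServerAddress  = 'vpn.example.com',   # placeholder: MX public IP or DDNS name
    [string]$PresharedKey   = 'replace-me'         # placeholder: supply from your deployment tool
)

$NeedsReboot = $false

# 1. NAT-T registry value for L2TP/IPsec clients behind NAT: write only if it actually changes.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$RegName = 'AssumeUDPEncapsulationContextOnSendRule'
$current = (Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue).$RegName
if ($current -ne 2) {
    New-ItemProperty -Path $RegPath -Name $RegName -Value 2 -PropertyType DWORD -Force | Out-Null
    $NeedsReboot = $true                           # the value is picked up when the IPsec service starts
}

# 2. Skip machines that already have the connection, so a re-push never drops a live tunnel.
$existing = Get-VpnConnection -AllUserConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "'$ConnectionName' already exists (status: $($existing.ConnectionStatus)); skipping."
} else {
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType L2tp `
        -L2tpPsk $PresharedKey -AuthenticationMethod Pap -AllUserConnection `
        -RememberCredential -SplitTunneling -Force
    Write-Output "Created '$ConnectionName'."
}

# 3. Let the deployment tool schedule the reboot: 3010 is the conventional "soft reboot" code.
if ($NeedsReboot) {
    Write-Output 'Registry changed: a reboot is required before the NAT-T setting takes effect.'
    exit 3010
}
exit 0
```

Two things to keep in mind: the PSK sits in clear text in any script a user's logon can read, so restrict the share or package it through a tool that stores it as a protected parameter; and a change to the connection's settings (server address, routes) is not handled by the existence check, so version the script or compare the properties of the existing connection before deciding to skip.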

cwal21
Here to help

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

@Nash Thanks for sharing this, deployable via GPO or Meraki MDM?

cwal21
Here to help

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

https://www.reddit.com/r/meraki/comments/c0ht6m/meraki_vpn_through_intune/

We're experiencing the same situation the user referenced in link above is.

"Hi,

Has anyone figured a way to enable Meraki VPN on Intune-joined devices?

I'm not sure how to get the EAP Xml parameter..

 

Meraki MDM also fails to load VPN parameters as it requires a Windows profile (apart from the Meraki Agent).. Apparently, you cannot have two MDM profiles on Windows 10.

There's also the issue of authentication. Meraki does not support Azure Active Directory."

 

I've tried deploying the VPN using System Manager (Meraki MDM) to no avail due to requiring Windows Profile and we cannot accomplish this due to enrollment with Exchange Online/MS365 Intune.

 

I've tried configuring the deployment via MS Intune due to the SM limitation but it requires the use of EAP XML which our Meraki VPN relies on L2TP/PSK with AD User Authentication over Radius. We will be using this for MFA and so far so good there.

 

Anyone have any feedback or suggestions?

 

 

 

 

PhilipDAth
Kind of a big deal

Re: Best practice to deploy Meraki client VPN to laptops? All methods seem to have downsides.

>Apparently, you cannot have two MDM profiles on Windows 10.

 

That is correct.

 

>There's also the issue of authentication. Meraki does not support Azure Active Directory."

 

We are 100% AzureAD joined, and use Azure authentication without issue.  Here are the setup instructions.

https://documentation.meraki.com/SM/Device_Enrollment/SM_Enrollment_Authentication#Azure_Active_Dire... 

 

>I've tried deploying the VPN using System Manager (Meraki MDM) to no avail due to requiring Windows Profile and we cannot accomplish this due to enrollment with Exchange Online/MS365 Intune.

 

I've written a tool to generate a powershell script to create VPN connections.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

You could configure either to download and run the script as SYSTEM and create the VPN.

If you look at the script closer you'll notice it actually builds the XML for the VPN connection.  You could modify it slightly to print out the final XML, and perhaps you could use that.
