Can I use Cisco AnyConnect with Meraki Client VPN?

jamie1972
New here

Can I use Cisco AnyConnect with Meraki Client VPN?

Looking for an easier way to manage/create VPN profile with Meraki and AnyConnect would be a good fit.

27 Replies 27
MerakiJockey505
Building a reputation

AnyConnect, as far as I know, can only be manually configured using the System Mananger.  You will have the ability to set configuration and deployment of VPN server credentials for any L2TP, PPTP, Cisco IPSec or AnyConnect server in that module.  You could also terminate the AnyConnect clients to an ISR router and then cycle that traffic through the Meraki as an alternative.  Depending on what your purpose is, Meraki also offers an appliance called the Teleworker VPN which allows you to extend the corporate LAN to remote sites, without requiring all clients and devices to have client VPN software.

Bruce
Kind of a big deal

Unfortunately you can't use Cisco AnyConnect with the Meraki MX appliances. I know this is a common request, and hopefully its one that will come about soon, hit that 'Make a Wish' button a bit more. Although Cisco AnyConnect client can create an IPSec tunnel, it only uses IKE v2 for the initial negotiations, whereas the MX appliances only do IKE v1 at the moment - that I believe is the problem.

Welles
Building a reputation

 That's the one piece holding us back from seriously looking at the MX line. Having a good SSL VPN.

cwal21
Getting noticed

Any updates to this request Bruce?
Thanks!
Enrico
New here

Hello Bruce - when you say "you can't use Cisco AnyConnect with the Meraki MX appliances", do you mean a) the MX appliance can't use AnyConnect to create a hardware-based VPN tunnel, or b) you can't use the AnyConnect software client on a computer to connect back to corporate if the router being used is an MX appliance?

 

This is perhaps a beginner's question, but here is why I ask: I am having problems with AnyConnect client running on a Mac OSX computer, trying to setup a VPN tunnel back to corporate.  The software VPN client works fine at a hotel, or at a coffee shop, et cetera, but at my home office, it connects, then disconnects, then tries to reconnect.

 

The only difference is that my home office is using a Meraki MX60 appliance as the router.

 

So again, my question: are you referring to using the Meraki MX to setup a full-time VPN tunnel, with AnyConnect as the provisioned technology?  Or do you mean that an AnyConnect software client won't work correctly if the router is a Meraki MX?

 

I have AnyConnect running on an iPad (works fine) and a MacBook (doesn't work).

 

Thanks in advance...

Warren
Getting noticed


@Enrico wrote:

Hello Bruce - when you say "you can't use Cisco AnyConnect with the Meraki MX appliances", do you mean a) the MX appliance can't use AnyConnect to create a hardware-based VPN tunnel, or b) you can't use the AnyConnect software client on a computer to connect back to corporate if the router being used is an MX appliance?

 


AnyConnect requires Ike v2 - which was first announced in December 2005, with clarifications in October 2006 and finally (marking it ready for use) September 2010 - https://en.wikipedia.org/wiki/Internet_Key_Exchange

 

Cisco Meraki MX devices only support IkeV1.  They will likely never be upgraded to support Ikev2.  The suggestion has been around for over 5 years.  If you want to use AnyConnect - pick another firewall. 

 

Also if you are under PCI audits - your sites with client vpn enabled will fail one of the scans as the vpn uses ike v1.  

cwal21
Getting noticed

So clients using Meraki client VPN will fail PCI scans due to no IkeV2 support? So the claim by Meraki being PCI compliant is a false one?

cwal21
Getting noticed

Anyone have any input on this?

Warren
Getting noticed

https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps

 

I'd say that this is as official of a response as there is likely going to be.

GrantWilson
Just browsing


@Warren wrote:

https://documentation.meraki.com/MX/Client_VPN/MX_security_audit_failed_fast essay_recommended_steps

I'd say that this is as official of a response as there is likely going to be.


 

Hello,

 

Thank you for the source. Is there any way to configure Windows 10 to use the IKEv1 aggressive mode? After the Windows 10 update, I noticed that the connection switched from PAP to MSCHAP (just as mentioned by TMRoberts).

cwal21
Getting noticed


@Warren wrote:

@Enrico wrote:

Hello Bruce - when you say "you can't use Cisco AnyConnect with the Meraki MX appliances", do you mean a) the MX appliance can't use AnyConnect to create a hardware-based VPN tunnel, or b) you can't use the AnyConnect software client on a computer to connect back to corporate if the router being used is an MX appliance?

 


AnyConnect requires Ike v2 - which was first announced in December 2005, with clarifications in October 2006 and finally (marking it ready for use) September 2010 - https://en.wikipedia.org/wiki/Internet_Key_Exchange

 

Cisco Meraki MX devices only support IkeV1.  They will likely never be upgraded to support Ikev2.  The suggestion has been around for over 5 years.  If you want to use AnyConnect - pick another firewall. 

 

Also if you are under PCI audits - your sites with client vpn enabled will fail one of the scans as the vpn uses ike v1.  


Never say never @Warren - Looks like Meraki has surprised us and they've actually been supporting IkeV2 for a bit. Apparently integrating AnyConnect on latest firmware for several MX Models as well....

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance

wendallwoof
Conversationalist

I've seen some information about 6 months ago that stated cisco anyconnect is definitely coming to the mx series but the release date was not specified. I'll try find this again so you can follow up on it.
Bruce
Kind of a big deal

It's definitely still coming 🙂 Keep in contact with your local Meraki team if you want to know more.

lpopejoy
A model citizen

+1  Better control over client VPN would be great.  Support for Cisco AnyConnect & SSL VPN would be amazing as well!

TMRoberts
Getting noticed


@Bruce wrote:

It's definitely still coming 🙂 Keep in contact with your local Meraki team if you want to know more.


Any update on this at all?

 

The Windows 10 client works ... but sometimes Windows update switches the connection from PAP to MSCHAP and clients can't connect. Like Microsoft decides it wants to remove what it considers an unsecure setting and change it to their 'secure' MSCHAP. Getting frustrating having to do this for multiple VPN clients on company laptops.

 

An actual Meraki client or AnyConnect client that overrides Windows settings would be more beneficial!

 

Spiceworks community posting advises this has been on going and annoying for a lot of users of Merak...

 

Anyone even thought to do a 'dual purpose client', where during the install, you select "Cisco Meraki connection", or "Cisco connection" and it tailors the client settings to the applicable to the hardware you are connecting to? This way Windows hopefully won't override it. I really like Meraki, and my only pain point over past 2yrs is the fact WinDOZE decides to just update your settings and override them and stops users connecting ...



T Roberts
A+, Network+, MCP, Dell and CMNO
Warren
Getting noticed

It's been going on since we have used it (2 years). Our local Meraki person has changed 3 or 4 times in that time frame, I've not heard from the current one.
AJ
Here to help

Would someone be so kind as to mention what features AnyConnect has over native Windows 10 VPN client? I had used AnyConnect years ago and don't recall what was so great about it. It was good, but didn't seem that wonderful. The Windows 10 native client seems just as easy to setup and even easier to use.

 

Specific point of interest to me:

Does AnyConnect allow me to give a static IP address to the client and still connect to a Meraki? Win10 client allows this (technically), but it fails to connect unless set to DHCP, even though the static IP is within the Meraki's assigned VPN client address range.

 

I redact the previous paragraph. Turns out that Windows Firewall was causing problems. Got my client connected with a static IP address after turning it off.

Warren
Getting noticed

This would be great, but since it hasn't been worked on in 3 or so years, don't count on it.

cwal21
Getting noticed

Anyconnect or some type of client VPN over built-in Windows clients would be highly advantageous for those networks that rely heavily on client-site VPN's due to the redundant setup processes. With Anyconnect, one would simply point the end user to the url or IP of the firewall and with a few button clicks have the tunnel established and connectivity available. It takes a lot of the redundant legwork off of the admin setting up clients...
Warren
Getting noticed


@cwal21 wrote:
Anyconnect or some type of client VPN over built-in Windows clients would be highly advantageous for those networks that rely heavily on client-site VPN's due to the redundant setup processes. With Anyconnect, one would simply point the end user to the url or IP of the firewall and with a few button clicks have the tunnel established and connectivity available. It takes a lot of the redundant legwork off of the admin setting up clients...

Of course it's better.  But AnyConnect requires Ikev2, Meraki Security Appliances only do Ikev1.  Switching the Ike version would also allow Meraki's to stop failing PCI audits which flag on devices running Ikev1 VPN. 

 

I've thought of deploying another Client VPN solution along side the Meraki, but I haven't yet.  It will be a requirement though for when I go firewall shopping next refresh cycle.

RobinJiao
Here to help

 

1. Make a one-line PowerShell script to add the VPN connection

2. Convert the PS script to the exe file and distribute the zipped exe file 

user download the file, unzip and run it then the VPN connection is created

Here is the code (Visual Studio Code is the best IDE for PowerShell)

Add-vpnconnection -Name MyVPN -ServerAddress 1xx.2xx.1xx.1xx -TunnelType l2tp -AuthenticationMethod pap -RememberCredential -l2tpPsk *secret*
 
If you like you can add -SplitTunneling into the above script, and add few routes letting only specific traffic going to the VPN connection, other traffic still goes to the local Internet connection, e.g.:
Add-VpnConnectionRoute -ConnectionName "MyVPN" -DestinationPrefix 128.136.0.0/16
 
How to convert PowerShell script to an exe file? I'm using PS2EXE, it works great
 
 
Robin Jiao
Jul, 2018
Turas
Getting noticed

Thanks for the PS Script.  That works great. 

TMRoberts
Getting noticed

You need to add a -Force at the end of that otherwise you get a 'waiting' prompt to confirm or not. You will still get a warning as below, but it will take.

 

WARNING: The currently selected encryption level requires EAP or MS-CHAPv2 logon security methods. Data encryption will not occur for Pap or Chap.



T Roberts
A+, Network+, MCP, Dell and CMNO
cwal21
Getting noticed

@RobinJiaothis is awesome and will definitely save us time on client deployments. The only problem with it (thanks to good ol' Microsoft) is since we rely on the pap authentication method with Meraki, we cannot set and use the switch "-EncryptionLevel Required" so this causes the need to go in and edit the adapter manually because with the script as-is it will set encryption level to optional. Not sure if that is a big deal or not, but maybe someone else can provide some insight there.

 

Thanks again for sharing!

charlesalmanzar
New here

1 개월 무료 VPN을 받고 집에서 작업하는 동안 안전하게 지내세요.  privacykorea.com/한국-vpn 

cwal21
Getting noticed

https://documentation.meraki.com/MX/AnyConnect_on_the_MX_Appliance - FINALLY! 😀 Can't wait to give it a whirl!

CaptainBeRad
Here to help

Well I think you get credit for answering your own question!

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels