Can I use Cisco AnyConnect with Meraki Client VPN?

New here

Can I use Cisco AnyConnect with Meraki Client VPN?

Looking for an easier way to manage/create VPN profile with Meraki and AnyConnect would be a good fit.

Building a reputation

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

AnyConnect, as far as I know, can only be manually configured using the System Manager.  You will have the ability to set configuration and deployment of VPN server credentials for any L2TP, PPTP, Cisco IPSec or AnyConnect server in that module.  You could also terminate the AnyConnect clients to an ISR router and then cycle that traffic through the Meraki as an alternative.  Depending on what your purpose is, Meraki also offers an appliance called the Teleworker VPN which allows you to extend the corporate LAN to remote sites, without requiring all clients and devices to have client VPN software.

Getting noticed

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

Unfortunately you can't use Cisco AnyConnect with the Meraki MX appliances. I know this is a common request, and hopefully it's one that will come about soon, hit that 'Make a Wish' button a bit more. Although Cisco AnyConnect client can create an IPSec tunnel, it only uses IKE v2 for the initial negotiations, whereas the MX appliances only do IKE v1 at the moment - that I believe is the problem.

Building a reputation

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

 That's the one piece holding us back from seriously looking at the MX line. Having a good SSL VPN.

Conversationalist

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

I saw some information about 6 months ago that stated Cisco AnyConnect is definitely coming to the MX series, but the release date was not specified. I'll try to find this again so you can follow up on it.
Getting noticed

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

It's definitely still coming 🙂 Keep in contact with your local Meraki team if you want to know more.

Building a reputation

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

+1  Better control over client VPN would be great.  Support for Cisco AnyConnect & SSL VPN would be amazing as well!

AJ
Conversationalist

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

Would someone be so kind as to mention what features AnyConnect has over native Windows 10 VPN client? I had used AnyConnect years ago and don't recall what was so great about it. It was good, but didn't seem that wonderful. The Windows 10 native client seems just as easy to setup and even easier to use.

 

Specific point of interest to me:

Does AnyConnect allow me to give a static IP address to the client and still connect to a Meraki? Win10 client allows this (technically), but it fails to connect unless set to DHCP, even though the static IP is within the Meraki's assigned VPN client address range.

 

I redact the previous paragraph. Turns out that Windows Firewall was causing problems. Got my client connected with a static IP address after turning it off.

Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

This would be great, but since it hasn't been worked on in 3 or so years, don't count on it.

Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?


@Bruce wrote:

It's definitely still coming 🙂 Keep in contact with your local Meraki team if you want to know more.


Any update on this at all?

 

The Windows 10 client works ... but sometimes Windows update switches the connection from PAP to MSCHAP and clients can't connect. Like Microsoft decides it wants to remove what it considers an unsecure setting and change it to their 'secure' MSCHAP. Getting frustrating having to do this for multiple VPN clients on company laptops.

 

An actual Meraki client or AnyConnect client that overrides Windows settings would be more beneficial!

 

Spiceworks community posting advises this has been on going and annoying for a lot of users of Merak...

 

Anyone even thought to do a 'dual purpose client', where during the install, you select "Cisco Meraki connection", or "Cisco connection" and it tailors the client settings to the hardware you are connecting to? This way Windows hopefully won't override it. I really like Meraki, and my only pain point over past 2yrs is the fact WinDOZE decides to just update your settings and override them and stops users connecting ...



T Roberts
A+, Network+, MCP, Dell and CMNO
Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

It's been going on since we have used it (2 years). Our local Meraki person has changed 3 or 4 times in that time frame, I've not heard from the current one.
Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

 

1. Make a one-line PowerShell script to add the VPN connection

2. Convert the PS script to the exe file and distribute the zipped exe file 

The user downloads the file, unzips and runs it, and then the VPN connection is created.

Here is the code (Visual Studio Code is the best IDE for PowerShell)

Add-vpnconnection -Name MyVPN -ServerAddress 1xx.2xx.1xx.1xx -TunnelType l2tp -AuthenticationMethod pap -RememberCredential -l2tpPsk *secret*
 
If you like, you can add -SplitTunneling to the above script and add a few routes so that only specific traffic goes to the VPN connection while other traffic still goes to the local Internet connection, e.g.:
Add-VpnConnectionRoute -ConnectionName "MyVPN" -DestinationPrefix 128.136.0.0/16
 
How to convert PowerShell script to an exe file? I'm using PS2EXE, it works great
 
 
Robin Jiao
Jul, 2018
Getting noticed

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

Thanks for the PS Script.  That works great. 

Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

You need to add a -Force at the end of that otherwise you get a 'waiting' prompt to confirm or not. You will still get a warning as below, but it will take.

 

WARNING: The currently selected encryption level requires EAP or MS-CHAPv2 logon security methods. Data encryption will not occur for Pap or Chap.



T Roberts
A+, Network+, MCP, Dell and CMNO
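
Several posts in this thread report Windows updates switching the profile from PAP to MS-CHAP. The following is an added example, not code from any poster or from Meraki, that checks the profile created by the script above for that drift and resets it. It assumes the profile name MyVPN from that script and a per-user (not all-user) profile; the function name Test-VpnProfileDrift is hypothetical.

```powershell
# Added example: detect and repair drift in the L2TP/PAP profile.
# Assumption: the profile is the per-user 'MyVPN' created by the script above.
$ProfileName = 'MyVPN'
$Expected = @{
    TunnelType           = 'L2tp'
    AuthenticationMethod = 'Pap'
}

function Test-VpnProfileDrift {
    # Hypothetical helper: returns a list of human-readable differences.
    param(
        [Parameter(Mandatory)] $Connection,
        [Parameter(Mandatory)] [hashtable] $Expected
    )
    $drift = @()
    if ($Connection.TunnelType -ne $Expected.TunnelType) {
        $drift += "TunnelType is $($Connection.TunnelType), expected $($Expected.TunnelType)"
    }
    # AuthenticationMethod is an array; it must list exactly the expected method.
    $methods = @($Connection.AuthenticationMethod)
    if ($methods.Count -ne 1 -or $methods[0] -ne $Expected.AuthenticationMethod) {
        $drift += "AuthenticationMethod is '$($methods -join ',')', expected $($Expected.AuthenticationMethod)"
    }
    return ,$drift
}

$conn = Get-VpnConnection -Name $ProfileName -ErrorAction SilentlyContinue
if (-not $conn) {
    Write-Warning "VPN profile '$ProfileName' not found for this user."
    return
}

$drift = Test-VpnProfileDrift -Connection $conn -Expected $Expected
if ($drift.Count -eq 0) {
    Write-Output "VPN profile '$ProfileName' matches the expected settings."
}
else {
    $drift | ForEach-Object { Write-Warning $_ }
    # -Force suppresses the confirmation prompt, as noted in the reply above.
    Set-VpnConnection -Name $ProfileName -TunnelType L2tp -AuthenticationMethod Pap -Force
    # Re-read the profile and confirm the repair took effect.
    $after = Test-VpnProfileDrift -Connection (Get-VpnConnection -Name $ProfileName) -Expected $Expected
    if ($after.Count -eq 0) { Write-Output "VPN profile '$ProfileName' repaired." }
    else { Write-Warning "VPN profile '$ProfileName' still differs: $($after -join '; ')" }
}
```

Run as a logon script or scheduled task in the user's context, this replaces the manual fix on each laptop; the pre-shared key is not touched, so it does not need to be stored in this script.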
Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

Anyconnect or some type of client VPN over built-in Windows clients would be highly advantageous for those networks that rely heavily on client-site VPN's due to the redundant setup processes. With Anyconnect, one would simply point the end user to the url or IP of the firewall and with a few button clicks have the tunnel established and connectivity available. It takes a lot of the redundant legwork off of the admin setting up clients...
Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

Any updates to this request Bruce?
Thanks!
Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?


@cwal21 wrote:
Anyconnect or some type of client VPN over built-in Windows clients would be highly advantageous for those networks that rely heavily on client-site VPN's due to the redundant setup processes. With Anyconnect, one would simply point the end user to the url or IP of the firewall and with a few button clicks have the tunnel established and connectivity available. It takes a lot of the redundant legwork off of the admin setting up clients...

Of course it's better.  But AnyConnect requires Ikev2, Meraki Security Appliances only do Ikev1.  Switching the Ike version would also allow Meraki's to stop failing PCI audits which flag on devices running Ikev1 VPN. 

 

I've thought of deploying another Client VPN solution along side the Meraki, but I haven't yet.  It will be a requirement though for when I go firewall shopping next refresh cycle.

New here

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

Hello Bruce - when you say "you can't use Cisco AnyConnect with the Meraki MX appliances", do you mean a) the MX appliance can't use AnyConnect to create a hardware-based VPN tunnel, or b) you can't use the AnyConnect software client on a computer to connect back to corporate if the router being used is an MX appliance?

 

This is perhaps a beginner's question, but here is why I ask: I am having problems with AnyConnect client running on a Mac OSX computer, trying to setup a VPN tunnel back to corporate.  The software VPN client works fine at a hotel, or at a coffee shop, et cetera, but at my home office, it connects, then disconnects, then tries to reconnect.

 

The only difference is that my home office is using a Meraki MX60 appliance as the router.

 

So again, my question: are you referring to using the Meraki MX to setup a full-time VPN tunnel, with AnyConnect as the provisioned technology?  Or do you mean that an AnyConnect software client won't work correctly if the router is a Meraki MX?

 

I have AnyConnect running on an iPad (works fine) and a MacBook (doesn't work).

 

Thanks in advance...

Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?


@Enrico wrote:

Hello Bruce - when you say "you can't use Cisco AnyConnect with the Meraki MX appliances", do you mean a) the MX appliance can't use AnyConnect to create a hardware-based VPN tunnel, or b) you can't use the AnyConnect software client on a computer to connect back to corporate if the router being used is an MX appliance?

 


AnyConnect requires Ike v2 - which was first announced in December 2005, with clarifications in October 2006 and finally (marking it ready for use) September 2010 - https://en.wikipedia.org/wiki/Internet_Key_Exchange

 

Cisco Meraki MX devices only support IkeV1.  They will likely never be upgraded to support Ikev2.  The suggestion has been around for over 5 years.  If you want to use AnyConnect - pick another firewall. 

 

Also if you are under PCI audits - your sites with client vpn enabled will fail one of the scans as the vpn uses ike v1.  

Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

So clients using Meraki client VPN will fail PCI scans due to no IkeV2 support? So the claim by Meraki being PCI compliant is a false one?

Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

Anyone have any input on this?

Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

@RobinJiao this is awesome and will definitely save us time on client deployments. The only problem with it (thanks to good ol' Microsoft) is since we rely on the pap authentication method with Meraki, we cannot set and use the switch "-EncryptionLevel Required" so this causes the need to go in and edit the adapter manually because with the script as-is it will set encryption level to optional. Not sure if that is a big deal or not, but maybe someone else can provide some insight there.

 

Thanks again for sharing!

Here to help

Re: Can I use Cisco AnyConnect with Meraki Client VPN?

https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps

 

I'd say that this is as official of a response as there is likely going to be.

Just browsing

Re: Can I use Cisco AnyConnect with Meraki Client VPN?


@Warren wrote:

https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps

I'd say that this is as official of a response as there is likely going to be.


 

Hello,

 

Thank you for the source. Is there any way to configure Windows 10 to use the IKEv1 aggressive mode? After the Windows 10 update, I noticed that the connection switched from PAP to MSCHAP (just as mentioned by TMRoberts).
