Meraki

Community

Cisco Meraki Client VPN - L2TP/IPSec

Solved
OmAr7
Here to help
‎Oct 10 2020 10:08 AM
‎Oct 10 2020 10:08 AM

Cisco Meraki Client VPN - L2TP/IPSec

Hello All,

 

Just reading in documentation regarding Cisco Meraki Client VPN, and just wondering about the Client VPN protocols used in Cisco Meraki?

 

Up to my knowledge, we can connect the Client VPN via IPSec (IKE will initiate the ISAKMP tunnel and use either AH or ESP or both then the IPSec tunnel form)

 

Cisco Meraki by default use L2TP/IPSec, why L2TP?

 

 

Thanks & regards,

Omar

0 Kudos
1 Accepted Solution
In response to OmAr7
KarstenI
Kind of a big deal
Kind of a big deal
‎Oct 10 2020 11:33 AM
‎Oct 10 2020 11:33 AM

Yes, theoretically AH can be used, but practically it’s not. For example, the Cisco ASA does not even have it implemented.

You should look at remote access and site to site separately as the needs are totally different. Basically they only have the need for protection in common.

Remote Access: Here we need the mentioned user authentication and IP configuration. Both is not available natively in IKEv1, but is available in IKEv2. With IKEv2 there is no need to use additional protocols for these functions.

Site to site: you do not need user authentication, but possibly transfer IP information. These can be routing-protocols which can not be exchanged with IKEv1. This is the reason that often GRE is used and protected by IPSec. With GRE you can transmit multicast which gives you the possibility to run a IGP over the VPN. This additional encapsulation is not needed if something like VTIs (virtual tunnel interfaces) are implemented. Here you also can run routing-protocols.

With IKEv2, you could theoretically go without a routing protocol as there is IKE authorization which can communicate network information through the tunnel. This is implemented in Cisco’s FlexVPN. Sadly, nearly nothing of these are implemented in our Meraki MX appliances yet.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

View solution in original post

0 Kudos
5 Replies 5
KarstenI
Kind of a big deal
Kind of a big deal
‎Oct 10 2020 10:52 AM
‎Oct 10 2020 10:52 AM

Practically, there is no AH in VPNs (also not in other setups). IKEv1 is used in combination with L2TP because native IKEv1 does not have any function to authenticate the user or apply IP configurations to the remote client. Both is implemented with L2TP which is used here.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
OmAr7
Here to help
‎Oct 10 2020 11:06 AM
‎Oct 10 2020 11:06 AM

Please correct me if I'm wrong

 

AH is theoretically used in IPSec but it's not recommended because it didn't support the encryption.

 

L2TP is used mandatory with IPSec Client VPN in both IKEv1 and IKEv2?? when we configure IPSec site-to-site, it's not mandatory to use L2TP with IPSec.

 

L2TP Layer 2 protocol

IPSec framework to provide integrity, encryption, and confidentiality to Layer 3 protocols like IPv4 and IPv6.

 

We use L2 tunneling protocols like GRE, L2TP (with authentication capability if we need it) when we need to control our routing domain and routing tables in case we have L2 WAN connections, even this L2 WAN is not popular in many ISPs, just for example to demonstrate the idea.

 

Really appreciate your time and thanks in advance for your input.

 

Regards,

Omar

0 Kudos
In response to OmAr7
KarstenI
Kind of a big deal
Kind of a big deal
‎Oct 10 2020 11:33 AM
‎Oct 10 2020 11:33 AM

Yes, theoretically AH can be used, but practically it’s not. For example, the Cisco ASA does not even have it implemented.

You should look at remote access and site to site separately as the needs are totally different. Basically they only have the need for protection in common.

Remote Access: Here we need the mentioned user authentication and IP configuration. Both is not available natively in IKEv1, but is available in IKEv2. With IKEv2 there is no need to use additional protocols for these functions.

Site to site: you do not need user authentication, but possibly transfer IP information. These can be routing-protocols which can not be exchanged with IKEv1. This is the reason that often GRE is used and protected by IPSec. With GRE you can transmit multicast which gives you the possibility to run a IGP over the VPN. This additional encapsulation is not needed if something like VTIs (virtual tunnel interfaces) are implemented. Here you also can run routing-protocols.

With IKEv2, you could theoretically go without a routing protocol as there is IKE authorization which can communicate network information through the tunnel. This is implemented in Cisco’s FlexVPN. Sadly, nearly nothing of these are implemented in our Meraki MX appliances yet.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
0 Kudos
In response to KarstenI
OmAr7
Here to help
‎Oct 10 2020 12:02 PM
‎Oct 10 2020 12:02 PM

Really appreciate your time and knowledge sharing happening over here, you added something for me, will read more about this and will refer if I have any questions.

 

Thanks a lot

0 Kudos
In response to KarstenI
JeffU
Comes here often
‎Apr 12 2023 9:57 AM
‎Apr 12 2023 9:57 AM

This may have been noted in other places, but Google has dropped L2TP VPN support in Android 13., which recently shipped.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.