Client VPN - L2TP vs SSL

Solved
RichardChen1
Getting noticed

Client VPN - L2TP vs SSL

Hi Everyone,

 

I understand that anyconnect ssl vpn is on the pipeline.

However,  I have the following statement from a Sophos MSP - can anyone share any feedback?

 

"Meraki devices only support Layer 2 Tunnelling Protocol (L2TP), looking at the specification this isn’t secure enough to use for remote access, they are using heavily depreciated encryption methods and I strongly advise against using the L2TP option offered by the Cisco Meraki firewall.

My best option for you is that we reinstate the Sophos firewall at head office as a secondary device behind the Cisco Meraki, forward the SSL VPN ports to the Sophos and allow you to access the network using this far more secure option using modern SSL encryption methods."

 

Is L2TP not secure?

 

My experience with Meraki VPN is that

1. it is not easy to troubleshoot on WIN environment - accessing windows and meraki logs

2. Additional work on windows to change from full to split tunnel

 

 

1 Accepted Solution

Client vpn was not required when we replace it.

 

The Sophos is out of support contract and we provided internet redundancy by adding the 4G backup.

 

I will let our Account Manager handle this for now.

 

View solution in original post

8 Replies 8
Nash
Kind of a big deal

So I work at an MSP, and to be blunt? MSPs aren't beyond trying to encourage you to use their preferred technology, simply because it is easier for them. This is especially true on network equipment.

 

You can mitigate many of the Windows issues using PowerShell scripts, using rasphone, and never saving the credential. I've got scripts in my signature that have significantly reduced the amount of time my help desk spends on Meraki client VPN issues. We have fewer tickets over all, and most tickets are now 5-10 minute redeployments of the VPN via script vs. 20-40 minutes of painful troubleshooting.

 

Regarding security, that's a more complicated question. What ciphers/hash/DH combos are the Sophos fw using? Meraki gives theirs here. Support can change it, but the higher level uses a cipher and DH combo that may not be supported by all endpoints.

 

May I ask: What problem are you having that caused this MSP to make that recommendation?

Hi @Nash ,

 

We just replaced all Sophos FW with Meraki MX.

 

My case would be more to do with politic than technical.😥

Nash
Kind of a big deal

It's always fun when the problem is people and not actually hardware. By which I mean, it's terrible.

 

Given your situation, what would your ideal outcome look like? Perhaps that can guide what you do.

 

What problem were you solving by replacing the Sophos with the Meraki?

Client vpn was not required when we replace it.

 

The Sophos is out of support contract and we provided internet redundancy by adding the 4G backup.

 

I will let our Account Manager handle this for now.

 

PhilipDAth
Kind of a big deal
Kind of a big deal

The final connection ends up using AES128+SHA1 using IKEv1.

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview#Encryption_Method 

 

I would not call that good.

 

The Microsoft client VPN built into Windows is a real pain in the neck.  For any client wanting lots of client VPN users I also tend to deploy an SSL VPN appliance behind the Meraki (although I tend to use Cisco products).

Nash
Kind of a big deal

Yeah no, I'm not at all saying that the client VPN's standards are sufficient. I'd also really like more DH groups for third party tunnels. I'm especially frustrated that the higher level offered is not supported by all end points.

 

We've kept ASAs just for AnyConnect at some clients. Not other vendors, because we're a Cisco VAR/MSP and push people to use uh... Cisco/Meraki... gear. 🙂

cmr
Kind of a big deal
Kind of a big deal

Sophos SSL is quite a bit better for client VPN, so the MSP isn't completely wrong:

 

 

cmr_0-1581419280650.png

 

 
 
Nash
Kind of a big deal

@cmr I've been impressed by it at customers who've had Sophos fw. Very easy to use, and the client has a nice traffic light icon that makes it relatively clear if you're connected or not.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels