Hello community,
I was wondering if there is someone out there using the Meraki MXs for Client-VPN with L2TP and IPsec.
My question is pointing to the use of a non-SSL connection and possible problems with restricted internet access (airports, hotels, cafes).
Is anyone using the L2TP-IPSEC VPN (400+ concurrent sessions) who can let me know his/her experience?
Many thanks
Lennart
Take a look over some of the common trouble shooting techniques for issues you are going to run into:
https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
Error 809 is a semi-common one.
Some of the problems you will experience with L2TP over IPSec are:
Also AnyConnect with an ASA allows for far more advanced controls. For example, if you are using RADIUS for authentication, you can push per user/group policies. For example, a VoIP contractor might only be allowed access to the phone system, a network engineer might only be allowed access to networking kit, etc.
With the Meraki implementation pretty much everyone has the same level of access. There are workarounds - but on your scale they are not going to be good enough.
This is my prediction, if you try and use L2TP over IPSec with 2,000 VPN users you will need an entire support person permanently just to deal with the client VPN issues.
I use it daily. But to be honest, I've never really seen the clientVPN as a mature VPN solution for end-users. It doesn't have many features. It will probably work, but it won't be user-friendly, and it will be hard to deploy/maintain too.
I see it more as a way for admins to dial into their networks from time to time during troubleshooting.
I'm waiting for Anyconnect support on Meraki, that should change things for this use-case.
Thanks for your answer. I agree with your point, but the advantage is that there is no client to install on most devices as it is a built-in feature of most OSes.
We have about 375+ connections daily using the VPN with this setup. Most major issues come from issues with the various ISPs people use, to be honest. As far as deployment to users, this is done via PowerShell script so we can easily push out updates as needed. We have users who travel often and have not experienced any issues at airports, hotels, cafes. If they were to experience the issue, they would just tether off their phones.
Good to hear! Just out of interest, do they manually turn on the VPN tunnel? What MX are you using MX250 or are you pushing MX100 (that according to the datasheet supports only up to 250 tunnels)?
@Mr_IT_Guy wrote: We have about 375+ connections daily using the VPN with this setup. Most major issues come from issues with the various ISPs people use, to be honest. As far as deployment to users, this is done via PowerShell script so we can easily push out updates as needed. We have users who travel often and have not experienced any issues at airports, hotels, cafes. If they were to experience the issue, they would just tether off their phones.
Yes, they have to manually choose to connect to the VPN. As far as MX is concerned, we are using a MX600.
I'm not sure what you mean by "medium" size ...
To add to @BrechtSchamp's comment, you can find Powershell scripts to configure the client VPN connection here:
http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html
But personally - when I have a customer with a lot of VPN connections, or anything even slightly tricky about the VPN connections, I add in a Cisco ASA into the solution and dedicate it as a client VPN concentrator for AnyConnect. A little Cisco ASA 5506 or 5508 is not that expensive.
The SSL VPN client can auto-deploy when the users connects - or you can push it out using group policy, or any software deployment tool.
On balance - you will have significantly fewer support issues if you're a "medium" size company and you add in an ASA and install the client, versus using L2TP over IPSec and the built-in Windows client.
Only a mad-man would do a deployment using L2TP over IPSec of this size. Don't do it! You will have a support nightmare on a scale you have never encountered before.
Cisco AnyConnect is a highly respected solution. I've done a lot of deployments - and I don't have issues with the VPN client.
I think you should probably be looking at something like a failover HA pair of Cisco ASA 5525-X's. They will handle 750 connected users. The next model up, the 5545, will handle 2,500 concurrent users. Rather than doing a failover HA cluster you could also do a load balancing cluster of 5525's if you needed more capacity without going to the expense of the 5545.
And another classic I just remembered. Dell machines ship with some software on them called SmartByte which breaks client VPN.
So I hope you don't use Dell machines in your organisation.
https://community.meraki.com/t5/Network-Wide/Dell-Laptops-and-VPN-access/m-p/12826#M321
We are currently using Meraki MXs for Client-VPN with L2TP and IPsec in our env. I saw that someone already suggested Anyconnect, I'd absolutely agree.
The current issues we are running into as a result of Win10, are crippling.
1. https://community.meraki.com/t5/Security-SD-WAN/Client-VPN-Issue/m-p/37181/highlight/true#M9355
2. Lately, every time we receive Windows updates the adapter settings revert back to default - unless your users are allowed to access their adapter settings, you'll have to reconfigure the protocols in the Security tab.
You could opt to disable a restrictive GP so they can fix it themselves, or remotely fix it for the user; granted your remote software allows for UAC access, it is time-consuming.
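As an added example, not code from this thread or from the ifm.net.nz cookbook linked above, here is a PowerShell script of the kind the PowerShell deployment posts describe: it checks whether the Windows L2TP/IPsec client VPN profile still has the expected settings and recreates it if a Windows update has reset them, so the same script can be pushed again rather than fixing adapter settings by hand. The profile name, server address and pre-shared key are placeholders; the PAP-inside-IPsec authentication setting follows the usual Meraki Windows client setup and should be checked against your own dashboard configuration; the registry value in the last function is the NAT-T setting Microsoft documents for L2TP/IPsec clients behind NAT, which is the usual cause of the Error 809 mentioned above.

```powershell
# Added example: idempotent L2TP/IPsec client VPN profile for Windows 10.
# The three values below are placeholders, not real deployment values.
$VpnName   = 'Corp Client VPN'
$VpnServer = 'vpn.example.invalid'          # placeholder: MX public hostname or IP
$VpnPsk    = 'REPLACE-WITH-PRESHARED-KEY'   # placeholder: shared secret from Dashboard

function Test-ClientVpnProfile {
    # Returns $true only when the profile exists with the settings an
    # L2TP/IPsec + PAP client VPN needs; anything else counts as drift.
    param([string]$Name, [string]$Server)
    $p = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue
    if (-not $p) { return $false }
    return ($p.ServerAddress -eq $Server) -and
           ($p.TunnelType -eq 'L2tp') -and
           ($p.AuthenticationMethod -contains 'Pap')
}

function Install-ClientVpnProfile {
    # Removes any stale profile with the same name and recreates it, so the
    # script can be re-run after an update has reverted the adapter settings.
    param([string]$Name, [string]$Server, [string]$Psk)
    if (Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -Force
    }
    Add-VpnConnection -Name $Name -ServerAddress $Server `
        -TunnelType L2tp -L2tpPsk $Psk `
        -AuthenticationMethod Pap -EncryptionLevel Optional `
        -RememberCredential -Force
}

function Enable-NatTraversalForL2tp {
    # Windows will not bring up L2TP/IPsec through a NAT device unless this
    # value is set (the Error 809 case). Needs admin rights and a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    New-ItemProperty -Path $key -Name 'AssumeUDPEncapsulationContextOnSendRule' `
        -PropertyType DWord -Value 2 -Force | Out-Null
}

# Re-apply only when the profile is missing or has drifted from the expected settings.
if (-not (Test-ClientVpnProfile -Name $VpnName -Server $VpnServer)) {
    Install-ClientVpnProfile -Name $VpnName -Server $VpnServer -Psk $VpnPsk
    Write-Output "Profile '$VpnName' (re)created."
} else {
    Write-Output "Profile '$VpnName' already matches the expected settings."
}
```

Run it in the user's context (the profile is per-user unless you add -AllUserConnection), and call Enable-NatTraversalForL2tp separately from an elevated session, since it writes under HKLM. Because the script only rebuilds a profile that has drifted, it is safe to schedule it after each Windows update cycle instead of opening adapter settings for users who are blocked from them by group policy.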