Client VPN with L2TP in mid-size enterprises

Solved
LennartM
Conversationalist

Hello community,

I was wondering if there is someone out there using the Meraki MXs for client VPN with L2TP and IPsec.

My question concerns the use of a non-SSL connection and possible problems with restricted internet access (airports, hotels, cafés).

Is anyone using the L2TP/IPsec VPN with 400+ concurrent sessions who can share their experience?

Many thanks

Lennart

 

12 Replies
BrechtSchamp
Kind of a big deal

I use it daily. But to be honest, I've never really seen the client VPN as a mature VPN solution for end users. It doesn't have many features. It will probably work, but it won't be user-friendly, and it will be hard to deploy and maintain too.

I see it more as a way for admins to dial into their networks from time to time during troubleshooting.

I'm waiting for AnyConnect support on Meraki; that should change things for this use case.

LennartM
Conversationalist

Thanks for your answer. I agree with your point, but the advantage is that there is no client to install on most devices, as it is a built-in feature of most OSes.

Mr_IT_Guy
A model citizen

We have about 375+ connections daily using the VPN with this setup. Most major issues come from the various ISPs people use, to be honest. As for deployment to users, this is done via a PowerShell script, so we can easily push out updates as needed. We have users who travel often and have not experienced any issues at airports, hotels or cafés. If they were to experience an issue, they would just tether off their phones.
BrechtSchamp
Kind of a big deal

@Mr_IT_Guy wrote:

We have about 375+ connections daily using the VPN with this setup. Most major issues come from the various ISPs people use, to be honest. As for deployment to users, this is done via a PowerShell script, so we can easily push out updates as needed. We have users who travel often and have not experienced any issues at airports, hotels or cafés. If they were to experience an issue, they would just tether off their phones.

Good to hear! Just out of interest, do they manually turn on the VPN tunnel? Which MX are you using, an MX250, or are you pushing an MX100 (which according to the datasheet supports only up to 250 tunnels)?
Mr_IT_Guy
A model citizen

Yes, they have to manually choose to connect to the VPN. As far as the MX is concerned, we are using an MX600.
PhilipDAth
Kind of a big deal

I'm not sure what you mean by "medium" size ...

To add to @BrechtSchamp's comment, you can find PowerShell scripts to configure the client VPN connection here:

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

But personally, when I have a customer with a lot of VPN connections, or anything even slightly tricky about the VPN connections, I add a Cisco ASA into the solution and dedicate it as a client VPN concentrator for AnyConnect. A little Cisco ASA 5506 or 5508 is not that expensive.

The SSL VPN client can auto-deploy when the user connects, or you can push it out using Group Policy or any software deployment tool.

On balance, you will have significantly fewer support issues if you're a "medium" size company and you add in an ASA and install the client, versus using L2TP over IPsec and the built-in Windows client.

LennartM
Conversationalist

Thanks for your input. To be more precise, we are talking about 15,000 employees, with 2,000 enabled VPN clients.
The idea is not to have a client installed, which caused a lot of trouble and finger-pointing between the VPN client vendor and the OS vendor in the past. These problems have been deeply engraved in the memory of my boss.

PhilipDAth
Kind of a big deal

Only a madman would do a deployment of this size using L2TP over IPsec. Don't do it! You will have a support nightmare on a scale you have never encountered before.

Cisco AnyConnect is a highly respected solution. I've done a lot of deployments, and I don't have issues with the VPN client.

I think you should probably be looking at something like a failover HA pair of Cisco ASA 5525-Xs. They will handle 750 connected users. The next model up, the 5545, will handle 2,500 concurrent users. Rather than a failover HA cluster, you could also do a load-balancing cluster of 5525s if you needed more capacity without going to the expense of the 5545.

https://www.cisco.com/c/en_ca/products/security/asa-5500-series-next-generation-firewalls/models-com...

LennartM
Conversationalist

@PhilipDAth Thanks again.
May I ask what problems and nightmares you have seen in this setup? Is it because of the client configuration, or because the ports the client uses might be blocked in some environments?
PhilipDAth
Kind of a big deal
Accepted Solution

Take a look over some of the common troubleshooting techniques for issues you are going to run into:

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues

Error 809 is a semi-common one.

Some of the problems you will experience with L2TP over IPsec are:

  • Sometimes when it isn't working Windows won't log anything. Consequently you will have to debug the issue without any diagnostic info, or to put it another way, you will be debugging it blind. With Cisco AnyConnect you can use the DART module to get more diagnostics than you could hope for.
  • Sometimes Windows clients fail to detect that their traffic is being NATed (such as when a user is at home). When this happens the home user won't be able to connect unless you put in a registry key to force it to use a NAT-friendly mode. AnyConnect to an ASA uses TLS, just like accessing a secure website, so it does not have this issue.
  • Some ISP routers don't NAT UDP traffic nicely. Some implement stupid max session limits such as 30s. So if a client is behind one of these they may never be able to connect, or will only be able to connect for as long as the max UDP NAT session limit, and then the VPN will stop passing traffic. AnyConnect uses TLS, which uses TCP, which is session-oriented. TCP communicates session start (SYN) and session finish (FIN, RST), so even the dumbest home router knows when a session is still being used.
  • Some software that installs network shims (such as some antivirus software, software firewalls, etc.) just plain breaks L2TP over IPsec. You will find cases where you can't get it to work without uninstalling other software. It is very rare for AnyConnect to have problems with other software shims.
  • L2TP over IPsec doesn't work well over 100% pure IPv6 networks. Usually it doesn't work at all. I don't recall the name now, but there is already an ISP in the USA only doing IPv6 connections. Many mobile carriers globally are now using IPv6. AnyConnect has full IPv6 support.

Also, AnyConnect with an ASA allows for far more advanced controls. For example, if you are using RADIUS for authentication, you can push per-user/group policies: a VoIP contractor might only be allowed access to the phone system, a network engineer might only be allowed access to networking kit, etc.

With the Meraki implementation pretty much everyone has the same level of access. There are workarounds, but at your scale they are not going to be good enough.

This is my prediction: if you try to use L2TP over IPsec with 2,000 VPN users you will need an entire support person permanently just to deal with the client VPN issues.
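The post above names the three things a helpdesk ends up checking by hand on a Windows L2TP/IPsec client: whether the NAT-T registry value is set, whether the connection object still carries the expected settings, and whether Windows logged anything at all for the failed dial. The script below is an added example written for this page; it is not from the thread, from Meraki's troubleshooting article, or from the ifm.net.nz cookbook. It only reads local state and reports, so it is safe to run on a user's machine before escalating. The connection name "Corp-MX" and server "vpn.example.com" are hypothetical placeholders; the expected PAP/PSK/L2TP settings are the ones Meraki documents for the built-in Windows client, which the thread itself does not spell out.

```powershell
# Added example (not from the thread): local pre-flight checks for a Windows L2TP/IPsec
# client pointed at a Meraki MX. Read-only; run as the user who dials the connection.
param(
    [string]$ConnectionName = 'Corp-MX',          # hypothetical connection name
    [string]$ServerAddress  = 'vpn.example.com'   # hypothetical MX public hostname
)

$findings = @()

# 1. Services the built-in client depends on: IKE/AuthIP keying, the IPsec policy
#    agent and the RAS connection manager. If any is stopped the dial fails silently.
foreach ($svc in 'IKEEXT', 'PolicyAgent', 'RasMan') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s)                     { $findings += "service $svc not found" }
    elseif ($s.Status -ne 'Running') { $findings += "service $svc is $($s.Status), expected Running" }
}

# 2. NAT-T: a client behind a home router needs this value so the IPsec stack accepts
#    UDP-encapsulated ESP. 2 = both client and server may sit behind NAT. Reboot after change.
$natKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$natVal = (Get-ItemProperty -Path $natKey -Name AssumeUDPEncapsulationContextOnSendRule `
              -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($natVal -ne 2) {
    $findings += "AssumeUDPEncapsulationContextOnSendRule is '$natVal', expected 2 (reboot after setting)"
}

# 3. The connection object: L2TP, PSK-authenticated IPsec, encryption required, PAP inside
#    the tunnel (Meraki's documented Windows settings). Updates have been seen to reset these.
$conn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
if (-not $conn) {
    $findings += "VPN connection '$ConnectionName' does not exist"
} else {
    if ($conn.ServerAddress -ne $ServerAddress)        { $findings += "server is $($conn.ServerAddress), expected $ServerAddress" }
    if ($conn.TunnelType -ne 'L2tp')                   { $findings += "tunnel type is $($conn.TunnelType), expected L2tp" }
    if ($conn.L2tpIPsecAuth -ne 'Psk')                 { $findings += "IPsec auth is $($conn.L2tpIPsecAuth), expected Psk" }
    if ($conn.AuthenticationMethod -notcontains 'Pap') { $findings += "auth methods are $($conn.AuthenticationMethod -join ','), expected Pap" }
    if ($conn.EncryptionLevel -ne 'Required')          { $findings += "encryption level is $($conn.EncryptionLevel), expected Required" }
}

# 4. What Windows did log: RasClient writes each failed dial to the Application log with
#    the RAS error code (809 = no response from the server, usually UDP 500/4500 blocked or NAT).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'RasClient' } `
              -MaxEvents 50 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match [regex]::Escape($ConnectionName) }
foreach ($e in $events) {
    if ($e.Message -match 'error code returned on failure is (\d+)') {
        $findings += "RasClient $($e.TimeCreated.ToString('s')): dial failed with error $($Matches[1])"
    }
}

if ($findings.Count -eq 0) {
    'No local problems found. If the dial still fails, suspect UDP 500/4500 being blocked or a short UDP NAT timeout upstream.'
} else {
    $findings | ForEach-Object { "FAIL: $_" }
}
```

A run that prints nothing but "FAIL: RasClient ... error 809" with all four local checks clean is the case the post calls debugging blind: the client is fine and the problem is on the path (blocked UDP 500/4500, or a router that drops the UDP NAT mapping), which is exactly what a TCP-based client avoids.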

PhilipDAth
Kind of a big deal

And another classic I just remembered. Dell machines ship with some software on them called SmartByte which breaks client VPN.

So I hope you don't use Dell machines in your organisation.

https://community.meraki.com/t5/Network-Wide/Dell-Laptops-and-VPN-access/m-p/12826#M321

Teechan
Here to help

We are currently using Meraki MXs for client VPN with L2TP and IPsec in our environment. I saw that someone already suggested AnyConnect; I'd absolutely agree.

The current issues we are running into as a result of Win10 are crippling.

1. https://community.meraki.com/t5/Security-SD-WAN/Client-VPN-Issue/m-p/37181/highlight/true#M9355

2. Lately, every time we receive Windows updates the adapter settings revert back to default. Unless your users are allowed to access their adapter settings, you'll have to reconfigure the protocols in the Security tab.

You could opt to disable a restrictive GP so they can fix it themselves, or remotely fix it for the user, granted your remote software allows for UAC access; it is time-consuming.
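Three posts in this thread point at the same script: Mr_IT_Guy deploys the connection with PowerShell so updates can be pushed, PhilipDAth links the ifm.net.nz cookbook and mentions the registry key that forces NAT-friendly mode, and the post above describes Windows updates resetting the Security-tab protocols so someone has to re-apply them. The script below is an added example written for this page, not the thread's or the cookbook's code. It is idempotent: it creates the connection if missing, otherwise re-applies the settings (so re-running it after an update repairs the drift without touching the user), sets the NAT-T value, and then verifies the result rather than trusting the cmdlets. Connection name "Corp-MX", server "vpn.example.com" and the MX_CLIENT_VPN_PSK environment variable are hypothetical; PAP inside the tunnel and a pre-shared key are the settings Meraki documents for the Windows client. Run it elevated, since the all-user connection and the registry write require it.

```powershell
# Added example (not from the thread or the ifm.net.nz cookbook): idempotent provisioning
# and repair of the built-in Windows L2TP/IPsec client for a Meraki MX. Run elevated.
param(
    [string]$ConnectionName = 'Corp-MX',                 # hypothetical
    [string]$ServerAddress  = 'vpn.example.com',         # hypothetical MX hostname
    [string]$Psk            = $env:MX_CLIENT_VPN_PSK     # injected by the deployment tool, never hard-coded
)
if ([string]::IsNullOrEmpty($Psk)) { throw 'MX_CLIENT_VPN_PSK is not set; refusing to create a connection without the PSK.' }

# Settings Meraki documents for the Windows client: L2TP over IPsec with a pre-shared key,
# encryption required, PAP for the inner PPP authentication (PAP is protected by the IPsec layer).
$desired = @{
    ServerAddress        = $ServerAddress
    TunnelType           = 'L2tp'
    L2tpPsk              = $Psk
    AuthenticationMethod = 'Pap'
    EncryptionLevel      = 'Required'
}

$existing = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    Add-VpnConnection -Name $ConnectionName @desired -AllUserConnection -RememberCredential -Force
    "Created connection '$ConnectionName'."
} else {
    # A Windows update can reset the Security-tab protocols to their defaults; re-applying the
    # desired settings fixes that without the user needing access to the adapter properties.
    Set-VpnConnection -Name $ConnectionName @desired -AllUserConnection -Force
    "Re-applied settings on existing connection '$ConnectionName'."
}

# NAT-T: clients behind a home router need this or the IPsec SA never comes up (error 809).
# 2 = both ends may be behind NAT. A reboot is required before the value takes effect.
$natKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$current = (Get-ItemProperty -Path $natKey -Name AssumeUDPEncapsulationContextOnSendRule `
               -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($current -ne 2) {
    New-ItemProperty -Path $natKey -Name AssumeUDPEncapsulationContextOnSendRule `
        -PropertyType DWord -Value 2 -Force | Out-Null
    Write-Warning 'Set AssumeUDPEncapsulationContextOnSendRule=2; reboot before the first dial.'
}

# Verify what actually landed instead of assuming the cmdlets did what was asked.
$conn = Get-VpnConnection -Name $ConnectionName -AllUserConnection
$ok = ($conn.ServerAddress -eq $ServerAddress) -and
      ($conn.TunnelType -eq 'L2tp') -and
      ($conn.L2tpIPsecAuth -eq 'Psk') -and
      ($conn.AuthenticationMethod -contains 'Pap') -and
      ($conn.EncryptionLevel -eq 'Required')
if (-not $ok) {
    throw "Connection '$ConnectionName' does not match the desired settings: $($conn | Out-String)"
}
"Connection '$ConnectionName' verified."
```

Scheduling this to run at logon or after each update cycle turns the "reconfigure the protocols in the Security tab" chore into a no-op for the helpdesk; the verification step at the end is what tells you whether a given patch has changed the client's behaviour rather than merely its settings.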

 

 
