Client vpn setting issues with windows 10 and 11

WCS-Alan
Here to help


We installed an MX250 last weekend and all is well except client vpn. I followed the instructions in this article https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#Windows_10

 

And on one win10 computer, if I set up the vpn connection with user/password then go to the vpn connection and set the required settings, it changes the vpn properties back to General authentication method, then fails when I try to connect. 

On a Win11 computer I can get the settings set properly, and connect once, then when I disconnect, one setting or the other changes.


 

Has anyone seen this and have a fix?

alemabrahao
Kind of a big deal

@WCS-Alan You can find Powershell scripts to configure the client VPN connection here:

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

 

Take a look over some of the common troubleshooting techniques for issues you are going to run into:

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
WCS-Alan
Here to help

Thanks for that. I can get connected, but when I disconnect, one of the settings changes on the client. Then I have to go back, set it again, and save it; then I can connect again.

So far it is fairly consistent with the win10 computers I have tried. Is there a way to get the settings set so they don't change on their own?

I am unaware of this situation, once the L2TP connection is configured it should remain unchanged.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

I agree, it should... but it isn't in our case for whatever reason....

 

Brash
Kind of a big deal

Are these domain joined computers?

Do you have VPN configuration settings pushed via group policy or something similar that is overriding your manual configuration?

They are domain joined, but there isn't a policy for vpn configurations.

OVERKILL
Building a reputation

Any reason you aren't using AnyConnect? 

I am working towards that. Just trying to get folks connected quickly, then will work on AnyConnect.

 

OVERKILL
Building a reputation

Ahhh, OK, was wondering. I found the Windows client to be more of a pain than it was worth so as soon as I could switch sites to AnyConnect, I did. I expect you'll find the same. 

GIdenJoe
Kind of a big deal

I believe Windows just shows it as general authentication in the GUI, but in essence it is still the same as you have saved it.

If you want to see what is actually under the hood you need to use some Powershell:

Get-VpnConnection -ConnectionName "nameofyourVPN" and check if all the fields are correct.

If you are using split tunnel like you should, you can get your routes like this:
(Get-VpnConnection -ConnectionName "nameofyourVPN").Routes

Make sure you have the correct pre shared key and you are using Pap and optional or noencryption as encryption parameter.
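
The check described in the reply above, written as a script that can be run before connecting and again after disconnecting to see which field changed (an added example, not part of the original post or of Meraki's documentation). The expected values are the ones the reply names; the parameter names and the default connection name are placeholders.

```powershell
# Added example: compare a saved L2TP profile against the settings named in the thread.
param(
    [string]$ConnectionName = 'nameofyourVPN',  # placeholder from the thread
    [switch]$AllUsers                           # check the all-user phonebook instead
)

# Expected values from the reply: L2TP, PAP, pre-shared key, Optional or NoEncryption.
$expected = [ordered]@{
    TunnelType           = @('L2tp')
    AuthenticationMethod = @('Pap')
    L2tpIPsecAuth        = @('Psk')
    EncryptionLevel      = @('Optional', 'NoEncryption')
}

$vpn = Get-VpnConnection -Name $ConnectionName -AllUserConnection:$AllUsers -ErrorAction Stop

$report = foreach ($field in $expected.Keys) {
    # AuthenticationMethod is a list; joining it makes an extra method show up as drift.
    $actual = @($vpn.$field) -join ','
    [pscustomobject]@{
        Setting  = $field
        Actual   = $actual
        Expected = $expected[$field] -join ' or '
        Match    = $expected[$field] -contains $actual
    }
}

$report | Format-Table -AutoSize

# Split tunnel: list the routes pushed for this connection, as in the reply.
if ($vpn.SplitTunneling) {
    $vpn.Routes | Format-Table DestinationPrefix, RouteMetric -AutoSize
}

# The pre-shared key value is not returned by Get-VpnConnection, so only the
# IPsec authentication type (Psk) is checked here, not the key itself.
$drift = @($report | Where-Object { -not $_.Match })
if ($drift.Count -gt 0) {
    Write-Warning ("Settings differ from expected: " + ($drift.Setting -join ', '))
    exit 1
}
Write-Output "Profile '$ConnectionName' matches the expected L2TP settings."
```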

AIOtech
Conversationalist

If you have access to CMAK, I'd suggest using that to build your client VPN. It's been a while since I used CMAK and set ours up, but after configuring with CMAK you'll get a VPN client exe. Then you can just double-click on it to install on machines, or roll it out however you prefer. Yes, it's old, but it still works great. We are using RADIUS L2TP/IPSEC with our MX for the Windows client VPN. Here's more info on it: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc...
