Meraki MX64 Windows 10 VPN setup resets

SOLVED
Tehsin
Here to help

Meraki MX64 Windows 10 VPN setup resets

Hello Fellows,

 

I have setup SD-WAN and Client VPN everything look ok.

 

Except for the thing that the settings for few of my workstations (Windows 10) resets everytime.

 

Either the authentication methods changes to general or PAP changes to CHAP.

 

Is there anyway to prevent this.

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal
Kind of a big deal

Try using my client VPN wizard to create a powershell script to configure the client.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

 

It uses the new VPNv2-CSP engine in Windows 10 (which is not accessible via the GUI) and the new engine is much more reliable.

View solution in original post

23 REPLIES 23
nealgs
Building a reputation

Hi Tehsin,,

 

this is a known problem unfortunately - issue is with Win10 and still hasn't been resolved after all this time.

 

There is a script around somewhere that helps - try a search for win 10 vpn client problems.

 

rgds

Gary

PhilipDAth
Kind of a big deal
Kind of a big deal

Try using my client VPN wizard to create a powershell script to configure the client.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html 

 

It uses the new VPNv2-CSP engine in Windows 10 (which is not accessible via the GUI) and the new engine is much more reliable.

How do i know if it is a split or full tunnel for VPN Client?

nealgs
Building a reputation

IIRC windows 10 client defaults to tunnel all.

 

in the script that PhilipDAth points to you can select tunnel type 🙂

 

rgds

Gary

I understand that I can choose the tunnel type...my confusion is which tunnel type do I choose?

Bruce
Kind of a big deal

Choosing full tunnel means all your traffic goes into the VPN to the head-end MX and then onwards from there, including internet traffic. Split tunnel generally means only the traffic heading to your internal networks goes into the VPN, any traffic going to the internet get sent directly, bypassing the VPN tunnel.

Lloydy
Conversationalist

i found the script at https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html to be great but hoping there is a powershell guru out there that could possible adjust the script to make it apply to all users rather then a single user profile as i need to be able to use the vpn at login screen.

PhilipDAth
Kind of a big deal
Kind of a big deal

It does apply to the all users profile (login in as a different user and you'll see).

 

The issue is Windows does not allow L2TP with PAP to be used before login.  Nothing that can be done about this.

 

Lloydy
Conversationalist

mmm okay, just if i manually create the vpn connection using the normal gui method and tick all user i do see it at login screen.  however that does not apply the split tunnel ect like your script does 😉

I will second the issues on not showing up for all users in Windows version 2004. We have quite a few computers where this script will work on some and on some it will give a "General error with no specific details has occurred" or it will only show up for the admin account that ran the script and not regular users - identical script. For those that the script successfully installs, it works perfectly. 

PhilipDAth
Kind of a big deal
Kind of a big deal

The script does use the newer VPNv2-CSP sub-system in Windows 10.  It's possible Microsoft might be introducing and fixing bugs in some releases.

 

I'm currently running the 20H2 release (build 19042.685) and can't reproduce any issues.  If in doubt, apply the current Windows feature pack.

Don't want to derail this thread too much - but I just setup a fleet of 20H2 devices (some upgraded, some fresh installs) and I am still seeing an issue where the script does not apply to all users-just the admin user the script is run as. Non-admin users cannot run the script. I am running the script in an elevated PowerShell session. 

PhilipDAth
Kind of a big deal
Kind of a big deal

I've had good look at the new VPVNv2 CSP options again.

https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp 

 

You can deploy the configuration to either "Device" or "User".  When I deploy them to "Device" it actually does it for the SYSTEM user.  No users see the settings.

You can deploy the settings to a specific user SID - but there is no SID for "All Users".

 

So it seems the new VPNv2 CSP engine can only deploy settings to a single specific user (because my script does not specify a SID it does it for the "current" user).

 

The WMI-Bridge documentation (which is used to access VPNv2 CSP) says it can only be accessed by someone with Administrator privileges.  It does not mention any finer grained permissions.

 

 

So it looks like Microsoft is envisaging the new world to be one where each device has a single user, and that the user has administrator privileges for that device, or least at the point in time the configuration is deployed to it.

 

 

This is the documentation for the "Configuration Service Provider" which is the new framework for deploying Windows 10 settings.  The same system is used for deploying settings to any managed device, including mobile.  It is one beast to rule them all.

https://docs.microsoft.com/en-us/windows/client-management/mdm/configuration-service-provider-refere... 

I'm no PowerShell expert but I've been looking into how to work around this - 

 

This old thread seems to have a solution - https://github.com/MicrosoftDocs/windowsserverdocs/issues/580

It says if you run the script as NT AUTHORITY\Local System you can pass the SID of the currently logged in user, so the user does not need to be a local admin to install the script. However the script itself needs to be run as Local System, which the thread suggests doing as a Scheduled Task in Windows.

 

I'm not a huge fan of trying to configure a one-off Scheduled Task and I imagine you could also have a script that just asks for the targeted username and translates that into an SID, or recursively installs for every SID present on the device. Perhaps the latter makes more sense.

 

If I make any progress on modifying your script to support this I'd be happy to pass it onto you - but you might be faster at making this change than myself.

PhilipDAth
Kind of a big deal
Kind of a big deal

I've updated the script now so that it now queries Win32_ComputerSystem to get the currently logged in user, extracts their SID, and creates the VPN profile under that account.

 

I've tested this running under the SYSTEM account and it works nicely.

Did you publish those changes to https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html or a public GitHub repository? This would be incredibly helpful...

 

I've been trying to test grabbing all SIDs using wmic and feeding that into a loop but I'm getting some weird behaviors.

PhilipDAth
Kind of a big deal
Kind of a big deal

They are published to the web site.

I can't get the VPN connection to install under the logged on user when running the script as an admin.  It only shows up under the admin's account.  How are you running it as System?  Using a deployment software, like PDQ Deploy?

 

Thanks,

 

First @PhilipDAth  thanks for the update! It is working pretty well. still working on a good way to script it to run as system via PowerShell with our tools.

 

@Duke_Nukem - You need to specifically run it under NT AUTHORITY\SYSTEM. An easy but hacky way to do this is with PsExec.exe 

 

  1. Copy PsExec.exe to the target computer
  2. In an administrative powershell, run the following command. This will not work in a standard admin powershell.

    ./PsExec.exe -s -i -accepteula powershell.exe
  3. In the new PowerShell window, paste the script contents. This windows is running as NT SYSTEM\AUTHORITY and not local admin

 

https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Foxo
Here to help

Oh, and as an FYI - in ConnectWise Automate Backstage and Automate script - it works because the tool runs as NT AUTHORITY\SYSTEM. We currently have access to this tool.

 

Any tool that runs as that service account will work fine. Getting it scripted when you have an environment with minimal automation tools is tough. 

Thanks!  And thanks to @PhilipDAth for the excellent script/webpage that makes it!  I was able to use our deployment software to push it to a few test machines as the System account.  That worked. 

 

Other questions, and sorry for my ignorance on some of these questions.  Been down so many search rabbit holes...

 

I'm trying to get Cisco Meraki support to change the Client VPN settings (AES128 and Group 14).  Just on our DR site's MX, for testing. 

When they make the change, will my current VPN client on Windows 10 (created with the CMAK) still connect, but just at a lower encryption?

In order to use the PCI compliant encryption, I would need to redeploy our VPN client, like the one I created using PhilipDAth's script?  Or can I somehow script the change in just the Cryptographic suite being used for the current VPN connection?

Lastly, do I need to have Cisco Meraki support turn off the lower encryption (3DES?) that is being used for the VPN client currently, to pass the PCI scans?  

 

Sorry for all the questions.  Just trying to get a handle on this, and trying not to have this blow up in my face.  

 

Thanks!

 

 

Alas, Windows 10 does not negotiate between its default settings and AES128/Group 14.  I've tried.  So when you get Meraki support to enable this stronger mode existing clients will not be able to connect until they get re-deployed.

>Lastly, do I need to have Cisco Meraki support turn off the lower encryption (3DES?) that is being used for the VPN client currently, to pass the PCI scans?

 

They can't.  They can only specify one setting.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels