Meraki VPN Client ?

sstefan
Conversationalist

Hello (sorry, new to the MX) 🙂

Is there a Meraki VPN Client or is this the best/only way to have a PC connect to an MX for client VPN service ?  https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration  

 

Also, does not look like the Cisco AnyConnect client can be used according to this post, but, want to confirm this is still the case:  https://community.meraki.com/t5/Security-SD-WAN/Wish-VPN-Client/m-p/2428#M600

 

thanks for the help

WadeAlsup
A model citizen

Hi @sstefan

 

You are correct. There is no corresponding VPN application/software needed for Meraki Client VPN. Cisco AnyConnect is not compatible with Meraki Client VPN. 


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
PhilipDAth
Kind of a big deal

One of my biggest problems with using the built-in L2TP over IPsec client in Windows (which is what you need to use for the user-to-site VPN client) was the pain in setting up the clients.  That was until I found this one-line piece of PowerShell.  Now setting up the user machines is simple.

 

Add-VpnConnection -AllUserConnection -Name "[insert VPN name]" -ServerAddress [insert IP/hostname for VPN] -TunnelType L2tp -DNSSuffix "[insert domain name]" -EncryptionLevel Optional -AuthenticationMethod PAP -L2tpPsk "[insert VPN password]" -Force -PassThru

@PhilipDAth, I use the same. Don't remember where I found it...maybe from you? 


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂

I can't take the credit.  Someone else posted it here.

It was me
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

I'm new to the MX and trying to set up Client VPN for the 1st time.  Not enjoying it!  🙂

 

In your PowerShell script, can someone explain what gets put into the DNSSuffix "[insert domain name]" field?

I'm currently attempting to use the Meraki Cloud user authentication.  


Could someone perhaps provide an example?

That is usually your Active Directory domain name.  In your case, leave that whole option out.

 

Add-VpnConnection -AllUserConnection -Name "[insert VPN name]" -ServerAddress [insert IP/hostname for VPN] -TunnelType L2tp  -EncryptionLevel Optional -AuthenticationMethod PAP -L2tpPsk "[insert VPN password]" -Force -PassThru

Thanks!  I plan on AD but figured I'd attempt the standard Meraki Cloud authentication first, as it theoretically eliminates a potential source of troubleshooting. 

 

Nope.  Even after your handy script, Windows 10 error 789 on every connection attempt.

 

The Meraki has a static, public IP connected directly to a cable modem (Time Warner/Spectrum).

 

PC is simply behind a standard household router.

 

This doesn't bode well.  I've been using Sophos for some time, who customizes their client software based upon OpenVPN.  It always just works.

Are you using the DNS address to connect or the IP address? Do you have any other 3rd party VPN software installed?

 

You may want to check out this article here: https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789

 

See below:

Windows Error 789


Example event log entries:

Jul 2 13:53:20 VPN msg: invalid DH group 19.
Jul 2 13:53:20 VPN msg: invalid DH group 20.

 

This issue may also result in no event log messages, if the client's traffic doesn't successfully reach the MX's WAN interface.

Possible causes and solutions:

  • Incorrect secret key (pre-shared key in Windows)
    Solution: Ensure that the shared secret is configured correctly on the client machine. It must match between the MX and the client. More information about setting the shared secret can be found in the links at the top of the page.
  • Firewall blocking VPN traffic to MX
    Solution: Ensure UDP ports 500 (IKE) and 4500 (IPsec NAT-T) are being forwarded to the MX and not blocked. If traffic cannot reach the MX on these ports, the connection will time out and fail.
  • IKE and AuthIP IPsec Keying Modules disabled (Windows only)
    Solution: This occurs most often when 3rd party VPN software has been installed and disables the IKEEXT service. This can be re-enabled by navigating in Windows to Control Panel > Administrative Tools > Services. Find the service named "IKE and AuthIP IPsec Keying Modules" and open it. Change the Startup type to "Automatic". If this automatically reverts to "Disabled" or fails to start, it may be necessary to remove the 3rd party VPN software:

Thanks!

I actually got it to work. I'm not entirely certain of the culprit, but I have suspicions. Before I put it in production, I had the Meraki WAN on a Cable modem connection with a Dynamic IP. I could ping the dynamic IP, and the Meraki hostname, but the VPN failed. Once I moved it to a different WAN connection w/ static IP it works. The script above is a thing of beauty. Adds the VPN, user types in credentials, and it seems to just work. I've only tested on a couple of machines, but worked straight away ever since I changed the WAN link. Could be that TWC/Spectrum has some filtering on DHCP modems that they don't on static IP modems? Not sure, but so far, so good.

I get the following errors when trying to use the script.  I manually started PowerShell at administrator level.  I am also using a domain and local admin account on this PC:

 

WARNING: The currently selected encryption level requires EAP or MS-CHAPv2 logon security methods. Data encryption will
 not occur for Pap or Chap.
Add-VpnConnection :  VPN connection SHG_VPN cannot be added to the global user connections. : Access is denied.
At line:1 char:1
+ Add-VpnConnection -AllUserConnection -Name "SHG_VPN" -ServerAddress 2 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (SHG_VPN:root/Microsoft/...S_VpnConnection) [Add-VpnConnection], CimEx
   ception
    + FullyQualifiedErrorId : WIN32 5,Add-VpnConnection

Zane D - IT Manager in Sin City NV
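An added example (not code from the thread or from Meraki) that wraps the Add-VpnConnection one-liner posted above with checks for the two failures reported here: the "Access is denied" (WIN32 5) from adding an all-user connection without elevation, and the error 789 cause where third-party VPN software leaves the IKEEXT service disabled. The bracketed values are placeholders to fill in; $DnsSuffix is an assumed variable, left empty when using Meraki Cloud authentication as advised above.

```powershell
# Added example, not the original poster's script. Placeholders in [brackets]
# must be replaced before running.
$VpnName   = "[insert VPN name]"              # placeholder
$Server    = "[insert IP/hostname for VPN]"   # placeholder
$Psk       = "[insert VPN password]"          # placeholder: IPsec shared secret
$DnsSuffix = $null                            # AD domain name, or $null for Meraki Cloud auth

# 1. -AllUserConnection writes the global phonebook; an unelevated session
#    produces "cannot be added to the global user connections: Access is denied".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated (Run as administrator) PowerShell session."
}

# 2. Error 789 cause from the troubleshooting article: "IKE and AuthIP IPsec
#    Keying Modules" (IKEEXT) disabled, usually by third-party VPN software.
$ikeext = Get-Service -Name IKEEXT
if ($ikeext.StartType -eq 'Disabled') {
    Set-Service -Name IKEEXT -StartupType Automatic
}
if ($ikeext.Status -ne 'Running') {
    Start-Service -Name IKEEXT
}

# 3. Build the connection. Confidentiality comes from the IPsec tunnel keyed by
#    the PSK; PAP is only the inner PPP authentication, so the "Data encryption
#    will not occur for Pap" warning refers to PPP-level MPPE, not the tunnel.
$params = @{
    AllUserConnection    = $true
    Name                 = $VpnName
    ServerAddress        = $Server
    TunnelType           = 'L2tp'
    EncryptionLevel      = 'Optional'
    AuthenticationMethod = 'PAP'
    L2tpPsk              = $Psk
    Force                = $true
    PassThru             = $true
}
if ($DnsSuffix) { $params['DnsSuffix'] = $DnsSuffix }

# Re-running the script should not fail on an existing entry of the same name.
if (Get-VpnConnection -AllUserConnection -Name $VpnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -AllUserConnection -Name $VpnName -Force
}
Add-VpnConnection @params
```

If error 789 persists after this, the remaining causes from the article are a PSK mismatch or UDP 500/4500 not reaching the MX WAN interface, which the client side cannot verify.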


@PaulRusso wrote:

Are you using the DNS address to connect or the IP address? Do you have any other 3rd party VPN software installed?

 

You may want to check out this article here: https://documentation.meraki.com/MX-Z/Client_VPN/troubleshooting_essay_client_VPN#Windows_Error_789

See below:

Windows Error 789


Example event log entries:

Jul 2 13:53:20 VPN msg: invalid DH group 19.
Jul 2 13:53:20 VPN msg: invalid DH group 20.

 

This issue may also result in no event log messages, if the client's traffic doesn't successfully reach the MX's WAN interface.

Possible causes and solutions:

  • Incorrect secret key (pre-shared key in Windows)
    Solution: Ensure that the shared secret is configured correctly on the client machine. It must match between the MX and the client. More information about setting the shared secret can be found in the links at the top of the page.
  • Firewall blocking VPN traffic to MX
    Solution: Ensure UDP ports 500 (IKE) and 4500 (IPsec NAT-T) are being forwarded to the MX and not blocked. If traffic cannot reach the MX on these ports, the connection will time out and fail.
  • IKE and AuthIP IPsec Keying Modules disabled (Windows only)
    Solution: This occurs most often when 3rd party VPN software has been installed and disables the IKEEXT service. This can be re-enabled by navigating in Windows to Control Panel > Administrative Tools > Services. Find the service named "IKE and AuthIP IPsec Keying Modules" and open it. Change the Startup type to "Automatic". If this automatically reverts to "Disabled" or fails to start, it may be necessary to remove the 3rd party VPN software:

 

Hello Paul,

 

I'm also getting error 789. I removed the 3rd party VPN. Should I also switch the DNS server? Is it possible that the firewall may block the VPN traffic to the Meraki MX appliance?
