Meraki client vpn from domain joined windows computer

SOLVED
eritho
Here to help

We are experiencing a strange issue when trying to connect to a Meraki MX 100 from a Windows 10 computer. If we set up the L2TP with IPsec and pre-shared key connection before joining the computer to our domain, it works both before and after joining. But if we join our Windows domain before configuring the L2TP with IPsec and pre-shared key connection, it does not work. The error message in Event Viewer is error 766. Somehow we also get an error message saying something about a certificate, but we are using PSK. It seems that somehow joining the domain breaks the ability to use PSK. Has anyone experienced anything like that, or can point me in the right direction of where to look?

1 ACCEPTED SOLUTION

As I suspected, it was a GPO-related issue. In our default domain policy we set:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
   Value Name: DisableSavePassword
   Value Type: REG_DWORD
   Value Data: 1

Changing Value Data to 0 fixed the issue. This stopped Windows from remembering the pre-shared key.

Regards,

Thomas


4 REPLIES
DCooper
Meraki Alumni (Retired)

It has something to do with the security settings that are most likely changed via GP when you add the device to the domain. You can fix that, or you can follow the document below, make sure PAP only is checked and re-enter the PSK; those are the most common issues.

https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_OS_Configuration

If the PSK and PAP only don't work use the link to re-create the profile.

Thank you for your reply DCooper.

We have recreated the VPN connection according to the documentation over and over again. The only thing that makes a difference is to create the VPN connection before joining the domain.

We also suspect that there is a GPO or something like that that messes things up for us, but the thing is that we don't do much via GPO and nothing with regard to PSK / certificates. Do you know of some default settings regarding domains that we should be aware of?

Jono
Just browsing

I was having issues connecting both Windows 7 and Windows 10 clients when behind a NAT. I have confirmed that the native L2TP/IPsec Windows supplicant will work after applying the following registry edit, found here.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
   Value Name: AssumeUDPEncapsulationContextOnSendRule
   Value Type: REG_DWORD (32-bit)
   Value Data: 2

Reboot and retest, you should be good to go!
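An added audit script (not from this thread or from Meraki) that checks the two registry values discussed above on a domain-joined client, the RasMan DisableSavePassword value from the accepted solution and the PolicyAgent NAT-T value from Jono's reply, and lists the native L2TP profiles so their auth settings can be compared with the Meraki document. It assumes an elevated PowerShell session on the client; the function name and the "expected" values are mine, taken from what the posters reported as working. Keep in mind that DisableSavePassword=1 is a credential-caching hardening setting, so if a GPO enforces it a local change is reverted at the next policy refresh and the change belongs in the GPO.

```powershell
# Added example: audit the two registry values discussed in this thread.
# Run elevated on the domain-joined Windows client. Read-only; it changes nothing.

$checks = @(
    [pscustomobject]@{
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\Parameters'
        Name     = 'DisableSavePassword'
        Expected = 0
        Note     = 'Value 1 (pushed by GPO in this thread) stops RasMan caching the L2TP PSK; symptom was error 766'
    },
    [pscustomobject]@{
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
        Name     = 'AssumeUDPEncapsulationContextOnSendRule'
        Expected = 2
        Note     = 'Only relevant when the client and/or MX sit behind NAT (IPsec NAT-T)'
    }
)

function Get-L2tpClientRegistryStatus {
    foreach ($c in $checks) {
        # A missing value yields $null instead of an exception.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }

        # DisableSavePassword absent means "not disabled", which is the working state;
        # the NAT-T value absent means NAT-T will not work, so report it as not OK.
        $ok = ($actual -eq $c.Expected) -or
              ($null -eq $actual -and $c.Name -eq 'DisableSavePassword')

        [pscustomobject]@{
            Value    = "$($c.Path)\$($c.Name)"
            Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
            Expected = $c.Expected
            Ok       = $ok
            Note     = $c.Note
        }
    }
}

Get-L2tpClientRegistryStatus | Format-Table -AutoSize -Wrap

# Native VPN profiles: compare TunnelType / AuthenticationMethod / L2tpIPsecAuth
# against the Meraki client VPN document (L2TP, PSK, PAP).
Get-VpnConnection -ErrorAction SilentlyContinue |
    Where-Object TunnelType -eq 'L2tp' |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, L2tpIPsecAuth
```

Run gpresult /h or the Group Policy Results wizard alongside it if a value is already 1 after a reboot, since that points at the policy that is setting it.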
