[Question] - How to deploy Client-VPN, L2TP+PSK? CMAK? GPO?

e39_540i
Getting noticed


I've done a quick search and it seems this question has yet to be truly answered. I need to deploy the Meraki Client VPN solution. Our current configuration is with the PSK but if there's a better method for authenticating the user/machine (certificate?) I'm all ears.


I need to outline a clear plan before doing so but even Microsoft's documentation on CMAK doesn't indicate a field to define the PSK. I didn't read thoroughly enough. It looks like they do talk about the PSK but it isn't recommended. https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd...


How is everyone else deploying this solution?

Forgot to mention I have all Windows 10 endpoints.


Thanks!

dalmiroy2k
Getting noticed

You can use Active Directory validation or, if you have system manager licences, Systems Manager Sentry VPN security validation.


https://n129.meraki.com/manage/support?search_term=4057

Yeah, unfortunately we're not using SM; we're using Microsoft's Intune MDM solution.

I should note that we are already using RADIUS for authentication. The piece that's missing here is the ability to deploy the VPN connection either with the PSK already defined so that information does not need to be disseminated to the user, OR use a certificate in place of PSK. I've always used PSK so configuring the VPN connection to use a certificate would be new to me.

Lastly would be the mass deployment part. I have a number of users who require the use of the VPN and configuring this on an individual basis would be cumbersome and inefficient. I believe it can be done through GPO but not 100% sure on that. I just want to get an idea for how others out there deploy the Client VPN solution to their users.

Windows GPO can be used to push out a VPN template, but not a PSK.  The only way to deploy this at scale and not lose your mind is to use certificates.


Once an auto-enrolling certificate template exists in AD, a separate GPO would be used to auto-enroll your users using that certificate template.  That user certificate would then be referenced in the VPN profile.

PhilipDAth
Kind of a big deal

CMAK is the most comprehensive, but the most painful to set up initially.


PowerShell is halfway in between. Quick to set up, and you can just run the script on Windows 10 machines.

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html


I tend to use PowerShell.
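As an added example (not code from the thread or from Meraki), here is the kind of PowerShell script the reply above refers to, answering the deployment question earlier in the thread: it creates the L2TP/IPsec Client VPN profile with the PSK already in place, so nothing has to be handed to the user, and it can be run by a GPO startup script or an Intune PowerShell script. The server name, PSK and DNS suffix are placeholder assumptions; replace them before use. Run it elevated on Windows 10.

```powershell
# Added example, not from the original post. Creates a Meraki-style L2TP/IPsec
# Client VPN profile with the pre-shared key embedded, machine-wide, via the
# built-in VpnClient cmdlets (Add-VpnConnection, Get-VpnConnection).
param(
    [string]$Name          = 'Meraki VPN',
    [string]$ServerAddress = 'vpn.example.com',            # assumption: MX public hostname
    [string]$Psk           = 'REPLACE_WITH_SHARED_SECRET', # assumption: the PSK from Dashboard
    [string]$DnsSuffix     = 'corp.example.com'            # assumption: internal DNS suffix
)

# Meraki Client VPN is L2TP over IPsec with a PSK. The user credential (here,
# RADIUS) is carried as PAP inside the already-encrypted IPsec tunnel, which is
# why the PPP-level MPPE setting can be Optional: confidentiality comes from IPsec.
# -AllUserConnection writes the profile to the machine-wide phonebook so it exists
# for every user, which is what you want when the script runs as SYSTEM.
if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
    # Re-running the script replaces the old profile instead of failing on a duplicate.
    Remove-VpnConnection -Name $Name -AllUserConnection -Force
}

Add-VpnConnection -Name $Name `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $Psk `
    -AuthenticationMethod Pap `
    -EncryptionLevel Optional `
    -DnsSuffix $DnsSuffix `
    -AllUserConnection `
    -Force

# Clients on home routers are NATed, and the MX is often behind another NAT.
# Windows only negotiates IPsec NAT-T in that case when this documented
# registry value is set (Microsoft KB 926179; a reboot is needed after changing it).
$policyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $policyAgent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

# Show what was written. The PSK is not part of the output.
Get-VpnConnection -Name $Name -AllUserConnection |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, DnsSuffix
```

Two things to keep in mind with this approach. The PSK still lives in the script, so anyone who can read the deployment share, the GPO SYSVOL folder, or the Intune script can read it; that is the inherent cost of a shared secret, and it is why the certificate-based replies in this thread exist. And PAP is only acceptable here because it is encapsulated in IPsec; the same profile with the IPsec layer misconfigured would send RADIUS passwords in the clear.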

CloudViking86
Here to help

Just wanted to reference this "UserVoice" idea, which is that Intune should support configuring VPN with L2TP-PSK / PAP:
https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/41712955-enhanced-l2tp-configu...


Please upvote that if you are using Intune and want to be able to manage the Meraki VPN more easily.
