Will ClientVPN / L2TP be deprecated?

RaphaelL
Kind of a big deal

Hi,

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

Android has already deprecated L2TP. ChromeOS will be Android in the near future. Microsoft has deprecated L2TP for Servers.

So the future of L2TP is uncertain. 

Will Meraki continue to support L2TP in the next versions?

Will Meraki offer other alternatives?

I'm aware of AnyConnect/SecureConnect.

As a large customer, migrating all our ClientVPN to an alternative (SecureConnect or else) does take a while. To be aware of this sunset is crucial.

alemabrahao
Kind of a big deal

You can use Smart VPN Client. 😄

https://www.draytek.com/products/smart-vpn-client/

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

Here is a question.  Does the Draytek SmartVPN Client actually implement the entire IPsec and L2TP stack itself, or is it a GUI that uses the underlying capabilities of the OS?

If it relies on the OS to provide L2TP and IPsec, then it would also be affected by Microsoft deprecating L2TP.

alemabrahao
Kind of a big deal

Great question. 🤔

alemabrahao
Kind of a big deal

From what I've read and understood, for L2TP/IPsec, it depends on the VPN stack of the underlying operating system, especially on Windows, so I believe it will be a problem. 😕

pdeleuw
Building a reputation

The question is: Why L2TP? L2TP on its own is useless, because there is no encryption. Therefore L2TP is combined with IPsec. Namely IPsec with IKEv1. IKEv1 was not designed for remote access. IKEv1 does not offer user authentication, it does not offer IP configuration. That's where L2TP comes into play. L2TP uses PPP, PPP brings user authentication and IPCP (IP configuration). The other way was to use proprietary extensions like XAUTH and Mode_config.

IKEv1 is old, IKEv2 is the more modern version, it comes with native user authentication and config mode. So the alternative is using IKEv2 instead of IKEv1, there is no need of L2TP. This is the way the Secure Client works.

Indeed, Cisco could support IKEv2 with OS-native clients. But what is the future of the MX? The future brings the Catalyst 8000 series router. I think they will supersede the MX. The Catalyst 8000 will come with Flex VPN and SSL VPN support.

alemabrahao
Kind of a big deal

Why don't many customers want to pay for an Anyconnect license?

For me, a simple and inexpensive solution is to use Strongswan.

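As an added example (not configuration posted by anyone in this thread, and not Meraki's), here is a minimal strongSwan swanctl.conf for the IKEv2 remote-access design pdeleuw describes above, on the strongSwan server alemabrahao suggests: IKEv2 authenticates the user natively with EAP and assigns the client address through its configuration payload, so there is no L2TP/PPP layer and no IKEv1 at all. The hostname vpn.example.com, the certificate file name, the 10.0.0.0/8 and 10.99.0.0/24 ranges, the DNS server and the test user are assumptions for the example.

```conf
# Added example: IKEv2 remote-access server in strongSwan (swanctl.conf syntax).
# Assumed values: vpn.example.com, certificate file name, address ranges, DNS, user.
connections {
    ikev2-ra {
        version = 2                 # IKEv2 only; no IKEv1, so no L2TP needed
        proposals = aes256gcm16-prfsha384-ecp384, aes256-sha256-ecp256
        rekey_time = 0s             # let the client drive IKE rekeying
        fragmentation = yes         # IKEv2 fragmentation for large EAP/cert exchanges
        dpd_delay = 30s
        pools = ra-pool             # IKEv2 config payload replaces PPP/IPCP
        send_cert = always          # OS-native clients expect the server cert every time

        local {
            auth = pubkey           # server proves its identity with a certificate
            certs = vpn.example.com.pem
            id = vpn.example.com    # must match a SAN in the certificate
        }
        remote {
            auth = eap-mschapv2     # native IKEv2 user authentication
            eap_id = %any
        }
        children {
            ra {
                local_ts = 10.0.0.0/8       # networks reachable through the tunnel
                esp_proposals = aes256gcm16-ecp384, aes256-sha256-modp2048
                dpd_action = clear
            }
        }
    }
}

pools {
    ra-pool {
        addrs = 10.99.0.0/24        # client addresses handed out via CFG_REPLY
        dns = 10.0.0.53
    }
}

secrets {
    # EAP credentials for an assumed test user; see note below
    eap-alice {
        id = alice
        secret = "change-me"
    }
}
```

Drop the file into /etc/swanctl/conf.d/ and run `swanctl --load-all`; the built-in Windows, macOS/iOS and Android IKEv2 clients then need only the server FQDN, the CA certificate that issued the server certificate, and the user's EAP credentials. The caveat a practitioner will want: EAP-MSCHAPv2 stores reusable secrets on the gateway, so for anything beyond a lab, authenticate against RADIUS (`auth = eap-radius`) or use client certificates with `eap-tls`, which also removes the password from the exchange entirely.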
PhilipDAth
Kind of a big deal

I am also a big StrongSwan fan.  I often use it for site to site VPNs.

PhilipDAth
Kind of a big deal

Instead of answering your question, I'm going to ignore it and ramble.

We've already moved most of our clients to Cisco Secure Client/Anyconnect.

We have small clients with five people to very large clients.  One of the "issues" is that the minimum purchase quantity for Secure Client is 25 licences.

I like the Secure Client cloud management platform.  I like being able to push out client updates.  I like being able to push out config changes.  Are you replacing a VPN head end and want everyone to connect to a different FQDN, no problem.  I like that you can create profiles, like "Production" and "Pilot", and dynamically move machines between them to test changes before rolling them out.  I like that you can push out new modules, like Umbrella, with just a few mouse clicks.  I like the inventory data and reporting that comes back.

And I like that this platform is free.  I don't like that it is hard to get it set up for a new client.

https://secure-client.apjc.security.cisco.com/

My world was good.  Then SecureConnect came along.

SecureConnect on the "Cisco Secure Connect Complete Essentials" plans gives you access to ipsec "Tunnels".  I have not tested this feature yet to a public cloud provider.

You can build IPSec tunnels to clouds like AWS and Azure.  This means you don't need to use a VMX, or pay the cloud hosting fee.

I'm currently conducting a pricing exercise.  If you could obtain SecureConnect for the same price or less than two VMX (and their associated cloud hosting costs) - would you?  This path sounds simpler.

https://docs.umbrella.com/umbrella-user-guide/docs/manage-tunnels

Delving sideways; it has pre-made wizards to help you create site to site IPSec VPNs to lots of different kinds of devices.  The MX platform is not great with its site to site IPSec support.

It has lots of documentation showing how to create the config on the other end.

https://docs.umbrella.com/umbrella-user-guide/docs/tunnels

Also, as a bonus, you also get Umbrella with "Cisco Secure Connect Complete".  If a customer is already using Umbrella, this makes migrating them into SecureConnect even more compelling.

The Secure Client management isn't as comprehensive as the Secure Client cloud management platform.  The cloud management platform lets you update clients BEFORE they connect, or even run the client.  A user can turn on their machine, and the cloud platform will update their software and settings automatically.

SecureConnect is based more on the traditional AnyConnect approach, where the client receives updates while connecting.  Same as with an MX/ASA/Firepower/SecureFirewall.

However, it still allows you to perform many of the configuration tasks.

Another bonus with SecureConnect is that the minimum purchase quantity is (I believe) 1 - not 25.  I have already sold one licence for 5 users.

SecureConnect also gets you access to global head ends.  Do you have users who travel around the world?  SecureConnect (by default, unless you change it) connects them to the nearest head end (in Cisco's cloud).

If you use SecureConnect to connect up your public clouds and your users, you can then use the cloud firewall built in to control who can talk to what.  It also has excellent logging and auditing.  You can see every single flow.  If you make sure all your users have SecureClient installed, you can even create rules based on username or group rather than IP address.

Did I mention it can also integrate with your users in Entra ID/Active Directory?

Did I mention that it can also perform posture assessments?

So my torture I keep thinking about:

  • If a client wants a remote access client VPN, and access to servers in a public cloud, when does it become cheaper to sell them SecureConnect (as opposed to VMX+cloud hosting cost)?  Forget all the other features.
  • Even if a client just wants access to their public clouds, is SecureConnect a better solution to provide that connectivity using its network tunnel support, especially with regard to HA.
  • Currently, I use a virtual appliance (like a vASA or StrongSwan) for customers with complex IPSec site-to-site VPNs.  Would this be an alternative solution?
  • With SecureConnect having native EntraID support - is this a better fit for my customers that are 100% cloud native.
  • Creating firewall rules for customers using a VMX in a public cloud is a bit of a pain.  Do you do them in the public cloud?  Do you use the Meraki organisation VPN rules?  The SecureConnect cloud firewall would be a great place to centralise those rules, and the logging and auditing are amazing.  And being able to create rules based on username or group is fabulous.  Should I just be moving across to this approach because of the awesome visibility and capabilities?


So I take your question about L2TP and I raise you an entirely different approach.

ConnorL
Meraki Employee All-Star

FWIW, the best person/team to ask about feature roadmap/enhancement/deprecation etc is your account manager. I (in Support) haven't heard anything about Client VPN being deprecated.

RaphaelL
Kind of a big deal

Will do. 

I was only testing the waters in case someone from the MX team finds my thread 😅

BlakeRichardson
Kind of a big deal

I have wondered this as well, I use client VPN at home but for business purposes I'm using IPsec with a different firewall vendor. 

I 100% agree that minimum licence quantities are a huge obstacle for small businesses. The minimum being 25 is way too high IMO and this seems to be an industry figure as I have seen it with tons of other vendors i.e. software, MDM, security vendors etc.

I think a minimum of 5 is a much better figure.

If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.
Brash
Kind of a big deal

I honestly kind of wish the industry as a whole would get rid of L2TP client VPN.

It seems to be this half-supported technology that some companies have phased out and others have left but don't really pay too much attention to.

^ Not just speaking of Meraki on this one - I'm finding other vendors have unofficially given up on it.
