Meraki

Community

Wish: VPN Client

ToddG2112
New here
‎Sep 28 2017 8:37 PM
‎Sep 28 2017 8:37 PM

Wish: VPN Client

Windows 10 client VPN is buggy and unreliable.  Constant change from PAP to CHAP in options on the adapter, and toggling the sign in method from General to User/Pass.  Never ending source of frustration.  There is literally no way to deploy multiple VPN connections across environment without using CMAK, and it is still a deprecated tool that is buggy on it's best days, and not flexible enough to even be considered an option.

21 Replies 21
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Sep 28 2017 8:55 PM
‎Sep 28 2017 8:55 PM

I wish somehow that the existing Cisco AnyConnect client could be made to work on the Meraki MX. The tricky bit is how to handle the certificate to allow this.

Perhaps allow people to setup a CNAME from their domain (vpn.company.com) to the MX dynamic DNS entry. Then Meraki could use a single wildcard certificate for every MX on the planet.
In response to PhilipDAth
MilesMeraki
Head in the Cloud
‎Sep 29 2017 2:01 PM
‎Sep 29 2017 2:01 PM

It's been said for a while that they are trying in integrate the Cisco Any-connect client into the Meraki portfolio. I could imagine this issue is costing them quite a few wins so I assume it'll be soon to be released.
Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
MijanurRahman
Getting noticed
‎Sep 29 2017 1:07 AM
‎Sep 29 2017 1:07 AM

Did you try with OPENVPN client? It's an open-source & community driven client supports L2TP/IPSec. It also have VPN server capability but you can shutdown the service.
0 Kudos
Samir
Here to help
‎Oct 7 2017 5:37 PM
‎Oct 7 2017 5:37 PM

I haven't used it yet myself, but I've heard the shrewsoft client is quite nice and robust. I'd give that a shot vs waiting on anyconnect.
0 Kudos
In response to Samir
RichH
Here to help
‎Nov 9 2017 1:31 PM
‎Nov 9 2017 1:31 PM

Shrewsoft does not show any updates since 2013?  Can anyone actively using shrewsoft with an MX appliance enlighten us if it works and is secure?  I feel with all the openvpn and openssh exploits in the last few years this is not a good thing on the part of shrewsoft.

0 Kudos
DenisJaworski
Here to help
‎Oct 19 2017 5:26 AM
‎Oct 19 2017 5:26 AM

The MX series is only able to use IKEv1 at the moment. Since AnyConnect uses IKEv2 for negotiating the VPN it's not possible to use it at the moment...I would also love to use it for my customers. As far as I know Meraki is working on IKEv2 for MX and AnyConnect afterwards.

Mr_IT_Guy
A model citizen
‎Oct 19 2017 6:19 AM
‎Oct 19 2017 6:19 AM

We actually created a script to push out the VPN and settings to our Windows 10 users. Was very simple to do using PowerShell. No CMAK required 🙂 

Add-VpnConnection -AllUserConnection -Name "[insert VPN name]" -ServerAddress [insert IP/hostname for VPN] -TunnelType L2tp -DNSSuffix "[insert domain name]" -EncryptionLevel Optional -AuthenticationMethod PAP -L2tpPsk "[insert VPN password]" -Force -PassThru
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to Mr_IT_Guy
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Oct 19 2017 11:30 AM
‎Oct 19 2017 11:30 AM

@Mr_IT_Guy that is excellent!

0 Kudos
In response to Mr_IT_Guy
jsilvius
Here to help
‎Jan 9 2018 5:30 PM
‎Jan 9 2018 5:30 PM

Just wish this worked with Windows 7. My company isn't ready to move to windows 10 yet.
0 Kudos
In response to jsilvius
Mr_IT_Guy
A model citizen
‎Jan 10 2018 9:17 AM
‎Jan 10 2018 9:17 AM

You can use CMAK to configure this on Win 7. The only problem is that once you've configured the file and install it on the end user computer, you cannot go back and change some settings in the created VPN. Instead you would have to create a new install file, remove the old VPN, and install the new.
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
In response to Mr_IT_Guy
jsilvius
Here to help
‎Jan 10 2018 9:26 AM
‎Jan 10 2018 9:26 AM

Thanks, I'll look into it.

0 Kudos
In response to Mr_IT_Guy
Fabo
Conversationalist
‎Mar 23 2018 9:14 PM
‎Mar 23 2018 9:14 PM

You are using "-EncryptionLevel Optional". Does this mean the authentication is sent in cleartext? As per the guidelines in this document, it suggests you require encryption (seen in the images) whilst using PAP. 

 

I too am trying to figure out how to deeply this VPN config.

0 Kudos
In response to Fabo
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 23 2018 9:17 PM
‎Mar 23 2018 9:17 PM

IPSec is bought up first, and then L2TP runs over that.  Everything is encrypted.

In response to PhilipDAth
Fabo
Conversationalist
‎Mar 23 2018 9:19 PM
‎Mar 23 2018 9:19 PM

Thanks mate, I was a little worried about that!

0 Kudos
In response to Mr_IT_Guy
BeckerIT
Here to help
‎Jan 3 2019 11:54 AM
‎Jan 3 2019 11:54 AM

I've put togther a similar set powershell scripts,  which create the vpn connection, and (as needed) can also reset the configuration of the vpn connection.

0 Kudos
In response to BeckerIT
Damien-A
New here
‎Apr 25 2019 1:33 PM
‎Apr 25 2019 1:33 PM

@BeckerIT Care to share that script?

0 Kudos
In response to Damien-A
BeckerIT
Here to help
‎Apr 26 2019 7:07 AM
‎Apr 26 2019 7:07 AM

Sure, 

ResetVPNConnection.ps1
Set-VpnConnection -Name "ConnectionName" -ServerAddress WAN Public IP -AuthenticationMethod Pap -DnsSuffix AD domain name -EncryptionLevel Optional -Force -L2tpPsk VPNPSK -RememberCredential $true -TunnelType L2tp

CreateVPNConnection.ps1
Add-VpnConnection -Name "Connection Name" -ServerAddress WANPublicIP -AuthenticationMethod Pap -DnsSuffix ADDSdomainName -EncryptionLevel Optional -Force -L2tpPsk VPNPSK -RememberCredential -TunnelType L2tp -AllUserConnection
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -Type DWord

These scripts will do most of creation, but you'll still have to set certain things (like the user credentials, and such) manually. I've also found the DISABLING IPv6 on the VPN adapter also helps with vpn connectivity. 

In response to BeckerIT
cwal21
Getting noticed
‎May 21 2019 11:39 AM
‎May 21 2019 11:39 AM

@BeckerIT Thanks for sharing!

0 Kudos
Bovie2K
Getting noticed
‎Nov 25 2017 3:37 PM
‎Nov 25 2017 3:37 PM

I too would love for AnyConnect to come to MX.

spandorf55
New here
‎Jul 13 2018 6:42 AM
‎Jul 13 2018 6:42 AM

July 2018 - this continues to be a major issue for some Windows 10 workstations every time there is a failed connect the client changes the connection properties (as noted from PAP to CHAP) and then when you correct that you have to go back and reset the login information.  I too vote for a reliable VPN client for my Meraki MX64's.

 

Scott

PreCookedPit
New here
‎Feb 4 2021 3:30 AM
‎Feb 4 2021 3:30 AM

I had the same issue with a Meraki MX64 today. I deauthorized and reauthorized the user from the dashboard and my problem was solved. I hope this helps.

0 Kudos
Back to the top
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.