Windows 10 client VPN is buggy and unreliable. Constant change from PAP to CHAP in options on the adapter, and toggling the sign in method from General to User/Pass. Never ending source of frustration. There is literally no way to deploy multiple VPN connections across environment without using CMAK, and it is still a deprecated tool that is buggy on it's best days, and not flexible enough to even be considered an option.
The MX series is only able to use IKEv1 at the moment. Since AnyConnect uses IKEv2 for negotiating the VPN it's not possible to use it at the moment...I would also love to use it for my customers. As far as I know Meraki is working on IKEv2 for MX and AnyConnect afterwards.
We actually created a script to push out the VPN and settings to our Windows 10 users. Was very simple to do using PowerShell. No CMAK required 🙂
Add-VpnConnection -AllUserConnection -Name "[insert VPN name]" -ServerAddress [insert IP/hostname for VPN] -TunnelType L2tp -DNSSuffix "[insert domain name]" -EncryptionLevel Optional -AuthenticationMethod PAP -L2tpPsk "[insert VPN password]" -Force -PassThru
Shrewsoft does not show any updates since 2013? Can anyone actively using shrewsoft with an MX appliance enlighten us if it works and is secure? I feel with all the openvpn and openssh exploits in the last few years this is not a good thing on the part of shrewsoft.
You are using "-EncryptionLevel Optional". Does this mean the authentication is sent in cleartext? As per the guidelines in this document, it suggests you require encryption (seen in the images) whilst using PAP.
I too am trying to figure out how to deeply this VPN config.
July 2018 - this continues to be a major issue for some Windows 10 workstations every time there is a failed connect the client changes the connection properties (as noted from PAP to CHAP) and then when you correct that you have to go back and reset the login information. I too vote for a reliable VPN client for my Meraki MX64's.
I've put togther a similar set powershell scripts, which create the vpn connection, and (as needed) can also reset the configuration of the vpn connection.
ResetVPNConnection.ps1 Set-VpnConnection -Name "ConnectionName" -ServerAddress WAN Public IP -AuthenticationMethod Pap -DnsSuffix AD domain name -EncryptionLevel Optional -Force -L2tpPsk VPNPSK -RememberCredential $true -TunnelType L2tp CreateVPNConnection.ps1 Add-VpnConnection -Name "Connection Name" -ServerAddress WANPublicIP -AuthenticationMethod Pap -DnsSuffix ADDSdomainName -EncryptionLevel Optional -Force -L2tpPsk VPNPSK -RememberCredential -TunnelType L2tp -AllUserConnection Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -Type DWord
These scripts will do most of creation, but you'll still have to set certain things (like the user credentials, and such) manually. I've also found the DISABLING IPv6 on the VPN adapter also helps with vpn connectivity.