Wish: VPN Client

ToddG2112
New here

Wish: VPN Client

Windows 10 client VPN is buggy and unreliable.  Constant change from PAP to CHAP in options on the adapter, and toggling the sign in method from General to User/Pass.  Never ending source of frustration.  There is literally no way to deploy multiple VPN connections across environment without using CMAK, and it is still a deprecated tool that is buggy on it's best days, and not flexible enough to even be considered an option.

21 REPLIES 21
PhilipDAth
Kind of a big deal

I wish somehow that the existing Cisco AnyConnect client could be made to work on the Meraki MX. The tricky bit is how to handle the certificate to allow this.

Perhaps allow people to setup a CNAME from their domain (vpn.company.com) to the MX dynamic DNS entry. Then Meraki could use a single wildcard certificate for every MX on the planet.

It's been said for a while that they are trying in integrate the Cisco Any-connect client into the Meraki portfolio. I could imagine this issue is costing them quite a few wins so I assume it'll be soon to be released.
Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
MijanurRahman
Getting noticed

Did you try with OPENVPN client? It's an open-source & community driven client supports L2TP/IPSec. It also have VPN server capability but you can shutdown the service.
Samir
Here to help

I haven't used it yet myself, but I've heard the shrewsoft client is quite nice and robust. I'd give that a shot vs waiting on anyconnect.

Shrewsoft does not show any updates since 2013?  Can anyone actively using shrewsoft with an MX appliance enlighten us if it works and is secure?  I feel with all the openvpn and openssh exploits in the last few years this is not a good thing on the part of shrewsoft.

DenisJaworski
Here to help

The MX series is only able to use IKEv1 at the moment. Since AnyConnect uses IKEv2 for negotiating the VPN it's not possible to use it at the moment...I would also love to use it for my customers. As far as I know Meraki is working on IKEv2 for MX and AnyConnect afterwards.

Mr_IT_Guy
A model citizen

We actually created a script to push out the VPN and settings to our Windows 10 users. Was very simple to do using PowerShell. No CMAK required 🙂 

Add-VpnConnection -AllUserConnection -Name "[insert VPN name]" -ServerAddress [insert IP/hostname for VPN] -TunnelType L2tp -DNSSuffix "[insert domain name]" -EncryptionLevel Optional -AuthenticationMethod PAP -L2tpPsk "[insert VPN password]" -Force -PassThru
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

@Mr_IT_Guy that is excellent!

Just wish this worked with Windows 7. My company isn't ready to move to windows 10 yet.

You can use CMAK to configure this on Win 7. The only problem is that once you've configured the file and install it on the end user computer, you cannot go back and change some settings in the created VPN. Instead you would have to create a new install file, remove the old VPN, and install the new.
Found this helpful? Give me some Kudos! (click on the little up-arrow below)

Thanks, I'll look into it.

Fabo
Conversationalist

You are using "-EncryptionLevel Optional". Does this mean the authentication is sent in cleartext? As per the guidelines in this document, it suggests you require encryption (seen in the images) whilst using PAP. 

 

I too am trying to figure out how to deeply this VPN config.

PhilipDAth
Kind of a big deal

IPSec is bought up first, and then L2TP runs over that.  Everything is encrypted.

Fabo
Conversationalist

Thanks mate, I was a little worried about that!

I've put togther a similar set powershell scripts,  which create the vpn connection, and (as needed) can also reset the configuration of the vpn connection.

@BeckerIT Care to share that script?

Sure, 

ResetVPNConnection.ps1
Set-VpnConnection -Name "ConnectionName" -ServerAddress WAN Public IP -AuthenticationMethod Pap -DnsSuffix AD domain name -EncryptionLevel Optional -Force -L2tpPsk VPNPSK -RememberCredential $true -TunnelType L2tp

CreateVPNConnection.ps1
Add-VpnConnection -Name "Connection Name" -ServerAddress WANPublicIP -AuthenticationMethod Pap -DnsSuffix ADDSdomainName -EncryptionLevel Optional -Force -L2tpPsk VPNPSK -RememberCredential -TunnelType L2tp -AllUserConnection
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -Type DWord

These scripts will do most of creation, but you'll still have to set certain things (like the user credentials, and such) manually. I've also found the DISABLING IPv6 on the VPN adapter also helps with vpn connectivity. 

@BeckerIT Thanks for sharing!

Bovie2K
Getting noticed

I too would love for AnyConnect to come to MX.

spandorf55
New here

July 2018 - this continues to be a major issue for some Windows 10 workstations every time there is a failed connect the client changes the connection properties (as noted from PAP to CHAP) and then when you correct that you have to go back and reset the login information.  I too vote for a reliable VPN client for my Meraki MX64's.

 

Scott

PreCookedPit
New here

I had the same issue with a Meraki MX64 today. I deauthorized and reauthorized the user from the dashboard and my problem was solved. I hope this helps.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels