Wish: VPN Client

New here

Windows 10 client VPN is buggy and unreliable. Constant change from PAP to CHAP in options on the adapter, and toggling the sign in method from General to User/Pass. Never ending source of frustration. There is literally no way to deploy multiple VPN connections across an environment without using CMAK, and it is still a deprecated tool that is buggy on its best days, and not flexible enough to even be considered an option.

20 REPLIES 20
Kind of a big deal

Re: Wish: VPN Client

I wish somehow that the existing Cisco AnyConnect client could be made to work on the Meraki MX. The tricky bit is how to handle the certificate to allow this.

Perhaps allow people to setup a CNAME from their domain (vpn.company.com) to the MX dynamic DNS entry. Then Meraki could use a single wildcard certificate for every MX on the planet.
Head in the Cloud

Re: Wish: VPN Client

It's been said for a while that they are trying to integrate the Cisco AnyConnect client into the Meraki portfolio. I could imagine this issue is costing them quite a few wins, so I assume it'll be released soon.
Eliot F | Simplifying IT with Cloud Solutions
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Getting noticed

Re: Wish: VPN Client

Did you try the OpenVPN client? It's an open-source and community-driven client that supports L2TP/IPSec. It also has VPN server capability, but you can shut down the service.
Here to help

Re: Wish: VPN Client

I haven't used it yet myself, but I've heard the shrewsoft client is quite nice and robust. I'd give that a shot vs waiting on anyconnect.
Comes here often

Re: Wish: VPN Client

Shrewsoft does not show any updates since 2013?  Can anyone actively using shrewsoft with an MX appliance enlighten us if it works and is secure?  I feel with all the openvpn and openssh exploits in the last few years this is not a good thing on the part of shrewsoft.

Here to help

Re: Wish: VPN Client

The MX series is only able to use IKEv1 at the moment. Since AnyConnect uses IKEv2 for negotiating the VPN it's not possible to use it at the moment...I would also love to use it for my customers. As far as I know Meraki is working on IKEv2 for MX and AnyConnect afterwards.

A model citizen

Re: Wish: VPN Client

We actually created a script to push out the VPN and settings to our Windows 10 users. Was very simple to do using PowerShell. No CMAK required 🙂 

Add-VpnConnection -AllUserConnection -Name "[insert VPN name]" -ServerAddress "[insert IP/hostname for VPN]" -TunnelType L2tp -DNSSuffix "[insert domain name]" -EncryptionLevel Optional -AuthenticationMethod PAP -L2tpPsk "[insert VPN password]" -Force -PassThru
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Kind of a big deal

Re: Wish: VPN Client

@Mr_IT_Guy that is excellent!

Here to help

Re: Wish: VPN Client

Just wish this worked with Windows 7. My company isn't ready to move to Windows 10 yet.
A model citizen

Re: Wish: VPN Client

You can use CMAK to configure this on Win 7. The only problem is that once you've configured the file and installed it on the end user computer, you cannot go back and change some settings in the created VPN. Instead you would have to create a new install file, remove the old VPN, and install the new one.
Found this helpful? Give me some Kudos! (click on the little up-arrow below)
Here to help

Re: Wish: VPN Client

Thanks, I'll look into it.

Conversationalist

Re: Wish: VPN Client

You are using "-EncryptionLevel Optional". Does this mean the authentication is sent in cleartext? As per the guidelines in this document, it suggests you require encryption (seen in the images) whilst using PAP. 

 

I too am trying to figure out how to deploy this VPN config.

Kind of a big deal

Re: Wish: VPN Client

IPSec is brought up first, and then L2TP runs over that. Everything is encrypted.

Conversationalist

Re: Wish: VPN Client

Thanks mate, I was a little worried about that!

Here to help

Re: Wish: VPN Client

I've put together a similar set of PowerShell scripts, which create the VPN connection and (as needed) can also reset the configuration of the VPN connection.

New here

Re: Wish: VPN Client

@BeckerIT Care to share that script?

Here to help

Re: Wish: VPN Client

Sure, 

ResetVPNConnection.ps1
# -AllUserConnection is required to modify a connection that was created in the global phone book (as CreateVPNConnection.ps1 does)
Set-VpnConnection -Name "ConnectionName" -AllUserConnection -ServerAddress "WAN Public IP" -AuthenticationMethod Pap -DnsSuffix "AD domain name" -EncryptionLevel Optional -Force -L2tpPsk "VPNPSK" -RememberCredential $true -TunnelType L2tp

CreateVPNConnection.ps1
Add-VpnConnection -Name "Connection Name" -ServerAddress "WANPublicIP" -AuthenticationMethod Pap -DnsSuffix "ADDSdomainName" -EncryptionLevel Optional -Force -L2tpPsk "VPNPSK" -RememberCredential -TunnelType L2tp -AllUserConnection
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -Type DWord

These scripts will do most of the creation, but you'll still have to set certain things (like the user credentials, and such) manually. I've also found that disabling IPv6 on the VPN adapter also helps with VPN connectivity.
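
The create and reset scripts above, combined into one idempotent check as an added example (not part of the original post and not from its author): it creates the all-user connection when it is missing and repairs it when the settings have drifted, such as the PAP-to-CHAP change described earlier in the thread. The connection name, server address and DNS suffix defaults are placeholder assumptions.

```powershell
# Added example: create or repair an all-user L2TP/IPsec connection.
# Default values are placeholders (assumptions), not values from the thread.
param(
    [string]$Name          = 'Example VPN',        # hypothetical connection name
    [string]$ServerAddress = 'vpn.example.com',    # hypothetical MX hostname
    [string]$DnsSuffix     = 'corp.example.com',   # hypothetical AD domain
    [Parameter(Mandatory)]
    [string]$Psk                                   # passed at run time, not stored in the script
)

# Settings the connection must have; these mirror the scripts posted above.
$desired = @{
    ServerAddress        = $ServerAddress
    TunnelType           = 'L2tp'
    AuthenticationMethod = 'Pap'
    EncryptionLevel      = 'Optional'
    DnsSuffix            = $DnsSuffix
}

# Look in the global phone book, where -AllUserConnection entries live.
$existing = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue

if (-not $existing) {
    Add-VpnConnection -Name $Name -AllUserConnection @desired -L2tpPsk $Psk -RememberCredential -Force
    Write-Output 'created'
    return
}

# Compare every desired setting with the current value and record differences.
$drift = foreach ($key in $desired.Keys) {
    $actual = ($existing.$key | ForEach-Object { "$_" }) -join ','
    if ($actual -ne $desired[$key]) {
        '{0}: "{1}" -> "{2}"' -f $key, $actual, $desired[$key]
    }
}

if ($drift) {
    # The PSK cannot be read back from the connection, so it is rewritten with the repair.
    Set-VpnConnection -Name $Name -AllUserConnection @desired -L2tpPsk $Psk -RememberCredential $true -Force
    $drift | ForEach-Object { Write-Output "repaired $_" }
} else {
    Write-Output 'compliant'
}
```

Run from an elevated session, it can be scheduled or pushed by a management tool so that a drifted adapter is corrected without the user reopening the adapter properties.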

Here to help

Re: Wish: VPN Client

@BeckerIT Thanks for sharing!

Getting noticed

Re: Wish: VPN Client

I too would love for AnyConnect to come to MX.

New here

Re: Wish: VPN Client

July 2018 - this continues to be a major issue for some Windows 10 workstations. Every time there is a failed connect, the client changes the connection properties (as noted, from PAP to CHAP), and then when you correct that you have to go back and reset the login information. I too vote for a reliable VPN client for my Meraki MX64s.

 

Scott
