changing unencrypted PAP on the Meraki side so I can use Windows 10 consistently with a VPN ?

JKZfixme
Conversationalist


I have had a bunch of small issues with the firewalls in the past, but nothing that is insurmountable with some good old-fashioned proverbial IT duct tape. I can even understand the "that's not how we do things, unify and Meraki everything" attitude.

 

Here is where my real issue lies. Every time Windows 10 has a major update it decides that unencrypted PAP is horribly insecure (because it is) and sets the security for the VPN to MSCHAPv2. Folks can no longer connect to the mothership. I have to remote in and fix. EVERY SINGLE LAPTOP. Every single time. I have called Meraki support like 5 times. They shrugged their shoulders and acted like it was Microsoft's fault for pointing out glaring security flaws. I tried a different approach each time, asking about GPOs, registry keys, third-party apps, crying, nothing but shoulder shrugging and blaming Microsoft. How do you guys deal with a modern mobile workforce and these Meraki MXs?

 

Yes I know that the packet is encrypted.

Windows 10 is still not cool with the janky workaround.

 

I added my personal laptop into the WSUS test container to see when it breaks so I can prepare for the mayhem. Then I have to reach out to everyone with a laptop and schedule them leaving it on or dropping it by.

" Hey C level employee, I need to do this again .... "

" I thought we spent licensing money to make your life easier ? This never happened with the Cisco stuff. You haven't needed to touch my laptop for years due to your rad skills. "

" Yeah I know, I made a bad decision "

" When are they going to fix it ? "

" They said to make a wish "

Repeat conversation with every employee with a laptop. Half of them yeah-yeah me and don't bother until they need a report at 9PM and harass me on my cell phone.

 

It has gotten slightly better now that I created a PowerShell script to remove the old VPN and create a new one with PAP so we can still party like it's 1999. Still a really bad option as I have to catch the laptop online.

 

 

16 Replies
NolanHerring
Kind of a big deal

Yea so this is kind of a crappy position to be in. While I understand why and how Meraki isn't technically responsible for this issue because Microsoft is the one causing it by changing the settings, I do agree that Meraki should at least provide a better solution than the junky built-in VPN option on the various OS types, or better yet just stop using PAP. I mean...when Microsoft is the one ringing the bell that it's outdated and not secure, that is saying something. They really need to enable IKEv2 support so people can use the AnyConnect client.

 

That being said, off-the-cuff I would say maybe creating a script or batch file that auto-runs at every startup that re-creates the VPN profile each time might be something to look into, instead of you playing whack-a-mole.

 

Some links I found about scripting this:

 

https://www.reddit.com/r/meraki/comments/7d3meo/script_clientvpn_profiles_in_win10/

https://www.reddit.com/r/meraki/comments/6129mj/meraki_vpn_powershell_script/

 

Also I would suggest locking down windows 10 updates as much as you can so that you can minimize the frequency that this might occur.

Nolan Herring | nolanwifi.com
PhilipDAth
Kind of a big deal

Not a great solution, but I would put a copy of the PowerShell script on each notebook, and then use local group policy (or even Windows Task Scheduler) to run the PowerShell script every time on boot.

 

Then if you have an issue you can use the old chestnut "Have you tried rebooting your computer?".

TMRoberts
Getting noticed

Hey ... yeah we have the same issue (troberts2 in SW btw).

 

When trying to "repair" the script by switching it back from MSCHAP to PAP we get another error saying the "Required" encryption is not supported, even trying to use the -Force parameter ... WinDOZE flat out doesn't care, but if you are on the GUI side it just works, unchecking one and checking the other one.

 

Set-VpnConnection : The current encryption selection requires EAP or MS-CHAPv2 logon security methods. PAP and CHAP
do not support Encryption settings 'Required' or 'Maximum'. : The parameter is incorrect.
At line:1 char:1
+ Set-VpnConnection Blarg -AuthenticationMethod Pap -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo         : InvalidArgument: (AuthenticationMethod:root/Microsoft/...S_VpnConnection) [Set-VpnConnec
  tion], CimException
    + FullyQualifiedErrorId : WIN32 87,Set-VpnConnection

 

This could be easily resolved with a 3rd-party (Meraki/Cisco) app that Microsoft can't override, but since we're stuck using the Microsoft built-in client and PAYING for Meraki licensing, it's getting disappointing that there is zero information on this issue from Cisco/Meraki other than "oh just click Make a wish". Yes it takes less than 5 mins to walk a user through removing and re-adding the connection, but it's just getting to the point of being highly annoying now that paying customers have to go through this every time and we have to do it for EVERY computer that touches the VPN.



T Roberts
A+, Network+, MCP, Dell and CMNO
TMRoberts
Getting noticed

I had posted about this issue prior, and it seems someone else had added this fix recently too, as I logged in and got notifications:

 

1. Make a one-line PowerShell script to add the VPN connection

2. Convert the PS script to an exe file and distribute the zipped exe file

The user downloads the file, unzips it and runs it; then the VPN connection is created

Here is the code (Visual Studio Code is the best IDE for PowerShell)

Add-VpnConnection -Name MyVPN -ServerAddress 1xx.2xx.1xx.1xx -TunnelType L2tp -AuthenticationMethod Pap -RememberCredential -L2tpPsk *secret* -Force
 
If you don't add the -Force it will sit at a prompt waiting for you to confirm or not.
 
I noticed that if you use what we were told by Meraki for the setup, using "Require encryption" rather than optional, we get errors, but the one above seems to be OK as it sets it to optional.
 
If you need to 'fix' the VPN connection when it gets broken by Microsoft, then you run the Set-VpnConnection command with less info just to fix the connection:
 
Set-VpnConnection -Name VPNNAME -ServerAddress 1xx.1xx.1xx.1xx -TunnelType L2tp -AuthenticationMethod Pap -Force
 
Remember to add the -Force or it complains or waits. If this can be done via EXE, then it can be run and done!
 
If you like you can add -SplitTunneling to the above script, and add a few routes so that only specific traffic goes to the VPN connection while other traffic still goes to the local Internet connection, e.g.:
Add-VpnConnectionRoute -ConnectionName "MyVPN" -DestinationPrefix 128.136.0.0/16
 
How to convert a PowerShell script to an exe file? I'm using PS2EXE, it works great.


T Roberts
A+, Network+, MCP, Dell and CMNO
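The Add-VpnConnection / Set-VpnConnection repair above is what the thread recreates by hand (or from a boot-time script) after every Windows update. The script below is an added example, not code from the thread or from Meraki: it checks the existing profile for the drift the thread describes (MSCHAPv2 and "Required" encryption replacing PAP and "Optional") and only re-applies settings when something has actually changed, so it can run unattended without rebuilding the profile every boot. The connection name, server address and PSK are placeholders; the cmdlet parameters used are the ones that already appear in the thread.

```powershell
# Added example: detect and repair VPN profile drift with the built-in
# VpnClient cmdlets. Not the thread's own script; names below are placeholders.
param(
    [string]$Name          = 'MyVPN',                 # placeholder connection name
    [string]$ServerAddress = 'vpn.example.invalid',   # placeholder server
    [string]$Psk           = 'REPLACE-WITH-YOUR-PSK'  # placeholder pre-shared key
)

function Get-VpnProfileDrift {
    # Returns a list of human-readable problems. An empty list means the
    # profile still has the L2TP / PAP / Optional-encryption shape the
    # Meraki client VPN setup in this thread expects.
    param([string]$ConnectionName)

    $conn = Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue
    if (-not $conn) { return @('profile missing') }

    $problems = @()
    if ($conn.TunnelType -ne 'L2tp') {
        $problems += "TunnelType is $($conn.TunnelType)"
    }
    if ($conn.EncryptionLevel -ne 'Optional') {
        $problems += "EncryptionLevel is $($conn.EncryptionLevel)"
    }
    # AuthenticationMethod is an array; an update typically swaps Pap for MSChapv2
    $auth = @($conn.AuthenticationMethod)
    if ($auth.Count -ne 1 -or $auth[0] -ne 'Pap') {
        $problems += "AuthenticationMethod is $($auth -join ',')"
    }
    return $problems
}

function Repair-VpnProfile {
    # Returns $true when a change was made, $false when the profile was already fine.
    param([string]$ConnectionName, [string]$Server, [string]$PreSharedKey)

    $drift = @(Get-VpnProfileDrift -ConnectionName $ConnectionName)
    if ($drift.Count -eq 0) {
        Write-Output "${ConnectionName}: OK, nothing to do"
        return $false
    }
    Write-Output "${ConnectionName}: drift detected -> $($drift -join '; ')"

    if ($drift -contains 'profile missing') {
        Add-VpnConnection -Name $ConnectionName -ServerAddress $Server -TunnelType L2tp `
            -EncryptionLevel Optional -AuthenticationMethod Pap -L2tpPsk $PreSharedKey `
            -Force -Confirm:$false
    } else {
        # Order matters: lower EncryptionLevel first. Setting Pap while the
        # level is still Required produces the "PAP and CHAP do not support
        # Encryption settings 'Required'" error quoted earlier in the thread.
        Set-VpnConnection -Name $ConnectionName -EncryptionLevel Optional -Force
        Set-VpnConnection -Name $ConnectionName -AuthenticationMethod Pap -Force
    }

    # Verify instead of assuming: re-read the profile after the change.
    $after = @(Get-VpnProfileDrift -ConnectionName $ConnectionName)
    if ($after.Count -ne 0) { throw "repair failed: $($after -join '; ')" }
    Write-Output "${ConnectionName}: repaired"
    return $true
}

Repair-VpnProfile -ConnectionName $Name -Server $ServerAddress -PreSharedKey $Psk
```

Run it in the user's context (the profile lives in the user's phonebook) from the startup or scheduled task suggested earlier in the thread; because it only writes when Get-VpnProfileDrift reports a problem, its log output doubles as a record of which machines and which updates actually flipped the settings.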
Anonymous
Not applicable

I tried with the PowerShell command with admin rights but still cannot connect to the Meraki VPN on my Windows 10 Ent 1607...Works pretty good on my phone and tablet...

 

Any other workarounds?

Nash
Kind of a big deal

Is there a particular reason why you're on 1607? That's a pretty old version of Win10, to the tune of no longer being updated.

 

I'd update your OS, then try PowerShell again. If you need a scripty variant, I've put one together.

Shaunm001
Conversationalist

We're also dealing with the same issue, more so now that we're converting everyone from Windows 7. Good to know I wasn't losing my mind with these machines spontaneously changing their settings on their own, although discouraged to see this post is from 2018 and it's still an ongoing issue. Can someone from Cisco/Meraki weigh in here and let us know if/when a more robust VPN option will be forthcoming? 

TMRoberts
Getting noticed

It's getting even worse. We have machines since updated to Win 10 1909 (or comes preinstalled) that you set up with user/pwd and PAP only. Save the setting, click connect, it fails, you go back and check and Windows has reset it to General Authentication mode and unchecked both PAP and MSChap radio button. It literally undoes what you have set as soon as you click to Connect. Incredibly frustrating at this point. Was bad before but with 1909 it's literally forcing MS settings on you. We NEED a Meraki client that MS can't touch!!!!



T Roberts
A+, Network+, MCP, Dell and CMNO
Nash
Kind of a big deal


@TMRoberts wrote:

It's getting even worse. We have machines since updated to Win 10 1909 (or comes preinstalled) that you set up with user/pwd and PAP only. Save the setting, click connect, it fails, you go back and check and Windows has reset it to General Authentication mode and unchecked both PAP and MSChap radio button. It literally undoes what you have set as soon as you click to Connect. Incredibly frustrating at this point. Was bad before but with 1909 it's literally forcing MS settings on you. We NEED a Meraki client that MS can't touch!!!!


I agree, but in the meantime, there are some kludges.

 

1. Install using a script. I've got examples in my sig.

2. Tell users to NEVER save their credential. Ever. Never. Ever. Ever. It will change the password protocol.

3. Use rasphone to launch the VPN.

4. Remind your users to never save their credential again, just to be sure.

 

To be honest, you should be able to use another client that supports L2TP/IPSEC instead of Win10's baked in. I don't work in an environment that would allow that tho.

Shaunm001
Conversationalist

Yes, we also have issues when saving credentials but I didn't want to clutter up the discussion here. But yes, saving credentials is also key...as in, don't do it. 

 

I hadn't considered using a third-party client to connect to the MX, but I will look into that, thanks for the tip! 

Flashback
Here to help

I've tried a number of scripts including yours Nash. The connection etc. all creates fine and the VPN connects, however even with using the remote gateway (i.e. split tunneling is not turned on) I just cannot hit anything on our internal network.

 

Traffic to external sites works fine, but if I ping anything internal or try RDP for example it just times out.

 

I've checked the settings via the GUI once created and they look exactly the same as if I had just created the VPN connection in the GUI, so not sure where else to look?

 

Disabled Windows Firewall too and still no joy.

TMRoberts
Getting noticed

You have a route back to your VPN side network, correct?

RDP, ping, etc. will get into the network from the VPN network, but the return path traffic will fail when there is no route back to the network you are on (VPN or other WAN-connected network).



T Roberts
A+, Network+, MCP, Dell and CMNO
Flashback
Here to help

I can't explain how, but for some reason now it is working. Very strange as I tried it on 3 different laptops, each of which had a slightly different configuration. Always seems to happen when you finally decide to reach out for help!

 

The only challenge now is how to deploy it out to all the laptops on the domain. The PS scripts are stored locally on all laptops (pushed out using GPO file copy) and a start-up script configured, however given that needs to run prior to logon it fails. Trying to connect the VPN via the logon screen still doesn't allow it to process any start-up GPOs.

 

If the laptop is in the office that would be fine, but given most users are working remotely now due to COVID-19, I need to find a solution to push out these new VPN profiles.

Tenundra
Conversationalist

Here is my fix after several hours of research and testing and no resolution from Meraki support.

 

Resolution courtesy of Tenundra, Inc. 

 

On the user's Windows 10 machine open Windows Explorer and go to:

c:\users\USERID\appdata\Roaming\Microsoft\Network\Connections\Pbk

 

Note: replace USERID in the path with the user you are working with.

Also note that AppData is a hidden folder, so if you don't see it, type the path in manually to get past it.

You can also search from the Start button with %APPDATA% and it'll get you into the AppData folder and you can proceed from there.

 

Once you are in the Pbk folder you'll see an old Windows program called RASPHONE.

Right-click it and make a shortcut to rasphone on your desktop.

Now open the shortcut and create a new connection with a VPN name you haven't used yet, like VPN-Company.

Once created, find it in the list, go to Properties and under Security enter all the VPN settings you need per the Meraki instructions that are supposed to work (i.e. PAP, require encryption, L2TP and key).

Click OK 

 

Click Connect to the VPN you just made via the rasphone window that should still be on your screen.

 

Enter your user's Meraki VPN credentials

Click connect

NOTE: Always use this method to connect. If you use the official Windows 10 "easy" method it'll break the settings and you'll need to reset them under the Security tab again.

 

So now your VPN connection should work. If it doesn't you may need to create the DWORD32 registry key:

AssumeUDPEncapsulationContextOnSendRule with a value of 2 under the registry path

HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent 

If you make or change the registry entry, reboot the PC so it takes effect.

 

Be well.

 

 

Tor_in_Bergen
Here to help

The simple fix is to change the setting in

$env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

 

An example:

$rasphone = "$env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk"

(Get-Content $rasphone) -replace 'DataEncryption=8', 'DataEncryption=256' | Set-Content $rasphone

 

You need to check, but for now Microsoft sets the value to DataEncryption=8

Check your value by replacing line 2 with this one:  Get-Content $rasphone

 

 

We've combined some of the scripts referenced below, summarized like this; it rolls out a VPN profile to the logged-in user.

The trick, in short: set DataEncryption to Optional and then hack the pbk file.

*****

# Cloudflex AS
# VPN with PAP over IPsec for Meraki VPN
[CmdletBinding()]
param(
    [Parameter()][string]$Name = 'VPN Name',
    [Parameter()][string]$ServerAddress = 'remote.domain.com',
    [Parameter()][string]$PSK = 'The secret',
    [Parameter()][string]$DnsSuffix = 'remote.domain.com'
)

$NeedsReboot = $false

# Create the profile with Optional encryption so that PAP is accepted
Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType "L2tp" -EncryptionLevel "Optional" -AuthenticationMethod PAP -L2tpPsk $PSK -RememberCredential -DnsSuffix $DnsSuffix -PassThru -Force -Confirm:$false

# NAT-T registry value for L2TP/IPsec behind NAT; only created when missing, and requires a reboot
If ($null -eq (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\' -Name 'AssumeUDPEncapsulationContextOnSendRule' -ErrorAction SilentlyContinue)) {
    New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent\' -Name 'AssumeUDPEncapsulationContextOnSendRule' -Value 2 -PropertyType 'DWord'
    Write-Host 'Please reboot before attempting to connect.' -ForegroundColor Yellow
    $NeedsReboot = $true
}

# Patch the phonebook entry: interface metric and DataEncryption (8 = Optional, 256 = Require)
$rasphone = "$env:USERPROFILE\Appdata\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk"
(Get-Content $rasphone) -replace 'IpInterfaceMetric=0', 'IpInterfaceMetric=1' | Set-Content $rasphone
(Get-Content $rasphone) -replace 'DataEncryption=8', 'DataEncryption=256' | Set-Content $rasphone
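The -replace in the script above rewrites every DataEncryption=8 and IpInterfaceMetric=0 line in rasphone.pbk, which touches every profile in the phonebook, not just the Meraki one. The script below is an added example, not the thread's or Cloudflex's code: it locates the [connection name] section of the phonebook, changes only that section's keys, backs the file up first, and reports the before/after values so the edit can be checked. The section and key names (DataEncryption, IpInterfaceMetric) and the target values 256 and 1 are the ones shown in the thread; the connection name is a placeholder, and $env:APPDATA is assumed to resolve to the same Roaming folder the thread spells out via $env:USERPROFILE.

```powershell
# Added example: section-scoped edit of rasphone.pbk. Not the thread's script.
param(
    [string]$Name    = 'VPN Name',   # placeholder: the profile's connection name
    [string]$PbkPath = "$env:APPDATA\Microsoft\Network\Connections\Pbk\rasphone.pbk"
)

function Get-PbkSection {
    # Returns @(startIndex, endIndexExclusive) of the [$ConnectionName] section,
    # or $null when the profile is not present in this phonebook.
    param([string[]]$Lines, [string]$ConnectionName)
    $start = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($Lines[$i] -eq "[$ConnectionName]") { $start = $i; continue }
        if ($start -ge 0 -and $Lines[$i] -match '^\[.*\]$') { return @($start, $i) }
    }
    if ($start -ge 0) { return @($start, $Lines.Count) }
    return $null
}

function Get-PbkEntryValue {
    # Reads Key=Value from inside the named section only; $null when absent.
    param([string[]]$Lines, [string]$ConnectionName, [string]$Key)
    $range = Get-PbkSection -Lines $Lines -ConnectionName $ConnectionName
    if (-not $range) { return $null }
    $pattern = '^' + [regex]::Escape($Key) + '=(.*)$'
    for ($i = $range[0] + 1; $i -lt $range[1]; $i++) {
        if ($Lines[$i] -match $pattern) { return $Matches[1] }
    }
    return $null
}

function Set-PbkEntryValue {
    # Returns a new line array with Key=Value set inside the named section only.
    # If the key is missing from the section it is appended at the section's end.
    param([string[]]$Lines, [string]$ConnectionName, [string]$Key, [string]$Value)
    $range = Get-PbkSection -Lines $Lines -ConnectionName $ConnectionName
    if (-not $range) { throw "connection '$ConnectionName' not found in $PbkPath" }
    $pattern = '^' + [regex]::Escape($Key) + '='
    $out = New-Object System.Collections.Generic.List[string]
    $found = $false
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        if ($i -gt $range[0] -and $i -lt $range[1] -and $Lines[$i] -match $pattern) {
            $out.Add("$Key=$Value"); $found = $true
        } else {
            $out.Add($Lines[$i])
        }
        if ($i -eq ($range[1] - 1) -and -not $found) { $out.Add("$Key=$Value"); $found = $true }
    }
    return $out.ToArray()
}

# Desired values, as given in the thread: 256 = Require encryption, metric 1
$desired = [ordered]@{ 'DataEncryption' = '256'; 'IpInterfaceMetric' = '1' }

$lines = Get-Content -Path $PbkPath
Copy-Item -Path $PbkPath -Destination "$PbkPath.bak" -Force   # keep a copy before editing
$changed = $false
foreach ($key in $desired.Keys) {
    $before = Get-PbkEntryValue -Lines $lines -ConnectionName $Name -Key $key
    if ($before -eq $desired[$key]) { Write-Output "${key}: already $before"; continue }
    $lines = Set-PbkEntryValue -Lines $lines -ConnectionName $Name -Key $key -Value $desired[$key]
    Write-Output "${key}: $before -> $($desired[$key])"
    $changed = $true
}
if ($changed) { Set-Content -Path $PbkPath -Value $lines }
```

Because Get-PbkEntryValue reads without writing, running the script (or just that function) on a machine after a Windows update is also a quick way to see whether the update reset DataEncryption back to 8 for the Meraki profile, before deciding to rewrite anything.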

 

Tor_in_Bergen
Here to help

The latest system updates from Microsoft have caused some trouble; listed below you will find the needed fixes to install:

 

Windows 11, version 21H1 (original version): KB5010795

Windows Server 2022: KB5010796

Windows 10, version 21H2: KB5010793

Windows 10, version 21H1: KB5010793

Windows 10, version 20H2, Windows Server, version 20H2: KB5010793

Windows 10, version 20H1, Windows Server, version 20H1: KB5010793

Windows 10, version 1909, Windows Server, version 1909: KB5010792

Windows 10, version 1607, Windows Server 2016: KB5010790

Windows 10, version 1507: KB5010789

Windows 7 SP1: KB5010798

Windows Server 2008 SP2: KB5010799
