Cisco Meraki Vpn Client Software




Network Access Manager - Client software that provides a secure Layer 2 network.
VPN Posture (Hostscan) - Gives the client the ability to identify the operating system, anti-virus, anti-spyware, and firewall software installed on the host.
AMP Enabler - Used as a medium for deploying Advanced Malware Protection (AMP) for endpoints.

Talk of Meraki getting to use AnyConnect Client from Cisco (probably licensed software purchase) has been a rumor for a while. It doesn't seem like it's actually coming at this point in time, but I just support the stuff and don't hound Meraki much about it.

An AnyConnect profile is a crucial piece for ensuring easy configuration of the AnyConnect client software, once installed. The MX does not support the use of custom hostnames for certificates (e.g. The MX only supports use of the Meraki DDNS hostname for auto-enrollment and use on the MX.

Cisco Meraki uses the integrated Windows client for VPN connection (no Cisco client at this time).

To be able to connect with simple AD user account credentials, along with a simple pre-shared key, the steps are very simple.

9 Steps total

Step 1: Get started

Click on Start and type in VPN, click on Change Virtual Private Networks (VPN)

Step 2: Add connection

Click on Add a VPN connection

Step 3: Configure Windows connection


Pick VPN provider as Windows
Name the connection
Put in server name or IP
Switch VPN type to L2TP/IPsec with pre-shared key
Switch Type of sign in to User name and password
Enter the username and password if you want to save it, or leave blank and user will have to enter it on connection
Hit Save

Step 4: Edit settings

Once you hit Save, it will bring you back to the connection page
Click on Change Adapter Options

Step 5: Configure adapter

In the adapter window, click on the adapter with the name you created in the VPN window
Click on Change settings of this connection

Step 6: Configure security settings

Click on Security tab
Make sure Type of VPN is still Layer 2 Tunneling Protocol with IPsec
Set Data encryption to Require encryption (disconnect if server declines)
Set Allow these protocols
Check Unencrypted password (PAP) - the password will still be encrypted, because it is sent inside the IPsec tunnel, so don't worry
Click Advanced settings


Step 7: Add key

In the Advanced settings, click on Use preshared key
Type in the key you want to use
Hit OK to go back to the adapter settings
Click OK to close the adapter settings and save.
Close all other windows at this point.

Step 8: Connect

Connect ...
Click on the network icon in the system tray
Click on the VPN network connection name
Click on Connect

Step 9: Verify and disconnect

Verify you are connected
Click on the network system tray icon again if the window closed or minimized
You should now see the VPN network name listed and Connected underneath it
(If you are done with your connection, click on it and click Disconnect)

Now and then a Windows Update breaks these settings by changing the authentication protocol from PAP to MS-CHAP. If users could connect before but suddenly can't, while others can, revisit Step 6 and verify that PAP is turned on, not MS-CHAP. Save and you're all set!
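
The settings from Steps 1-9 can also be applied, and checked for the PAP to MS-CHAP drift described above, from PowerShell with the built-in VpnClient cmdlets. This is an added example, not part of the original how-to; the connection name and server address are placeholders, and the pre-shared key is passed in at run time instead of being stored in the script.

```powershell
# Added example: create or repair the L2TP/IPsec connection from Steps 1-9.
# The default name and server address are placeholders, not values from the article.
[CmdletBinding()]
param(
    [string]$Name = 'Meraki Client VPN',        # placeholder connection name
    [string]$ServerAddress = 'vpn.example.com', # placeholder MX hostname or IP
    [Parameter(Mandatory)]
    [string]$PresharedKey                       # prompted for, never hard-coded
)

# Settings from Step 3, Step 6 and Step 7 of the walkthrough.
$desired = @{
    ServerAddress        = $ServerAddress
    TunnelType           = 'L2tp'
    L2tpPsk              = $PresharedKey
    AuthenticationMethod = 'Pap'
    EncryptionLevel      = 'Required'   # "Require encryption (disconnect if server declines)"
}

$current = Get-VpnConnection -Name $Name -ErrorAction SilentlyContinue

if (-not $current) {
    Add-VpnConnection -Name $Name @desired -Force
    Write-Output "Created VPN connection '$Name'."
    return
}

# Compare the live connection with the expected values and list any drift,
# such as the authentication method having been switched from PAP to MS-CHAP.
$drift = @()
if ($current.ServerAddress -ne $ServerAddress) { $drift += "ServerAddress=$($current.ServerAddress)" }
if ($current.TunnelType -ne 'L2tp')            { $drift += "TunnelType=$($current.TunnelType)" }
if ($current.EncryptionLevel -ne 'Required')   { $drift += "EncryptionLevel=$($current.EncryptionLevel)" }
$auth = @($current.AuthenticationMethod) -join ','
if ($auth -ne 'Pap')                           { $drift += "AuthenticationMethod=$auth" }

if ($drift.Count -gt 0) {
    Write-Output "Drift found on '$Name': $($drift -join '; ')"
    Set-VpnConnection -Name $Name @desired -Force
    Write-Output 'Settings reset to the expected values.'
} else {
    Write-Output "VPN connection '$Name' already matches the expected settings."
}
```

The stored pre-shared key cannot be read back from the connection, so the script rewrites it only when it creates the connection or repairs drift in the other settings.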

8 Comments

  • Chipotle
    BMG_Zone Jun 20, 2018 at 12:42pm

    I have a customer who is stating:

    We've run into a weird problem where the built in Windows 10 vpn gets its settings changed whenever the wifi network changes. We have consultants who travel to various client sites and every time they try to connect to our vpn server they have to fix their vpn settings. The company we had hired to set up our vpn server said they can't help us with this, probably because it's a Windows issue

    Any Ideas?

  • Habanero
    KrasimirPetrov_ Oct 31, 2018 at 02:46am

    Good read. Thank you very much for sharing.
    Excellent tutorial

  • Sonora
    LRSpartan Jan 8, 2019 at 04:49pm

    We have been trying to overcome the same problems with MX64 and making an outbound rule entry in Windows Defender Firewall is what helped us. We had performed all the other instructions Meraki and MSFT had provided including the regedit (asumeUDPEncap...).

    We created a UDP port rule for 500, 4500 and scoped it to our vpn IP address. Finally works.

    I hope this helps.

  • Pimiento
    ericguth2 Jan 28, 2020 at 09:00am

    LRSpartan - are you saying that you port forward UDP 500 and 4500 to your VPN range 192.168.XXX.00/24?

  • Poblano
    AaronTheYoung Feb 3, 2020 at 08:15pm

    We are constantly plagued by our VPN connection losing its settings as well. I'm not sure if this relates to a change in WiFi, but the people that it occurs with do seem to be people that change WiFi often. Others who are using it from one network at home seem to not have the issue.

    In any case, I am constantly connecting to users who are remote and fixing their settings. Either resetting their Username and Password settings or fixing the PAP/CHAP protocol settings.

    Is there a way to use the Powershell command ADDVPNConnection to create a script that would re-create the settings in one fell swoop?

    Any help would be appreciated.

  • Datil
    troberts2 Mar 4, 2020 at 08:22pm

    We have seen those same settings and we hear there may be a Meraki VPN Client or Cisco AnyConnect Client that is Meraki compatible in the near future, but that has also been ongoing for like 3 to 4yrs now. Once it comes out, should be a moot point on Microsponge changing your settings. I have seen the same issue though, seems to be mostly tied to Microsoft and the firewall flipping the network to public and effectively blocks like everything so you can't connect. Only way we have gotten it to work is when on that network, switch it from Public to Private, reboot the machine and possibly also the network router you are using and then it works, and yes you are sharing when connected initially to that network, but once on the VPN, tunneled into your network and secure again. Fingers X'd on the client coming out vs WinDoze client.

  • Pimiento
    spicehead-hu3x0 Apr 14, 2020 at 06:09pm

    The DrayTek VPN client works for the Meraki, I hope Cisco comes out with their own soon.

  • Jalapeno
    branchms Jan 21, 2021 at 10:04pm

    I'm having nothing but trouble getting this to connect.
    Using Windows 10 and Meraki MX64.

    Can you suggest a resolution?

The VPN:
The Meraki client VPN uses the L2TP tunneling protocol and can be deployed on PCs, Macs, Android, and iOS devices without additional software, as these operating systems natively support L2TP.

The Encryption Method:
Along with the L2TP/IP protocol, the Meraki client VPN employs the following encryption and hashing algorithms: 3DES and SHA1 for Phase 1, AES128/3DES and SHA1 for Phase 2. Best practice dictates that the shared secret should not contain special characters at the beginning or end.

Enabling Client VPN:
Select Enabled from the Client VPN server pull-down menu on the Security Appliance -> Configure -> Client VPN page. You can then configure the following options:


  • Client VPN Subnet: The subnet that will be used for Client VPN connections. This should be a private subnet that is not in use anywhere else in your network. The MX will be the default gateway on this subnet and will route traffic to and from this subnet.
  • DNS Nameservers: The servers VPN Clients will use to resolve DNS hostnames. You can choose from Google Public DNS, OpenDNS, or specify custom DNS servers by IP address.
  • WINS: If you want your VPN clients to use WINS to resolve NetBIOS names, select Specify WINS Servers from the drop-down and enter the IP addresses of the desired WINS servers.
  • Secret: The shared secret that will be used to establish the Client VPN connection.
  • Authentication: How VPN Clients will be authenticated.
  • Systems Manager Sentry VPN Security: Configuration settings for whether devices enrolled in systems manager should receive a configuration to connect to the Client VPN.

Authentication:
The VPN uses both pre-shared key based authentication and user authentication. To set up the user authentication mechanism, you will need to select your authentication method.

Meraki Cloud Authentication:
Use this option if you do not have an Active Directory or RADIUS server, or if you wish to manage your VPN users via the Meraki cloud. To add or remove users, use the User Management section at the bottom of the page. Add a user by selecting “Add new user” and entering the following information:

  • Name: Enter the user’s name
  • Email: Enter the user’s email address
  • Password: Enter a password for the user or select “Generate” to automatically generate a password
  • Authorized: Select whether this user is authorized to use the Client VPN

In order to edit an existing user, click on the user under User Management section. To delete a user, click the X next to the user on the right side of the user list. When using Meraki hosted authentication, the user’s email address is the username that is used for authentication.

RADIUS:
Use this option to authenticate users on a RADIUS server. Click Add a RADIUS server to configure the server(s) to use. You will need to enter the IP address of the RADIUS server, the port to be used for RADIUS communication, and the shared secret for the RADIUS server.

Active Directory:
Use this option if you want to authenticate your users with Active Directory domain credentials. You will need to provide the following information:

  • Short Domain: The short name of your Active Directory domain.
  • Server IP: The IP address of an Active Directory server on the MX LAN.
  • Domain Admin: The domain administrator account the MX should use to query the server.
  • Password: Password for the domain administrator account.

For example, consider the following scenario: You wish to authenticate users in the domain test.company.com using an Active Directory server with IP 172.16.1.10. Users normally log into the domain using the format ‘test/username’ and you have created a domain administrator account with the username ‘vpnadmin’ and the password ‘vpnpassword’.

  • The Short domain would be ‘test’.
  • The Server IP would be 172.16.1.10
  • The Domain admin would be ‘vpnadmin’
  • The Password would be ‘vpnpassword’.

Note:

At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.

Systems Manager Sentry VPN Security:
When using Meraki cloud authentication, Systems Manager Sentry VPN security can be configured if your Dashboard organization contains one or more MDM networks. Systems Manager Sentry VPN security allows your devices enrolled in Systems Manager to receive the configuration to connect to the Client VPN through the Systems Manager profile on the device.

To enable Systems Manager Sentry VPN security, choose Enabled from the Client VPN server pulldown menu on the Security Appliance -> Configure -> Client VPN page. You can configure the following options:

  • Install Scope: The install scope allows you to select a set of Systems Manager tags for a particular MDM network. Devices with these tags applied in a Systems Manager network will receive a configuration to connect to this network’s Client VPN server through their Systems Manager profile.
  • Send All Traffic: Select whether all client traffic should be sent to the MX.
  • Proxy: Whether a proxy should be used for this VPN connection. This can be set to automatic, manual, or disabled.

Note:

When using Systems Manager Sentry VPN security, the username and password used to connect to the client VPN are generated by the Meraki cloud. Usernames are generated based on a hash of a unique identifier on the device and the username of that device. Passwords are randomly generated.
