Setup Meraki Vpn



This article outlines instructions to configure a client VPN connection on commonly-used operating systems. For more information about client VPN, please refer to our Client VPN Overviewdocumentation.

  1. Configure Meraki Vpn Client
  2. Setup Meraki Vpn Windows 7
  3. Setup Meraki Vpn Windows 10

For troubleshooting, please refer to our Troubleshooting Client VPN documentation.

Android

  1. Meraki MDM also fails to load VPN parameters as it requires a Windows profile (appart from the Meraki Agent). Apparently, you cannot have two MDM profiles on Windows 10. There's also the issue of authentication. Meraki does not support Azure Active Directory.
  2. Meraki VPN Client Setup. This short and sweet script will help with setting up the Windows VPN to use with Cisco Meraki firewall/routers. You can either run it raw or it can be included in your automation to deploy workstations at scale.

The VPN uses both pre-shared key based authentication and user authentication. To set up the user authentication mechanism, you will need to select your authentication method. Meraki Cloud Authentication: Use this option if you do not have an Active Directory or RADIUS server, or if you wish to manager your VPN users via the Meraki cloud. The United States Code is a consolidation and codification by subject matter of the general and permanent laws of the United States. It is prepared by the Office of the Law Revision Counsel of the United States House of Representatives.

To configure an Android device to connect to the Client VPN, follow these steps:

  • Navigate to Settings -> Wireless & Networks -> VPN
  • Click the Plus Icon to add an additional VPN profile
  • Name: This can be anything you want to name this connection, for example, 'Work VPN.'

  • Type: select L2TP/IPSEC PSK

  • Server address: Enter the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.

  • IPSec pre-shared key: Enter the pre-shared key that admin created in Security appliance >Configure > Client VPN settings.

  • Press save

You will be prompted for user credentials when you connect.

Chrome OS

Chrome OS based devices can be configured to connect to the Client VPN feature on MX Security Appliances. This allows remote users to securely connect to the LAN. This article will cover how to configure the VPN connection on a Chrome OS device. For more information on how to setup the Client VPN feature of the MX or how to connect from other operating systems, please visit the MX documentation.

  1. If you haven't already, sign in to your Chromebook.
  2. Click the status area at the bottom of your screen, where your account picture is located.
  3. Select Settings.
  4. In the 'Internet connection' section, click Add connection.
  5. Select Add private network.
  6. In the box that appears, fill in the information below:
    1. Server hostname:Enter the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.
    2. Service name: This can be anything you want to name this connection, for example, 'Work VPN.'
    3. Provider type: Select L2TP/IPsec + Pre-shared key.
    4. Pre-shared key: Enter shared secret that admin created in Security appliance >Configure > Client VPN settings.
    5. Username credentials for connecting to VPN. If using Meraki authentication, this will be an e-mail address.
    6. Password credentials for connecting to VPN.
  7. Click Connect.

For more information regarding the configuration of VPN connections in Chrome OS, visit the Google Support page.

To configure an iOS device to connect to the Client VPN, follow these steps:

  1. Navigate to Settings -> General-> VPN -> Add VPN Configuration...
  2. Type: set to L2TP.
  3. Description:This can be anything you want to name this connection, for example, 'Work VPN.'
  4. Server: Enter the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.
  5. Account: Enter the username
  6. Password: Enter if desired. If the password is left blank, it will need to be entered each time the device attempts to connect to the Client VPN.
  7. Secret: Enter shared secret that admin created in Security appliance >Configure > Client VPN settings.
  8. Ensure that Send All Traffic is set to On.
  9. Save the configuration.

macOS

Currently only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki hosted authentication.
  • Machine authentication: Preshared keys (a.k.a., shared secret).

When using Meraki hosted authentication, VPN account/user name setting on client devices (e.g., PC or Mac) is the user email address entered in the Dashboard.

The instructions below are tested on Mac OS 10.7.3 (Lion).

Open System Preferences > Network from Mac applications menu. Click the '+' button to create a new service, then select VPN as the interface type, and choose L2TP over IPsec from the pull-down menu.

  • Server Address: Enter the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.
  • Account Name: Enter the account name of the user (based on AD, RADIUS or Meraki Cloud authentication).
Click Authentication Settings and provide the following information:
  • User Authentication > Password: User password (based on AD, RADIUS or Meraki Cloud authentication).
  • Machine Authentication > Shared Secret: Enter shared secret that admin created in Security appliance >Configure > Client VPN settings.
Click OK to go back to the main VPN settings page, then click Advanced and enable the Send all traffic over VPN connection option.

The VPN connectivity will not be established if you don't enable the Send all traffic over VPN connection option!

Vpn

Windows 7

Currently only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki hosted authentication.
  • Machine authentication: Preshared keys (a.k.a., shared secret).

When using Meraki hosted authentication, VPN account/user name setting on client devices (e.g., PC or Mac) is the user email address entered in the Dashboard.

Open Start Menu > Control Panel, click on Network and Internet, click on View network status and tasks.

In the Set up a connection or network pop-up window, choose Connect to a workplace (Set up a dial-up or VPN connection to your workplace).

Choose Use my Internet connection (VPN), in the Connect to a workspace dialog window.

In the Connect to a Workplace dialog box, enter:

  • Internet address: Enter the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.
  • Destination name:This can be anything you want to name this connection, for example, 'Work VPN.'

Choose 'Don't connect now; just set it up so that I can connect later' option.

Click Next. In the next dialog window, enter the user credentials, and click Create.

Close the VPN connection wizard.
Go to Networking and Sharing Center and click Change Adapter Settings
In Network Connections window, right-click on the new VPN connection settings and choose Properties
In the General tab, verify the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.
In the Options tab, uncheck 'Include Windows logon domain'
In the 'Security' tab, choose 'Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)'.
Then, check 'Unencrypted password (PAP)', and uncheck all other options.
Click on 'Advanced settings'.

Despite the name 'Unencrypted PAP', the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN.

In Advanced Properties dialog box, choose 'Use preshared key for authentication' and enter the pre-shared key that admin created in Security appliance >Configure > Client VPN settings.
Back at the Network Connections window, right-click on the VPN connection and click Connect
Verify your user name and click Connect.

Windows 8

Currently only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki hosted authentication.
  • Machine authentication: Preshared keys (a.k.a., shared secret).

When using Meraki hosted authentication, VPN account/user name setting on client devices (e.g., PC or Mac) is the user email address entered in the Dashboard.

Open Start Menu > Network and Sharing Center and click Settings.

In the Network and Sharing Center, click Set up a new connection or network.

In the Set Up a Connection or Network pop-up window, choose Connect to a workplace.
(Set up a dial-up or VPN connection to your workplace).

Choose Use my Internet connection (VPN), in the Connect to a Workspace dialog window.

In the Connect to a Workplace dialog box, enter:

  • Internet address: Enter the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.
  • Destination name:This can be anything you want to name this connection, for example, 'Work VPN.'
Click Create.

Go back to Network and Sharing Center and click Change Adapter Settings.

In the Networks Connections window, right click on the VPN connection icon and choose Properties.
In the General tab, verify the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.
In the 'Security' tab, choose 'Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)'.
Then, check 'Unencrypted password (PAP)', and uncheck all other options.

Despite the name 'Unencrypted PAP', the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN.

In Advanced Properties dialog box, choose 'Use preshared key for authentication' and enter the pre-shared key that admin created in Security appliance >Configure > Client VPN settings.
Back at the Network Connections window, right-click on the VPN connection and click Connect / Disconnect.
Find your VPN profile and click Connect.
Enter your user name and password.

Windows 10

Currently only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki hosted authentication.
  • Machine authentication: Preshared keys (a.k.a., shared secret).

When using Meraki hosted authentication, VPN account/user name setting on client devices (e.g., PC or Mac) is the user email address entered in the Dashboard.

Open Start Menu > Search 'VPN' > Click Change virtual private networks (VPN)

From the VPN settings page, click Add a VPN connection.

In the Add a VPN connection dialog:

  • VPN provider: Set to Windows (built-in)
  • Connection name: This can be anything you want to name this connection, for example, 'Work VPN.'
  • Server name or address: Enter the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.
  • VPN type: Select L2TP/IPsec with pre-shared key
  • User name and Password: optional

Press Save.

After the VPN connection has been created, click Change adapter options under Related settings.

Right-click on the VPN Connection from the list of adapters and click Properties.

In the Security tab, select 'Require encryption (disconnect if sever declines)' under Data encryption.
Then, select 'Allow these protocols' under Authentication. From the list of protocols, check 'Unencrypted password (PAP)', and uncheck all other options.

Despite the name 'Unencrypted PAP', the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN.

In Advanced Properties dialog box, choose 'Use preshared key for authentication' and enter the pre-shared key that admin created in Security appliance >Configure > Client VPN settings.

Back at the Network Connections window, right-click on the VPN connection and click Connect / Disconnect.

Find your VPN profile and click Connect.

Click OK.

Windows XP

Currently only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki hosted authentication.
  • Machine authentication: Preshared keys (a.k.a., shared secret).

When using Meraki hosted authentication, use the email address for VPN account / user name.

Open Start Menu > Control Panel, click on Network Connections.

In the Network Tasks section, click on Create a new connection.

Choose Connect to the network at my workplace, in the New Connection Wizard window.

Choose Virtual Private Network connection in the next section.

Then, give a name for this connection. This can be anything you want to name this connection, for example, 'Work VPN.'

Enter the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.

In the Connect <Connection Name> box, click on Properties

In the General tab, verify the hostname (e.g. .com)orthe active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in Dashboard, under Security appliance > Monitor > Appliance status.

In the Options tab, uncheck 'Include Windows logon domain'
In the Security tab, choose Advanced (custom settings).
In Advanced Security Settings page, select Optional encryptionfrom the Data encryption pull-down menu.
Choose Unencrypted password (PAP) from the Allow these protocols options and uncheck everything else.

Despite the name 'Unencrypted PAP', the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN.

Back on the Security tab, click IPSec Settings...
Check 'Use pre-shared key for authentication' and enter the pre-shared key that admin created in Security appliance >Configure > Client VPN settings.
In Networking tab, choose L2TP IPSec VPN from the Type of VPN options.
Back at the Network Connections window, right-click on the VPN connection and click Connect
Verify your user name and click Connect

Since Client VPN uses the L2TP over IPsec standard, any Linux client that properly supports this standard should suffice. Please note that newer versions of Ubuntu do not ship with a VPN client that supports L2TP/IP, and will therefore require a 3rd party VPN client that supports the protocol.

Note: The xl2tp package does not send user credentials properly to the MX when using Meraki Cloud Controller authentication, and this causes the authentication request to fail. Active Directory or RADIUS authentication can be used instead for successful authentication.

Configuring Ubuntu 20.04

Ubuntu does not support L2TP VPN by default. You will need to install a couple of software packages to enable this functionality. The instructions below were written for Ubuntu 20.04 LTS with the Gnome desktop environment. Ubuntu versions 16.04 and 18.04 can be configured in a similar manner. However, due to the large number of Linux versions available, it is not feasible to document every supported Ubuntu version.

In order to begin the VPN setup, open up a terminal window. Do this by searching for Terminal in your application list. Click on the Terminal icon to open a new terminal session.

Once the terminal window appears, you will need to enter a few commands.

Note: You will need to be a part of the “sudoers” group to install these packages. If you receive an error message like “<username> is not in the sudoers file.” you will need to either adjust your permissions, contact your administrator to add your account as an administrator or have them install the software for you.

Once the packages have been installed, you may open up the Network Settings by searching for Settings in the application list, or by clicking on the Network icon at the top right of the screen and selecting Wired (or Wireless) Settings.

Once the Network Settings window pops up, you will see there is a VPN section listed. Click on the + icon to set up a new VPN connection.

Select the Layer 2 Tunneling Protocol (L2TP) VPN type on the modal pop up window. If L2TP is not listed as an option, please see the first step about installing the required packages.

After selecting the L2TP option, a new modal will pop up titled Add VPN. Fill out your VPN Name, Gateway, User name, and Password information here.

Note: To save your password on this screen, you must select the appropriate option from the question mark on the password field.

Next, click on the IPsec Settings button to open the L2TP IPsec Options modal.

Once the modal pops up, expand the Advanced options, and enter the following:

Select OK to continue. You will be returned back to the Add VPN modal. Select the PPP Settings button.

On the L2TP PPP Options modal, select only the PAP authentication method. Be sure the other authentication methods are de-selected. All other options can remain as the default. Select OK to continue.

Select Add at the top right corner of the Add VPN modal to complete the VPN setup.

Now you may connect your VPN by toggling the button on the Network Settings page:

Or by selecting the Connect option from the top right corner menu.

Upon successful connection, a VPN icon will appear next to the network icon in the status bar.

Note: The version of network-manager-l2tp that is installed along with xl2tpd is known to cause issues when connecting to Meraki Appliances. To alleviate this, you must disable the xl2tpd service when using the network-manager GUI to connect to a Meraki VPN.

To stop the xl2tpd service once use this Terminal command:

sudo service xl2tpd stop

To stop the xl2tpd service for all subsequent reboots use this Terminal command:

Connection

sudo update-rc.d xl2tpd disable

Site-to-site VPN connections between MX Security Appliances and/or Z-series Teleworker Gateways will automatically form a mesh topology between all VPN-enabled peers in the same Dashboard organization by default. This is often undesirable because such connections establish unnecessary IPSec tunnels between remote sites and create performance-degrading networking overhead.

In these cases it is best to configure Site-to-site VPN topology for Hub and spoke, which designates the datacenter MX as the 'hub' and all remote sites as the 'spoke'. This model can be useful in organizations where several auxiliary sites require a connection to the HQ or datacenter-located concentrator, pictured below.

Figure 1. Split tunnel w/ Hub-and-Spoke (connect directly to one peer). VPN connections (blue) are established to only one peer (top). Traffic to the internet (black) goes out locally from each site.

Figure 2. Full tunnel w/ Hub-and-Spoke (connect directly to one peer). VPN connections (blue) are established to only one peer (top). Traffic to the internet (black) goes out from a central concentrator/hub (top).

Although each remote location is not connected directly in this method, remote sites can still connect with each other via the hub by default. This article covers:

Configure Meraki Vpn Client

  • Hub and spoke VPN setup and configuration
  • Limiting connections between Spokes

Hub and Spoke VPN Setup and Configuration

Note: Hub and spoke topologies are currently only supported between Meraki MXes, non-Meraki VPN peers cannot be configured as spokes.

The MX features a hub-and-spoke option for its MX to MX VPN. To implement Hub-and-spoke the network administrator needs to follow these steps:

  1. Set up the hub MX Device
    1. Navigate to the Dashboard Network of the MX that will act as the hub.
    2. Navigate to Security & SD-WAN > Configure > Site-to-Site VPN.
    3. Set the Type to Hub (Mesh):
    4. (Optional) If another MX in the organization is also configured as a hub, it can be added as an Exit hub. If configured, all VPN client traffic to this MX will be tunneled to the specified exit hub.
    5. Configure any other VPN settings desired (local networks, NAT traversal, etc)
    6. Save.
  2. Set up the spoke MX Device
    1. Navigate to the Dashboard Network of the MX that will act as the spoke.
    2. Navigate to Security & SD-WAN > Configure > Site-to-site VPN.
    3. Set the Type to Spoke:
    4. Select the hub MX under the Name drop-down. Multiple hubs can be added and prioritized in descending order.
    5. Select at least one hub for a Default route:
      • If a hub is not configured as a default route, the spoke will only send traffic to this hub when the destination subnet is advertised by the hub.
      • If a hub is configured as a default route, any traffic that is not destined for a higher-priority hub will be sent by default to this hub.
    6. Configure any other VPN settings desired (local networks, NAT traversal, etc)
    7. Save.

Setup Meraki Vpn Windows 7

Once Saved, the MX set as 'Spoke' will form a VPN tunnel with the specified hub(s).

Limiting Connections Between Spokes

In the event you need to limit branch office communication, configure Site-to-site firewall rules. You can edit the Site-to-site firewall from any MX network. This can be done at Security & SD-WAN > Configure > Site-to-site VPN > Organization Wide Settings > Site-to-site outbound firewall.

Setup Meraki Vpn Windows 10

This will allow you to limit the communication between spokes in the way you desire. In this particular example we have prevented the New York site from communicating with the Chicago site and vice versa, while allowing both sites to communicate with the hub via the inherent allow any rule at the bottom. Rules are processed in a top-down fashion. If you want to deny the traffic from each spoke, you must set up a rule both ways.