The VPN:
The Meraki client VPN uses the L2TP tunneling protocol and can be deployed on PC’s, Mac’s, Android, and iOS devices without additional software as these operating systems natively support L2TP.
The Encryption Method:
Along with the L2TP/IP protocol the Meraki client VPN employs the following encryption and hashing algorithms: 3DES and SHA1 for Phase1, AES128/3DES and SHA1 for Phase 2. Best practice dictated that the shared secret should not contain special characters at the beginning or end.
Enabling Client VPN:
Select Enabled from the Client VPN server pull-down menu on the Security Appliance -> Configure -> Client VPN page. You can then configure the following options:
MacOS Meraki VPN Setup Here are the basic steps: Open System Preferences Network from Mac applications menu. Click the “+” button to create a new service, then select VPN as the interface type, and choose L2TP over IPsec from the pull-down menu. Do you want access to your resources remotely?- Do your employees work outside of the office?- Do you want RDP to servers from anywhere?.
- Client VPN Subnet: The subnet that will be used for Client VPN connections. This should be a private subnet that is not in use anywhere else in your network. The MX will be the default gatway on this subnet and will route traffic to and from this subnet.
- DNS Nameservers: The servers VPN Clients will use to resolve DNS hostnames. You can choose from Google Public DNS, OpenDNS, or specifying custom DNS servers by IP address.
- WINS: If you want your VPN clients to use WINS to resolve NetBIOS names, select Specify WINS Servers from the drop-down and enter the IP addresses of the desired WINS servers.
- Secret: The shared secret that will be used to establish the Client VPN connection.
- Authentication: How VPN Clients will be authenticated.
- Systems Manager Sentry VPN Security: Configuration settings for whether devices enrolled in systems manager should receive a configuration to connect to the Client VPN.
Authentication:
The VPN uses both pre-shared key based authentication and user authentication. To set up the user authentication mechanism, you will need to select your authentication method.
Meraki Cloud Authentication:
Use this option if you do not have an Active Directory or RADIUS server, or if you wish to manager your VPN users via the Meraki cloud. To add or remove users, the User Management section at the bottom of the page. Add a user by selecting “Add new user” and entering the following information:
- Name: Enter the user’s name
- Email: Enter the user’s email address
- Password: Enter a password for the user or select “Generate” to automatically generate a password
- Authorized: Select whether this user is authorized to use the Client VPN
In order to edit an existing user, click on the user under User Management section. To delete a user, click the X next to the user on the right side of the user list. When using Meraki hosted authentication, the user’s email address is the username that is used for authentication.
RADIUS:
Use this option to authenticate users on a RADIUS server. Click Add a RADIUSserver to configure the server(s) to use. You will need to enter the IP address of the RADIUS server, the port to be used for RADIUS communication, and the shared secret for the RADIUS server.
Active Directory:
Use this option if you want to authenticate your users with Active Directory domain credentials. You will need to provide the following information:
- Short Domain: The short name of your Active Directory domain.
- Server IP: The IP address of an Active Directory server on the MX LAN.
- Domain Admin: The domain administrator account the MX should use to query the server.
- Password: Password for the domain administrator account.
Setup Meraki Vpn Client
For example, considering the following scenario: You wish to authenticate users in the domain test.company.com using an Active Directory server with IP 172.16.1.10. Users normally log into the domain using the format ‘test/username’ and you have created a domain administrator account with the username ‘vpnadmin’ and the password ‘vpnpassword’.
- The Short domain would be ‘test’.
- The Server IP would be 172.16.1.10
- The Domain admin would be ‘vpnadmin’
- The Password would be ‘vpnpassword’.
At this time, the MX does not support mapping group policies via Active Directory for users connecting through the Client VPN.
Systems Manager Sentry VPN Security:
When using Meraki cloud authentication, Systems Manager Sentry VPN security can be configured. If your Dashboard organization contains one or more MDM networks. Systems Manager Sentry VPN security allows for your devices enrolled in Systems Manager to receive the configuration to connect to the Client VPN through the Systems Manager profile on the device.
To enable Systems Manager Sentry VPN security, choose Enabled from the Client VPN server pulldown menu on the Security Appliance -> Configure -> Client VPN page. You can configure the following options:
- Install Scope: The install scope allows you to select a set of Systems Manager tags for a particular MDM network. Devices with these tags applied in a Systems Manager network will receive a configuration to connect to this network’s Client VPN server through their Systems Manager profile.
- Send All Traffic: Select whether all client traffic should be sent to the MX.
- Proxy: Whether a proxy should be used for this VPN connection. This can be set to automatic, manual, or disabled.
When using Systems Manager Sentry VPN security, the username and password used to connect to the client VPN are generated by the Meraki cloud. Usernames are generated based on a hash of unique identifier on the device and the username of that device. Passwords are randomly generated.
Was this article helpful?
Related Articles
Recently I received a Cisco Meraki Z3 from my work to be used at home as a teleworker gateway. If you don’t know what a Meraki Z3 it’s a teleworker gateway that provides enterprise-class firewall, VPN gateway and router all in one.
My coworkers that work with Cisco Meraki day in a and day out love this equipment.
In this article, we are going to create a site to site VPN with the Meraki Z3 and Azure VPN gateway.
The following steps are completed in PowerShell and take roughly 45 minutes to complete due to the creation time required for the VPN gateway.
Create Resource Group
Create a new resource group in your Azure subscription.
Create vNet and Subnets
Create a virtual network with two subnets. The first subnet called “default” is where your endpoints in Azure will reside. But you need to create another subnet called “GatewaySubnet”, it must be this name, or else Azure won’t treat it as a subnet gateway.
Create local network gateway (on-premise)
Create the local network gateway which specifies the specifics of your on-premises location. In the case of this example, my lab has three subnets I want to expose. The GatewayIpAddress parameter refers to your public IP address for your on-premises location.
Create Public IP address
Create the public IP address for your VPN gateway to be able to communicate back to your on-premises location.
Create the VPN Gateway Connectivity
Create the VPN gateway connectivity by assigning the subnet and public IP address.
Meraki Vpn Split Tunnel
Create the VPN gateway
We will combine all the previous steps to create a VPN gateway. Building a VPN gateway can take some time to complete, for me, it took on average 30 minutes to complete.
Configure the connection
Create and configure the connection between Azure and your on-site router. I used the cmdlet New-Guid to randomly generate a PassPhrase and output me the results so that I can use it in the next step to configuring pfSense.
Configure site-to-site VPN
- Login to your Meraki dashboard https://dashboard.meraki.com
- Go to Teleworker gateway and select site-to-site VPN
- On the site-to-site VPN page, under type select Hub (Mesh)
- Further down on the page, under VPN settings, select the appropriate local networks that will be available for the VPN connection.
- Continuing on the same page, under Organization-wide settings, Add a peer.
- The non-Meraki VPN peers will appear and add the required information:
- Name: provide name for the connection
- Public IP: public IP of the Azure VPN gateway
- Private subnet: Azure virtual network address space (do not enter individual subnets)
- IPsec policies: click on default and change the preset to Azure
- Preshared secret: enter the preshared key you used to create the Azure VPN gateway.
Verify connectivity
- Go to Teleworker gateway and select VPN status
- Go to Non-Meraki peer, ensure the status color is green.
- If the status is not green, go to the event log to troubleshoot.
Setup Meraki Vpn
I ran into a few issues during the setup and here are some of the errors I did and how I corrected it.
Configure Meraki Vpn Radius
- Azure VPN gateway was set to route-based. I had to delete the VPN gateway and recreate the gateway with the VPN type as Policy-based
- When configuring the site-to-site VPN on the Meraki dashboard, ensure the private subnets equals the address space configuration for your Azure virtual network.