Skip to main content

 

Cisco Meraki Documentation

Meraki Go - Client VPN Setup

Client VPN allows users to remotely access their GX50 hardware and the devices connected to them from anywhere in the world. This article outlines how to enable client VPN on the GX50 as well as how to configure several popular client devices such as mobile phones or laptops.

Note: The article Troubleshooting Client VPN covers advanced troubleshooting topics that apply to the GX50 if issues should arise.

Configuring VPN is a two step process:

  1. Enable and configure Client VPN on the GX50.
  2. Set up the end user device to connect to the GX50 via VPN.

Any client that supports L2TP/IPSec VPN can setup a VPN connection to the GX50.

GX50 Setup

Follow these step-by-step instructions to enable client VPN on the GX50.
 

  1. Open the Meraki Go app and navigate to Settings -> Advanced Settings -> Client VPN
    Login
    1_login.png
    Go to Settings
    2_settings.png

    Find Advanced Settings
    3_adv_settings.png
    Select Client VPN
    4_client_vpn_screen.png
  2. Tap Client VPN Settings
  3. Tap Toggle client VPN to turn the feature on.
  4. Tap Administrators to choose which users have access to Client VPN.
    6_admins.png
  5. Enter the shared secret which functions similarly to a password.
  6. Tap Save.

The GX50 is now configured to accept client VPN connections. Next, end users will have to setup their devices to connect to the GX50.

 

Laptop and Mobile Configuration

This section is broken down by device type and how to configure each operating system.

Android

To configure an Android device to connect to the client VPN, follow these steps:

  • Navigate to Settings > Wireless & Networks > VPN
  • Click the plus icon to add an additional VPN profile

Screenshot_2015-08-15-10-47-59-2.png

  • Name: This can be anything you want to name the connection, for example, "Work VPN"

  • Type: select L2TP/IPSEC PSK

  • Server address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Your hostname can be found by selecting the GX50 from the Hardware tab in the app and scrolling to the bottom of the page. 

  • IPSec preshared key: Enter the preshared key that admin created in Security & SD-WAN > Configure > Client VPN settings.

  • Click save

Screenshot_2015-08-15-10-49-38.png

 

 

You will be prompted for user credentials when you connect.

Screenshot_2015-08-15-10-50-34.png

 

 

Chrome OS

Chrome OS-based devices can be configured to connect to the client VPN feature on MX security appliances. This allows remote users to securely connect to the LAN. This article will cover how to configure the VPN connection on a Chrome OS device. For more information on how to set up the client VPN feature of the MX, or how to connect from other operating systems, please visit the Client VPN Overview documentation.
 

  1. If you haven't already, sign in to your Chromebook.
  2. Click the status area at the bottom of your screen where your account picture is located.
  3. Select Settings.
  4. In the Internet connection section, click Add connection.
  5. Select Add private network.
  6. In the box that appears, fill in the information below:
    1. Server hostname: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Your hostname can be found by selecting the GX50 from the Hardware tab in the app and scrolling to the bottom of the page.
    2. Service name: This can be anything you want to name this connection, for example, "Work VPN"
    3. Provider type: Select L2TP/IPsec + Preshared key.
    4. Pre-shared key: Enter the shared secret that admin created in Security & SD-WAN> Configure > Client VPN settings.
    5. Username: Credentials for connecting to VPN. If using Meraki authentication, this will be an e-mail address.
    6. Password: Credentials for connecting to VPN.
  7. Click Connect.

For more information regarding the configuration of VPN connections in Chrome OS, visit the Google Support page.

iOS

To configure an iOS device to connect to the client VPN, follow these steps:

  1. Navigate to Settings > General > VPN > Add VPN Configuration.
  2. Type: Set to L2TP.
  3. Description: This can be anything you want to name this connection, for example, "Work VPN".
  4. Server: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Your hostname can be found by selecting the GX50 from the Hardware tab in the app and scrolling to the bottom of the page.
  5. Account: Enter the username.
  6. Password: Enter if desired. If the password is left blank, it will need to be entered each time the device attempts to connect to the client VPN.
  7. Secret: Enter the shared secret that admin created in Security & SD-WAN > Configure > Client VPN settings.
  8. Ensure that Send All Traffic is set to on.
  9. Save the configuration.

unnamed.png

 

macOS

Currently, only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
  • Machine authentication: Preshared keys (e.g. shared secret)

When using Meraki-hosted authentication, the VPN account/username setting on client devices (e.g. PC or Mac) is the user email address entered in the dashboard.

The instructions below are tested on Mac OS 10.7.3 (Lion).

Open System Preferences > Network from the Mac applications menu. Click the "+" button to create a new service, select VPN as the interface type, and choose L2TP over IPsec from the pull-down menu.

  • Server Address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Your hostname can be found by selecting the GX50 from the Hardware tab in the app and scrolling to the bottom of the page.
  • Account Name: Enter the account name of the user (based on AD, RADIUS, or Meraki cloud authentication).
image2012-3-9 8-19-16.png
 
 
Click Authentication Settings and provide the following information:
  • User Authentication > Password: User password (based on AD, RADIUS or Meraki cloud authentication).
  • Machine Authentication > Shared Secret: Enter the shared secret that admin created in Security & SD-WAN > Configure > Client VPN settings.
image2012-3-2 9-28-16.png
 
 
Click OK to go back to the main VPN settings page, then click Advanced and enable the Send all traffic over VPN connection option.

image2012-3-1 15-21-49.png

The VPN connectivity will not be established if you don't enable the Send all traffic over VPN connection option.

 

 

 

 

Windows 7

Currently, only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
  • Machine authentication: Preshared keys (e.g. shared secret)

When using Meraki-hosted authentication, the VPN account/username setting on client devices (e.g. PC or Mac) is the user email address entered in the dashboard.

 

Open Start Menu > Control Panel, click on Network and Internet, click on View network status and tasks.

image2012-3-1 15-33-9.png

 

 

In the Set up a connection or network pop-up window, choose Connect to a workplace (set up a dial-up or VPN connection to your workplace).

image2012-3-1 15-33-43.png

 

 

Choose Use my Internet connection (VPN) in the Connect to a workspace dialog window.

image2012-3-1 15-34-39.png

 

 

In the Connect to a Workplace dialog box, enter:

  • Internet address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP  because it is more reliable in cases of WAN failover. Your hostname can be found by selecting the GX50 from the Hardware tab in the app and scrolling to the bottom of the page. 
  • Destination name: This can be anything you want to name this connection, for example, "Work VPN".

image2012-3-1 15-37-51.png

 

Choose Don't connect now; just set it up so that I can connect later.

 

 

Click Next. In the next dialog window, enter the user credentials, and click Create.

image2012-3-1 15-39-25.png
 
 
Close the VPN connection wizard.
image2012-3-8 11-31-2.png
 
 
Go to Networking and Sharing Center and click Change Adapter Settings
image2012-3-8 11-33-20.png
 
 
In the Network Connections window, right-click on the new VPN connection settings and choose Properties.
vpn properties.png
 
 
In the General tab, verify the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in the dashboard under Security & SD-WAN > Monitor > Appliance status.
image2012-3-8 11-37-28.png
 
 
In the Options tab, uncheck Include Windows logon domain.
image2012-3-8 11-37-49.png
 
 
In the Security tab, choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).
Check Unencrypted password (PAP), and uncheck all other options.
image2012-3-8 11-40-48.png
Click on Advanced settings.
 

Despite the name "Unencrypted PAP," the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over the WAN or the LAN.

 

In the Advanced Properties dialog box, choose Use preshared key for authentication and enter the preshared key that admin created in
Security & SD-WAN > Configure > Client VPN settings.
Click OK.
image2012-3-8 11-40-26.png
 
 
At the Network Connections window, right-click on the VPN connection and click Connect.
connect.png

 
Verify your username and click Connect.
image2012-3-9 11-41-20.png
 
 
 

Windows 8

Currently, only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
  • Machine authentication: Preshared keys (a.k.a. shared secret)

When using Meraki-hosted authentication, the VPN account/username setting on client devices (e.g. PC or Mac) is the user email address entered in the dashboard.

 

Open Start Menu > Network and Sharing Center and click Settings.

network_sharing_center.png

 
 
In the Network and Sharing Center, click Set up a new connection or network.
setup_network_connection.png

 

 

In the Set Up a Connection or Network pop-up window, choose Connect to a workplace.
(Set up a dial-up or VPN connection to your workplace)

connect_to_a_workplace.png

 

 

Choose Use my Internet connection (VPN), in the Connect to a Workspace dialog window.

vpn_connection.png

 

 

In the Connect to a Workplace dialog box, enter:

  • Internet address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Your hostname can be found by selecting the GX50 from the Hardware tab in the app and scrolling to the bottom of the page. 
  • Destination name: This can be anything you want to name this connection, for example, "Work VPN".
Click Create.
enter_IP.png

 

 

Go back to Network and Sharing Center and click Change Adapter Settings.

change_adapter_settings.png
 
 
In the Network Connections window, right-click on the VPN connection icon and choose Properties.
properties.png
 
 
In the General tab, verify the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in the dashboard under Security & SD-WAN > Monitor > Appliance status.
general_tab.png
 
 
In the Security tab, choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec).
Check Unencrypted password (PAP) and uncheck all other options.
l2tp_ipsec_vpn.png
 
Click on Advanced settings.

Despite the name "Unencrypted PAP," the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over the WAN or the LAN.

 

 

In the Advanced Properties dialog box, choose Use preshared key for authentication and enter the preshared key that admin created in
Security & SD-WAN Configure > Client VPN settings.
Click OK.
 
advanced_settings.png
 
 
Back at the Network Connections window, right-click on the VPN connection and click Connect / Disconnect.
connect-1.png
 
 
Find your VPN profile and click Connect.
connect_to_vpn.png
 
 
Enter your username and password.
Click OK.
enter_credentials.png
 
 
 

Windows 10

Currently, only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
  • Machine authentication: Preshared keys (e.g. shared secret)

When using Meraki-hosted authentication, VPN account/username setting on client devices (e.g. PC or Mac) is the user email address entered in the dashboard.

 

Open Start Menu > Search "VPN" > Click Change virtual private networks (VPN)

W10-CVPN-1.png

 

From the VPN settings page, click Add a VPN connection.

W10-CVPN-2.jpg

 

In the Add a VPN connection dialog:

  • VPN provider: Set to Windows (built-in)
  • Connection name: This can be anything you want to name this connection, for example, "Work VPN"
  • Server name or address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Your hostname can be found by selecting the GX50 from the Hardware tab in the app and scrolling to the bottom of the page. 
  • VPN type: Select L2TP/IPsec with preshared key
  • User name and Password: optional

Press Save.

win10vpn.png

 

 

After the VPN connection has been created, click Change adapter options under Related settings.

W10-CVPN-4.png

 

 

Right-click on VPN Connection from the list of adapters and click Properties.

W10-CVPN-5.png

 

 

In the Security tab, select Require encryption (disconnect if sever declines) under Data encryption.
Then, select Allow these protocols under Authentication. From the list of protocols, check Unencrypted password (PAP), and uncheck all other options.
W10-CVPN-6.png
 
Click on Advanced settings.
 

Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over the WAN or the LAN.

 

 

In the Advanced Properties dialog box, choose "Use preshared key for authentication" and enter the preshared key that admin created in 
Security & SD-WAN > Configure > Client VPN settings.

W10-CVPN-7.png

 

 

Back at the Network Connections window, right-click on the VPN connection and click Connect / Disconnect.

W10-CVPN-8.png

 

 

Find your VPN profile and click Connect.

W10-CVPN-9.png

 

 

Enter your username and password.
Click OK.

W10-CVPN-10.png

 

 

 

Windows XP

Currently, only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
  • Machine authentication: Preshared keys (e.g. shared secret)

When using Meraki-hosted authentication, use the email address for VPN account / user name.

 

Open Start Menu > Control Panel, click on Network Connections.

image2012-4-12 12-39-31.png

 

 

In the Network Tasks section, click on Create a new connection.

image2012-4-12 12-41-32.png

 

 

Choose Connect to the network at my workplace, in the New Connection Wizard window.

image2012-4-12 12-43-16.png

 

 

Choose the Virtual Private Network connection in the next section.

image2012-4-12 12-45-14.png

 

 

Then, give a name for this connection. This can be anything you want, for example, "Work VPN".

image2012-4-12 12-46-8.png

 

 

Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Your hostname can be found by selecting the GX50 from the Hardware tab in the app and scrolling to the bottom of the page. 

  • image2012-4-12 12-49-35.png

     

     

    In the Connect <Connection Name> box, click on Properties:

    image2012-4-12 17-59-36.png

     

     

    In the General tab, verify the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX)Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. Admin can find them in the dashboard under Security & SD-WAN > Monitor > Appliance status.

    image2012-4-12 18-1-50.png
     
     
    In the Options tab, uncheck Include Windows logon domain
    image2012-4-12 18-2-59.png
     
     
    In the Security tab, choose Advanced (custom settings).
    Click Settings.
    image2012-4-12 18-15-14.png
     
     
    On the Advanced Security Settings page, select Optional encryption from the Data encryption pull-down menu.
    Choose Unencrypted password (PAP) from the Allow these protocols options and uncheck everything else.
    image2012-4-12 18-20-32.png

    Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over the WAN or the LAN.

     

     
    Back on the Security tab, click IPSec Settings.
    image2012-4-12 18-15-14-1.png
     
     
    Check Use pre-shared key for authentication and enter the preshared key that admin created in Security & SD-WANConfigure > Client VPN settings.
    Click OK.
    image2012-4-12 18-8-38.png
     
     
    In the Networking tab, choose L2TP IPSec VPN from the Type of VPN options.
    image2012-4-30 19-36-41.png
     
     
    Back at the Network Connections window, right-click on the VPN connection and click Connect.
    image2012-4-12 18-46-45.png
     
     
    Verify your username and click Connect.
    image2012-4-12 18-47-42.png
     

    Linux

Since client VPN uses the L2TP over IPsec standard, any Linux client that properly supports this standard should suffice. Please note that newer versions of Ubuntu do not ship with a VPN client that supports L2TP/IP, and will therefore require a third-party VPN client that supports the protocol.

Note: The xl2tp package does not send user credentials properly to the MX when using Meraki Cloud Controller authentication, and this causes the authentication request to fail. Active Directory or RADIUS authentication can be used instead for successful authentication.

Configuring Ubuntu 20.04

Ubuntu does not support L2TP VPN by default. You will need to install a couple of software packages to enable this functionality. The instructions below were written for Ubuntu 20.04 LTS with the Gnome desktop environment. Ubuntu versions 16.04 and 18.04 can be configured in a similar manner. However, due to the large number of Linux versions available, it is not feasible to document every supported Ubuntu version.

In order to begin the VPN setup, open a terminal window. Do this by searching for Terminal in your application list. Click on the Terminal icon to open a new session.

Terminal.png

 

Once the terminal window appears, you will need to enter a few commands:

sudo apt-get update
sudo apt-get install network-manager-l2tp
sudo apt-get install network-manager-l2tp-gnome

 

TerminalGIF.gif

 

Note: You will need to be part of the “sudoers” group to install these packages. If you receive an error message like “<username> is not in the sudoers file” you will need to either adjust your permissions, contact your administrator to add your account as an administrator, or have them install the software for you.

 

Once the packages have been installed, you may open up the Network Settings by searching for Settings in the application list, or by clicking on the Network icon at the top right of the screen and selecting Wired (or Wireless) Settings.

network_icon_menu.png

 

Once the Network Settings window pops up, you will see there is a VPN section listed. Click on the + icon to set up a new VPN connection.

network_settings.png

 

Select the Layer 2 Tunneling Protocol (L2TP) VPN type on the modal pop-up window. If L2TP is not listed as an option, please see the first step about installing the required packages.

L2TP.png

 

After selecting the L2TP option, a new modal will pop up titled Add VPN. Fill out the Name, Gateway, User name, and Password fields here.

add_vpn_modal.png

 

Note: To save your password on this screen, you must select the appropriate option from the question mark on the password field.

 

clientVPN_ubu20-04_passStoreOpt.png

 

Next, click on the IPsec Settings button to open the L2TP IPsec Options modal.

ipsec_button.png

 

Once the modal pops up, expand the Advanced options, and enter the following:

Pre-shared key:  Enter the pre-shared key from Security & SD-WAN > Configure > Client VPN
Phase1 Algorithims: aes128-sha1-modp1024,3des-sha1-modp1024!
Phase2 Algorithims: aes128-sha1-modp1024,3des-sha1-modp1024!

 

l2tp_ipsec_options.png

 

Select OK to continue. You will be returned back to the Add VPN modal. Select the PPP Settings button. 

ppp_button.png

On the L2TP PPP Options modal, select only the PAP authentication method. Be sure the other authentication methods are de-selected. All other options can remain as the default. Select OK to continue.

l2tp_ppp_options.png

 

Select Add in the top-right corner of the Add VPN modal to complete the VPN setup.

add_vpn.png

 

Now you may connect your VPN by toggling the button on the Network Settings page:

toggle_vpn.png

 

Or by selecting the Connect option from the top-right-corner menu.

 

toggle_vpn_network_icon.png

 

Upon successful connection, a VPN icon will appear next to the network icon in the status bar.

vpn_connected.png

 

Note: The version of network-manager-l2tp that is installed along with xl2tpd is known to cause issues when connecting to Meraki appliances. To alleviate this, you must disable the xl2tpd service when using the network-manager GUI to connect to a Meraki VPN.

 

To stop the xl2tpd service once, use this Terminal command:

sudo service xl2tpd stop

 

To stop the xl2tpd service for all subsequent reboots, use this Terminal command:

sudo update-rc.d xl2tpd disable

 

 

 

  • Was this article helpful?