This article outlines the steps necessary to configure Client VPN and establish a connection from a Linux-based client, using Ubuntu as an example.
Note: Depending on the Linux distribution and version used by the client, these exact steps may not apply. Since Client VPN uses the L2TP over IPsec standard, any Linux client that properly supports this standard should suffice. This article details specific configuration steps for Ubuntu Linux 12.04. Newer versions of Ubuntu do not ship with a VPN client that supports L2TP/IPsec and will therefore require a third-party VPN client that supports the protocol.
Client VPN is enabled from Configure > Client VPN in the dashboard. Once Client VPN has been enabled, the user must define a unique Client VPN subnet, a secret key, and an authentication type. Once these settings have been configured, users will be able to create a VPN session to the MX. Please reference the following link for configuring VPN settings on various other operating systems.
For this example, the VPN subnet has been defined as 192.168.11.0/24, the secret key as 'meraki', and the authentication type as Active Directory.
Note: The xl2tpd package does not send user credentials properly to the MX when using Meraki Cloud Controller authentication, and this causes the authentication request to fail. Active Directory or RADIUS authentication can be used instead for successful authentication.
Multiple packages exist that allow Linux devices to connect to an L2TP/IPsec VPN. Ubuntu 12.04 supports openswan, and the following example configuration uses this software as a reference.
Under the VPN Connections options, create a new VPN connection by clicking Add.
In this example the connection is called Meraki_MX. In the IPsec configuration tab, the remote server field is the Internet Port 1 IP address of the MX. An FQDN that resolves to this IP address can also be used. The pre-shared key is the secret key that was defined on the dashboard.
On the PPP configuration tab, you will need to deselect everything but PAP authentication and define the username/password of the connecting user.
Note: Despite the "Unencrypted password" label, the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over either the WAN or the LAN.
After installing and configuring the VPN client you can test the connection. Monitor > Event log will show successful event log messages. Here is an example log that shows a working connection:
Jan 1 12:53:24 04:a0:0c:cb:34:29 VPN client connected remote_ip: 126.96.36.199, user_id: test.user, local_ip: 192.168.11.239
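The check described above can be scripted against exported event log lines. The following is an added example, not part of the original article or any Meraki tooling: it parses "VPN client connected" lines and confirms that the assigned local_ip falls inside the Client VPN subnet from this example (192.168.11.0/24). The field layout is assumed from the single sample line above, and the function names are hypothetical.

```python
import ipaddress
import re

# Layout inferred from the one sample line in this article (an assumption,
# not a documented log schema): timestamp, MAC, event name, key: value pairs.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"VPN client connected\s+(?P<fields>.+)$",
    re.IGNORECASE,
)

def parse_vpn_event(line):
    """Return a dict for a 'VPN client connected' line, or None for any other line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    event = {"timestamp": m.group("ts"), "mac": m.group("mac").lower()}
    for pair in m.group("fields").split(","):
        key, sep, value = pair.partition(":")
        if sep:
            event[key.strip()] = value.strip()
    return event

def check_connection(line, vpn_subnet, expected_user=None):
    """Return a list of problems; an empty list means the line confirms the session."""
    network = ipaddress.ip_network(vpn_subnet)
    event = parse_vpn_event(line)
    if event is None:
        return ["not a 'VPN client connected' event"]
    problems = []
    try:
        local_ip = ipaddress.ip_address(event.get("local_ip", ""))
        if local_ip not in network:
            problems.append(f"local_ip {local_ip} is outside {vpn_subnet}")
    except ValueError:
        problems.append("local_ip missing or not an IP address")
    if expected_user is not None and event.get("user_id") != expected_user:
        problems.append(f"user_id {event.get('user_id')!r} is not {expected_user!r}")
    return problems

SAMPLE_LINES = [
    # From the article:
    "Jan 1 12:53:24 04:a0:0c:cb:34:29 VPN client connected remote_ip: 126.96.36.199, user_id: test.user, local_ip: 192.168.11.239",
    # Constructed for this example: address outside the Client VPN subnet.
    "Jan 1 12:54:02 04:a0:0c:cb:34:29 VPN client connected remote_ip: 203.0.113.7, user_id: test.user, local_ip: 10.0.0.5",
    # Constructed for this example: an unrelated event.
    "Jan 1 12:55:10 04:a0:0c:cb:34:29 some other event",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(check_connection(sample, "192.168.11.0/24", "test.user") or "OK")
```

A local_ip outside the configured subnet usually means the line belongs to a different Client VPN configuration than the one being tested.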