Client VPN OS Configuration

To configure an iOS device to connect to the client VPN, follow these steps:

1. Navigate to Settings > General > VPN & Device Management > VPN > Add VPN Configuration
2. Type: Set to L2TP
3. Description: This can be anything you want to name this connection, for example, "Work VPN"
4. Server: Enter the hostname (for example: abcd.com) or the active WAN IP (for example: a.b.c.d)
   • Hostname is preferred to improve reliability during WAN failover
   • This information is located in the Meraki dashboard under Security & SD-WAN > Monitor > Appliance status
5. Account: Enter the username
6. Password: Enter if desired
   • If the password is left blank, it will need to be entered each time the device attempts to connect to the client VPN
7. Secret: Enter the shared secret that admin created in Security & SD-WAN > Configure > Client VPN
8. Ensure that Send All Traffic is set to on
9. Save the configuration

To configure a macOS device to connect to client VPN, see Set up a VPN connection on Mac in Apple Support.

The following VPN information is needed:

• Display Name: This can be anything you want to name this connection, for example, "Work VPN"
• Server Address: Enter the hostname (for example: abcd.com) or the active WAN IP (for example: a.b.c.d)
  • Hostname is preferred to improve reliability during WAN failover
  • This information is located in the Meraki dashboard under Security & SD-WAN > Monitor > Appliance status
• Account Name: Enter the account name of the user (based on AD, RADIUS, or Meraki cloud authentication)
• Password: User password (based on AD, RADIUS or Meraki cloud authentication)
• Machine Authentication > Shared Secret: Enter the shared secret that admin created in Security & SD-WAN > Configure > Client VPN 

The following authentication methods are supported:

• User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
• Machine authentication: Pre-shared keys

When using Meraki-hosted authentication, the VPN account and username setting is the user email address entered in the Meraki dashboard.

The following VPN information is needed to complete the setup:

• VPN provider: Set to Windows (built-in)
• Connection name: This can be anything you want to name this connection, for example, "Work VPN"
• Server name or address: Enter the hostname (for example: abcd.com) or the active WAN IP (for example: a.b.c.d)
  • Hostname is preferred to improve reliability during WAN failover
  • This information is located in the Meraki dashboard under Security & SD-WAN > Monitor > Appliance status
• VPN type: Select L2TP/IPsec with pre-shared key
• User name and Password: optional

After the VPN connection has been created, set the Authentication protocols:

1. Choose the VPN connection and then select Advanced options > Adapter Settings. Note: Alternatively, run ncpa.cpl directly from Search or Command prompt to quickly access your VPN adapters.
2. In the Security tab, select Require encryption (disconnect if sever declines) under Data encryption
3. Under Authentication select Allow these protocols and select Unencrypted password (PAP)
4. Verify that no other protocols are selected

 

 

Passwords sent over an IPsec tunnel between the client device and the MX are always encrypted, even when using PAP authentication protocols. The password is fully secure and never sent in clear text over the WAN or the LAN.