Skip to main content

 

Cisco Meraki Documentation

Systems Manager VPN Configurations and Sentry VPN

The purpose of this article is to demonstrate how to configure VPN settings through Systems Manager (SM).

A Virtual Private Network ( or VPN) is used to allow secure, remote connection and access to a network. Systems Manager can be used to automatically push the VPN settings to managed iOS, macOS, Windows 10, and Samsung KNOX enabled Android devices. Within SM, a VPN connection can be configured manually, or with the addition of a MX Security Appliance or Cisco Meraki Concentrator in the same Dashboard organization, configured automatically. Automatically importing the VPN settings from the MX or Concentrator network will not only greatly simplify the configuration process, it will also prevent any typo errors in the VPN settings.

Work Profile cannot be enabled since it will result in this payload not working.

Note: Deploying VPN settings via SM is available for iOS, macOS, Windows 10, and Samsung KNOX enabled Android devices.

More InformationConfiguring client VPN.

More Information: For detailed information on how to create and deploy SM configuration profiles to different groups of managed devices, please consult this article.

Sentry VPN on Meraki MX-Z Devices

Sentry VPN Security allows you to define a tag-scope to receive a Dynamically generated VPN Configuration from the Security appliance > Configure > Client VPN page, and configured by selecting the appropriate tag scoping for your SM devices:

Screen_Shot_2016-06-01_at_2.24.50_PM.png

Sentry Configuration for VPN in Systems Manager

This option uses the Cisco Meraki cloud to automatically configure a VPN connection to a MX Security Appliance or VM Concentrator added in the same Dashboard Organization as the Systems Manager network.

  1. Navigate to the Systems Manager > Manage > Settings page. 
  2. Select the VPN tab.
  3. Configuration: Select Sentry.
  4. Security Appliance: Select the Dashboard network (MX or Concentrator) that contains the desired VPN connection. 
  5. Auth type: If choosing Specify account, a prompt to specify the name of the user account for authenticating the connection will appear. If Use device identity is selected, Dashboard will automatically generate and use unique identifying credentials for each device when connecting to the MX VPN.  
  6. Send All Traffic: Check this flag to send all device traffic through the VPN connection (Optional). 

The following screenshot displays an example of how to set up the Sentry VPN connection:

Screen Shot 2018-04-30 at 5.35.38 PM.png

Manual Configuration

This option allows you to manually configure VPN settings.  The supported and configurable manual VPN protocols are L2TP, PPTP, IPsec (Cisco), and Cisco AnyConnect.  

  1. Navigate to the Systems Manager > Manage > Settings page. 
  2. Select the VPN tab. 
  3. Configuration: Choose Manual.
  4. Connection Name: Input a name for the VPN connection that will be displayed on the iOS device. 
  5. Connection Type: Select either L2TP, PPTP, or IPsec (Cisco). 
  6. Sever: Input the public IP address of the VPN server. 
  7. Shared Secret (L2TP Only): Input the shared secret for the VPN connection.
  8. User Authentication: Select the user authentication method. Choosing Password allows the device user to be prompted for a password when using the VPN connection. 
  9. Account: Specify the name of the user account used for authenticating the connection (e.g., DOMAIN\username, or username@domain.tld). 
  10. Group Name (AnyConnect Only): Specifies the group in which the AnyConnect Account resides).  
  11. Send All Traffic: Check this flag to send all device traffic through the VPN connection (Optional). 
  12. Proxy Setup: Configure a proxy to be used with the connection (Optional).  

The following screenshot displays an example of how to setup the Manual VPN connection. Settings vary depending on the VPN connection type.

Screen Shot 2018-05-04 at 3.23.44 PM.png

 

Systems Manager can be used to push VPN configuration settings to remotely managed iOS, macOS, Windows 10, and Samsung KNOX enabled Android devices.  Adding a MX or Concentrator network to the Dashboard Organization can greatly simplify the configuration process by importing the VPN settings, and automatically updating them if any changes are made. Once the managed devices are able to check-in with SM, the VPN connection profile payload will install and be available for the device user to select.

Cisco AnyConnect and AnyConnect Legacy 

When selecting the Cisco AnyConnect connection type, a certificate will be required to be uploaded. This certificate can be exported from the VPN endpoint device and uploaded to dashboard after clicking on the "Add Credentials" option. This client device certificate would be generated and exportable from the AnyConnect endpoint after the certificate signing request (CSR) is completed and signed by the certificate authority (CA). 

b77d844f-3ccf-45b3-ba40-b0496376ef67.png

  • Was this article helpful?