Step 2: Claim the Non-Meraki VPN Hub MX & Create Network. In the new non-Meraki VPN organization, claim the new MX hardware using serial number or order number. Add the newly claimed MX appliance to a new network.
Step 3: Configure the Non-Meraki IPSec VPNs. Navigate to the Security Appliance > Configure > Site-to-site VPN page and set the Type to Hub.
This is the line that I use for my Meraki Client VPN. It does have to be run with admin credentials for -AllUserConnection to work. Your add-vpnconnectionroute lines should have an -AllUserconnection argument as well.
Recovering Access to Accounts Protected by Two-Factor Authentication
Two Factor Authentication (TFA) is an important security mechanism, and cannot be disabled by Cisco Meraki without positively identifying the account owner. There are two methods available to ensure access is not lost: a backup phone number (with SMS auth), and a list of one-time codes (with Google Authenticator).
The two methods above are the primary options for disabling or temporarily bypassing two-factor authentication. If these methods cannot be utilized for any reason, the only alternative is to provide proof of identity after contacting Cisco Meraki Technical Support. There are two methods to request removal of SMS and Google Authentication for TFA.
Please note that 2FA removal requests cannot be resolved via our support phone lines. 2FA disablement needs to be requested and processed by the admin email that needs assistance via a Meraki case for security purposes. See steps on recovering access below.
Method 1:
- Open a case by emailing licensing@meraki.com.
- This email must be sent from the email address of the account TFA is to be disabled on.
- It must include the full name of the organization that the account resides in.
- A second organization administrator must comment on the case through Dashboard granting approval to disable TFA on the account.
- Email or phone approval is not acceptable for this. The approval must come as a comment on the case.
- This permission can be granted only by an organization administrator with Full access.
Method 2:
Alternatively, if a second organization administrator with full access does not exist or is otherwise unavailable:
- Open a case by emailing licensing@meraki.com.
- This email must be sent from the email address of the account TFA is to be disabled on.
- Once in communication with a Cisco Meraki Support Specialist, explain that TFA needs to be disabled for the account and provide the requested documentation.
- The Support Operations Specialist will request more information about the organization and its contents and settings to verify the validity of the request.
- Once this step has been completed, a Cisco Meraki Support Specialist will provide you a document which must be signed, notarized, and mailed to Cisco Meraki Headquarters (address found below).
- When this is received by support, it will then be scanned and attached to the case before TFA is disabled.
- It is strongly recommended to send this letter with tracking, in case of postal issues.
- Unless otherwise specified by the Support Ops Team, use the following address format:
Cisco Meraki - Support Operations
500 Terry A Francois Blvd
4th Floor, C/O [SUPPORT OPS SPECIALIST'S NAME]
San Francisco, CA 94158
Cisco Meraki uses the integrated Windows client for VPN connection (no Cisco client at this time).
To be able to connect with simple AD user account credentials, along with a simple pre-shared key, the steps are very simple.
9 Steps total
Step 1: Get started
Click on Start and type in VPN, click on Change Virtual Private Networks (VPN)
Step 2: Add connection
Click on Add a VPN connection
Step 3: Configure Windows connection
Pick VPN provider as Windows
Name the connection
Put in server name or IP
Switch VPN type to L2TP/IPsec with pre-shared key
Switch Type of sign in to User name and password
Enter the username and password if you want to save it, or leave blank and user will have to enter it on connection
Hit Save

Step 4: Edit settings
Once you hit Save, it will bring you back to the connection page
Click on Change Adapter Options
Step 5: Configure adapter
In the adapter window, click on the adapter with the name you created in the VPN window
Click on Change settings of this connection
Step 6: Step 6
Click on Security tab
Make sure Type of VPN is still Layer 2 Tunneling Protocol with IPsec
Set Data encryption to Require encryption (disconnect if server declines)
Set Allow these protocols
Check Unencrypted password (PAP) - the password will still be encrypted, because PAP runs inside the IPsec tunnel, so don't worry
Click Advanced settings
Step 7: Add key
In the Advanced settings, click on Use preshared key
Type in the key you want to use
Hit OK to go back to the adapter settings
Click OK to close the adapter settings and save.
Close all other windows at this point.
Step 8: Connect
Click on the network icon in the system tray
Click on the VPN network connection name
Click on Connect
Step 9: Verify and disconnect
Verify you are connected
Click on the network system tray icon again if the window closed or minimized
You should now see the VPN network name listed and Connected underneath it
(If you are done with your connection, click on it and click Disconnect)
Now and then a Windows update breaks the connection's security settings by switching the authentication protocol from PAP to MS-CHAP. If users could connect before but suddenly can't, while others still can, revisit Step 6 and verify that PAP is turned on, not MS-CHAP. Save, and you're all set!
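The same settings can be applied with the VpnClient cmdlets built into Windows. This is an added example, not part of the original how-to: the connection name and server address are placeholders. It creates the connection from Steps 3 to 7 or, if the connection already exists, reports and repairs drift such as the PAP to MS-CHAP change described above.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original how-to. Name and server are placeholders.
param(
    [string]$Name   = 'Example Meraki VPN',   # hypothetical connection name
    [string]$Server = 'vpn.example.com',      # placeholder MX hostname or IP
    [Parameter(Mandatory)][string]$Psk        # prompted for when omitted; do not hard-code
)

# Settings from Steps 3, 6 and 7 of the walkthrough.
$desired = @{
    ServerAddress        = $Server
    TunnelType           = 'L2tp'
    L2tpPsk              = $Psk
    AuthenticationMethod = 'Pap'        # PAP runs inside the IPsec tunnel
    EncryptionLevel      = 'Required'   # "Require encryption (disconnect if server declines)"
    AllUserConnection    = $true        # machine-wide profile; needs elevation
    Force                = $true        # skip the confirmation prompt for PSK/PAP
}

$current = Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue

if (-not $current) {
    Add-VpnConnection -Name $Name @desired
    Write-Output "Created '$Name'."
    return
}

# Compare the live profile with the expected values and list what drifted.
$auth  = (@($current.AuthenticationMethod) -join ',')
$drift = @()
if ($current.ServerAddress   -ne $Server)    { $drift += "ServerAddress=$($current.ServerAddress)" }
if ($current.TunnelType      -ne 'L2tp')     { $drift += "TunnelType=$($current.TunnelType)" }
if ($current.L2tpIPsecAuth   -ne 'Psk')      { $drift += "L2tpIPsecAuth=$($current.L2tpIPsecAuth)" }
if ($auth                    -ne 'Pap')      { $drift += "AuthenticationMethod=$auth" }
if ($current.EncryptionLevel -ne 'Required') { $drift += "EncryptionLevel=$($current.EncryptionLevel)" }

if ($drift.Count -gt 0) {
    # Get-VpnConnection never returns the stored key, so the PSK is re-applied
    # together with the other settings.
    Set-VpnConnection -Name $Name @desired
    Write-Output "Repaired '$Name'. Found: $($drift -join '; ')"
}
else {
    Write-Output "'$Name' already matches the expected settings."
}
```

Because the script is safe to re-run, it can be executed again after a Windows update to confirm that nothing drifted.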
8 Comments
- ChipotleBMG_Zone Jun 20, 2018 at 12:42pm
I have a customer who is stating:
We've run into a weird problem where the built in Windows 10 vpn gets its settings changed whenever the wifi network changes. We have consultants who travel to various client sites and every time they try to connect to our vpn server they have to fix their vpn settings. The company we had hired to set up our vpn server said they can't help us with this, probably because it's a Windows issue
Any Ideas?
- HabaneroKrasimirPetrov_ Oct 31, 2018 at 02:46am
Good read. Thank you very much for sharing.
Excellent tutorial
- SonoraLRSpartan Jan 8, 2019 at 04:49pm
We have been trying to overcome the same problems with MX64 and making an outbound rule entry in Windows Defender Firewall is what helped us. We had performed all the other instructions Meraki and MSFT had provided including the regedit (asumeUDPEncap...).
We created a UDP port rule for 500, 4500 and scoped it to our vpn IP address. Finally works.
I hope this helps.
- Pimientoericguth2 Jan 28, 2020 at 09:00am
LRSpartan - are you saying that you port forward UDP 500 and 4500 to your VPN range 192.168.XXX.00/24?
- PoblanoAaronTheYoung Feb 3, 2020 at 08:15pm
We are constantly plagued by our VPN connection losing its settings as well. I'm not sure if this relates to a change in WiFi, but the people that it occurs with do seem to be people that change WiFi often. Others who are using it from one network at home seem to not have the issue.
In any case, I am constantly connecting to users who are remote and fixing their settings. Either resetting their Username and Password settings or fixing the PAP/CHAP protocol settings.
Is there a way to use the Powershell command ADDVPNConnection to create a script that would re-create the settings in one fell swoop?
Any help would be appreciated.
- Datiltroberts2 Mar 4, 2020 at 08:22pm
We have seen those same settings and we hear there may be a Meraki VPN Client or Cisco AnyConnect Client that is Meraki compatible in the near future, but that has also been ongoing for like 3 to 4yrs now. Once it comes out, should be a moot point on Microsponge changing your settings. I have seen the same issue though, seems to be mostly tied to Microsoft and the firewall flipping the network to public and effectively blocks like everything so you can't connect. Only way we have gotten it to work is when on that network, switch it from Public to Private, reboot the machine and possibly also the network router you are using and then it works, and yes you are sharing when connected initially to that network, but once on the VPN, tunneled into your network and secure again. Fingers X'd on the client coming out vs WinDoze client.
- Pimientospicehead-hu3x0 Apr 14, 2020 at 06:09pm
The DrayTek VPN client works for the Meraki, I hope Cisco comes out with their own soon.
- Jalapenobranchms Jan 21, 2021 at 10:04pm
I'm having nothing but trouble getting this to connect.
Using Windows 10 and Meraki MX64. Can you suggest a resolution?
