Dec 262017
 

We recently had the need to establish a Site to Site VPN connection with our Meraki MX65w security appliance.  Meraki security appliances have the option to establish a Site to Site VPN connection to other security appliances as well as other third-party routers.  In our scenario, we successfully configured a connection between our security appliance and a Cisco RV325.  Configuring the Site to Site VPN on the security appliance is well documented by Meraki.  This documentation can be found in the link below.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings

Unfortunately, there is no documentation with configuring this connection specifically with a Cisco RV325.  Our initial attempts were unsuccessful and upon examining the logs we found we kept receiving the same error message “phase 1 failed due to time up.”  Upon researching into this error, we stumbled upon documentation from Meraki entitled “Troubleshooting Site to Site VPN Connections with Non-Meraki Peers” (link below).

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Troubleshooting_Non-Meraki_Site-to-site_VPN_Peers

This article had a description of the error messages and a proposed solution.  Unfortunately for us, the solution provided for our problem was generic and not very useful.  As a result, it forced us to escalate this issue with Meraki support and do a scheduled call.  Meraki support had access to our cloud configuration and could troubleshoot the issue by examining logs and performing a packet capture on the inbound traffic to our MX65w.  The support was very useful and we had the issue resolved very promptly.

Below are our settings for a successful Site to Site VPN connection between these two devices.

The Meraki Mx65w provides the ability to pass multiple subnets over the VPN which can be configured with the Use VPN yes/no drop down menu.  In our scenario, we are only passing through one subnet.

By default, both devices allow all traffic over the VPN unless configured otherwise.  Meraki does not allow the configuration of inbound firewall rules over the VPN and allows all traffic.  Hopefully this feature will be allowed in the future as sometimes you might not have access to both devices and only want to allow certain inbound traffic through the VPN.  With the current inbound allow all rule inbound rules would have to be done on all clients.

 Posted by at 9:54 am
May 122017
 

We recently replaced our existing router with a Meraki MX65w Security Appliance.  While Meraki does have multi-factor authentication to log into the cloud controller, we were disappointed to find out that they do not have multi-factor authentication for client VPN.  However, there are third-party solutions that can be used to provide multi-factor authentication for client VPN.  These third-party solutions can be found on Meraki’s website below.

https://documentation.meraki.com/MX-Z/Client_VPN/Using_Two-Factor_Auth_with_Client_VPN

We chose to use Windows Azure Multi-Factor Authentication (Azure MFA) Server.  The Azure MFA Server is installed on a Windows 2012 Server acting as a Domain Controller.  Unfortunately, the set-up and configuration of Azure MFA with Meraki Security Appliance is not well documented.  Below are some useful tips from our experience with setting this up.

  • By default, the Client VPN timeout on the Meraki Security Appliances is 15 seconds. For there to be enough time for the authentication to complete this must be extended.  To extend this you will have to open a support case via the Meraki dashboard and ask to have it extended.  Azure recommends this being at least 60 seconds.
  • Logging is very important. Both the Meraki Security Appliance and the Azure MFA server have the capability to configure syslogs.  This is very useful as it shows the communication between the two devices and can help pinpoint where the issue lies.  Below is a copy of our logs once we had this set-up properly.

  • Be persistent and know when to walk away and take a break.

Hope these tips help!

 Posted by at 3:52 pm