Configuring Meraki Client VPN on Linux Mint 19 (Network Manager)
I should specify at the outset that this tutorial is designed for the “Meraki Cloud” authentication type with Client VPN configuration from Meraki Dashboard. This article assumes that you already have Client VPN configured in your dashboard and have verified that it’s working, ideally using a different OS’ that’s better supported with Meraki. This Meraki configuration page will be helpful with configuring Windows, macOS, Android, and IOS clients.
If you scroll to the very bottom of that page, you’ll see the following note about Linux.
Since Client VPN uses the L2TP over IPsec standard, any Linux client that properly supports this standard should suffice. Please note that newer versions of Ubuntu do not ship with a VPN client that supports L2TP/IP, and will therefore require a 3rd party VPN client that supports the protocol.
Note: The xl2tp package does not send user credentials properly to the MX when using Meraki Cloud Controller authentication, and this causes the authentication request to fail. Active Directory or RADIUS authentication can be used instead for successful authentication.
This may lead you to believe that you need to set up a separate authentication type (other than Meraki Cloud) to make this work. In a business you should probably already be doing that, but I use my MX appliance at home and I’m the only one who accesses it. Setting up 802.1x or AD just to authenticate would be a pain. So what to do?
Installing the Required Packages
First, we’ll need to install some additional packages to make this work. These are fairly small packages and install very quickly.
sudo apt-get install network-manager-l2tp-gnome network-manager-strongswan libstrongswan-standard-plugins libstrongswan-extra-plugins
At this point you’ll want to reboot. You could try to simply restart Network Manager services, but to rule out headaches, I just restarted.
Configure VPN Connection via Network Manager
In Mint, navigate to Menu > type the word Network > choose Network (not Network Connections) from the results.
Press the + to add Layer 2 Tunneling Protocol (L2TP).
Name: This doesn’t matter, you can add whatever label you’d like.
Gateway: Meraki MX public DNS name from your Meraki Dashboard. To find this, navigate to Security Appliance > Monitor > Appliance Status – HOSTNAME on the left panel. This will be a unique value on the @dynamic-m.com domain.
Username: Meraki cloud login from Security Appliance > Configure > Client VPN > Email (Username) field.
Password: Choose to store or leave blank to enter each time. If you want to store it, click icon within field to choose which option you’d like.
NT Domain: Leave this blank.
Press the IPSec Settings button.
Check the box next to Enable IPSec tunnel to L2TP host.
Gateway ID: Leave blank.
Pre-Shared Key: PSK as configured in your Meraki Dashboard – Security Appliance > Configure > Client VPN – Secret field.
Phase 1: Type 3des-sha1-modp1024 (case sensitive)
Phase 2: Type 3des-sha1 (case sensitive)
Click Ok to accept the changes.
Press the PPP Settings button.
Keep PAP checked, uncheck all other authentications methods (CHAP, MSCHAP, MSCHAPv2, EAP).
Leave rest at defaults and click Ok to accept the changes.
That’s it! Click Apply and Ok to close the connection creation dialog and you should be able to enable the VPN connection with the switch and connect to your MX appliance. If it doesn’t work, go back and check to ensure that you’ve entered the correct values for the pre-shared secret key, as well as your username and password.
If something doesn’t work, or a package or service gets updated and the connection stops working, there are two very powerful resources you can use to view very detailed connection information for the entire VPN connection process, including the Phase 1 and Phase 2 setup procedures between the client and the MX and where the connection succeeds or fails.
On the Mint machine, you can run the following command, and then attempt to connect to the VPN.
sudo journalctl -f
If for whatever reason you need help and have to reach out to either the community or to Meraki, the information that comes out of that log will be invaluable in getting your issue resolved.
The second resource is the Event Log on your Meraki dashboard. This logs all details related to VPN connections and can also be very helpful. To access it, go to Meraki Dashboard > Network Wide > Monitor > Event Log.
If those methods don’t yield enough information, remember that you can do packet captures from the Meraki dashboard, and also packet capture on the Linux side using a tool like Wireshark.
Update: I Ran into an Issue After Rebooting
After rebooting I ran into an issue where the VPN would no longer connect. It would say “Connecting…” but would fail after 30 seconds or so
Phase 1 would establish, but phase 2 would fail. The Meraki log wasn’t much help (note that the chronological order of this output is read bottom-to-top):
Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1). Non-Meraki / Client VPN negotiation msg: failed to get proposal for responder. Non-Meraki / Client VPN negotiation msg: no policy found: 192.168.162.174/32 22.214.171.124/32 proto=any dir=in Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established 126.96.36.199-188.8.131.52 spi:244e10084ea3b422:edfc9af6b8c2d84d Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
I checked the journalctl output via the command I described above. Within the journalctl output I found the following:
Aug 27 11:40:37 [hostname] nm-l2tp-service: Check port 1701 Aug 27 11:40:37 [hostname] nm-l2tp-service: Can't bind to port 1701
What I found was that a process called xl2tpd was running and using port 1701 even though there were no active VPN connections. I issued this command to stop that service:
sudo systemctl stop xl2tpd
I was then able to connect to the VPN via the Network Manager UI normally.
This process shouldn’t be as difficult as it was to find a working how-to. I’m sure that since only around 1.5% of desktop users use Linux, Meraki themselves has little incentive to keep up with methods on even the most popular distributions. When researching how to do this via the native Network Manager GUI, I ran in to several instances where people who were trying to figure this out basically just gave up and either used other methods to VPN (like OpenVPN), resorted to text-based scripts and config files, or just threw their hands up. I hope this article helps someone. Good luck!