I should specify at the outset that this tutorial is designed for the “Meraki Cloud” authentication type with Client VPN configuration from Meraki Dashboard. This article assumes that you already have Client VPN configured in your dashboard and have verified that it’s working, ideally using a different OS’ that’s better supported with Meraki. This Meraki configuration page will be helpful with configuring Windows, macOS, Android, and IOS clients.
If you scroll to the very bottom of that page, you’ll see the following note about Linux.
Since Client VPN uses the L2TP over IPsec standard, any Linux client that properly supports this standard should suffice. Please note that newer versions of Ubuntu do not ship with a VPN client that supports L2TP/IP, and will therefore require a 3rd party VPN client that supports the protocol.
Note: The xl2tp package does not send user credentials properly to the MX when using Meraki Cloud Controller authentication, and this causes the authentication request to fail. Active Directory or RADIUS authentication can be used instead for successful authentication.
This may lead you to believe that you need to set up a separate authentication type (other than Meraki Cloud) to make this work. In a business you should probably already be doing that, but I use my MX appliance at home and I’m the only one who accesses it. Setting up 802.1x or AD just to authenticate would be a pain. So what to do?
Installing the Required Packages
First, we’ll need to install some additional packages to make this work. These are fairly small packages and install very quickly.
sudo apt-get install network-manager-l2tp-gnome network-manager-strongswan libstrongswan-standard-plugins libstrongswan-extra-plugins
At this point you’ll want to reboot. You could try to simply restart Network Manager services, but to rule out headaches, I just restarted.
Configure VPN Connection via Network Manager
In Mint, navigate to Menu > type the word Network > choose Network (not Network Connections) from the results.
Press the + to add Layer 2 Tunneling Protocol (L2TP).
Click Identity.
Name: This doesn’t matter, you can add whatever label you’d like.
Gateway: Meraki MX public DNS name from your Meraki Dashboard. To find this, navigate to Security Appliance > Monitor > Appliance Status – HOSTNAME on the left panel. This will be a unique value on the @dynamic-m.com domain.
Username: Meraki cloud login from Security Appliance > Configure > Client VPN > Email (Username) field.
Password: Choose to store or leave blank to enter each time. If you want to store it, click icon within field to choose which option you’d like.
NT Domain: Leave this blank.
Press the IPSec Settings button.
Check the box next to Enable IPSec tunnel to L2TP host.
Gateway ID: Leave blank.
Pre-Shared Key: PSK as configured in your Meraki Dashboard – Security Appliance > Configure > Client VPN – Secret field.
Phase 1: Type 3des-sha1-modp1024 (case sensitive)
Phase 2: Type 3des-sha1 (case sensitive)
Click Ok to accept the changes.
Press the PPP Settings button.
Keep PAP checked, uncheck all other authentications methods (CHAP, MSCHAP, MSCHAPv2, EAP).
Leave rest at defaults and click Ok to accept the changes.
That’s it! Click Apply and Ok to close the connection creation dialog and you should be able to enable the VPN connection with the switch and connect to your MX appliance. If it doesn’t work, go back and check to ensure that you’ve entered the correct values for the pre-shared secret key, as well as your username and password.
Troubleshooting
If something doesn’t work, or a package or service gets updated and the connection stops working, there are two very powerful resources you can use to view very detailed connection information for the entire VPN connection process, including the Phase 1 and Phase 2 setup procedures between the client and the MX and where the connection succeeds or fails.
On the Mint machine, you can run the following command, and then attempt to connect to the VPN.
sudo journalctl -f
If for whatever reason you need help and have to reach out to either the community or to Meraki, the information that comes out of that log will be invaluable in getting your issue resolved.
The second resource is the Event Log on your Meraki dashboard. This logs all details related to VPN connections and can also be very helpful. To access it, go to Meraki Dashboard > Network Wide > Monitor > Event Log.
If those methods don’t yield enough information, remember that you can do packet captures from the Meraki dashboard, and also packet capture on the Linux side using a tool like Wireshark.
Update: I Ran into an Issue After Rebooting
After rebooting I ran into an issue where the VPN would no longer connect. It would say “Connecting…” but would fail after 30 seconds or so
Phase 1 would establish, but phase 2 would fail. The Meraki log wasn’t much help (note that the chronological order of this output is read bottom-to-top):
Non-Meraki / Client VPN negotiation msg: failed to pre-process ph2 packet (side: 1, status: 1). Non-Meraki / Client VPN negotiation msg: failed to get proposal for responder. Non-Meraki / Client VPN negotiation msg: no policy found: 192.168.162.174/32[0] 75.128.106.171/32[1701] proto=any dir=in Non-Meraki / Client VPN negotiation msg: ISAKMP-SA established 75.128.106.171[4500]-199.7.247.7[4500] spi:244e10084ea3b422:edfc9af6b8c2d84d Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
I checked the journalctl output via the command I described above. Within the journalctl output I found the following:
Aug 27 11:40:37 [hostname] nm-l2tp-service[5889]: Check port 1701 Aug 27 11:40:37 [hostname] nm-l2tp-service[5889]: Can't bind to port 1701
What I found was that a process called xl2tpd was running and using port 1701 even though there were no active VPN connections. I issued this command to stop that service:
sudo systemctl stop xl2tpd
I was then able to connect to the VPN via the Network Manager UI normally.
Thanks to Steve Swiss in the comments for pointing out that the xl2tpd service can be disabled with the following command:
sudo systemctl disable xl2tpd
Conclusion
This process shouldn’t be as difficult as it was to find a working how-to. I’m sure that since only around 1.5% of desktop users use Linux, Meraki themselves has little incentive to keep up with methods on even the most popular distributions. When researching how to do this via the native Network Manager GUI, I ran in to several instances where people who were trying to figure this out basically just gave up and either used other methods to VPN (like OpenVPN), resorted to text-based scripts and config files, or just threw their hands up. I hope this article helps someone. Good luck!
If you enjoyed this tutorial and would like to see more, please feel free to share this article on social media, comment below letting me know what else you’d like to see, and follow me on Twitter @JROlmstead.
Thank your very much sir! It worked like a charm!
Glad I could help!
This is great, thank you very much! BTW, to eliminate having to manually stop xl2tpd each boot, you can just disable the service with `sudo systemctl disable xl2tpd` and you won’t have to stop it each boot. The Meraki VPN does not use that service at all.
Great info, thank you!
Exactly what I needed, worked perfectly. Excellent walkthrough.
This worked on Ubuntu 18.04.2 LTS. Thank you very much. This has been a real struggle for me. I sent this to a friend at Cisco to see if they could add this process to official documentation and get it supported.
Thanks! Didn’t need the extra plugins for Ubuntu 19.04 and I then scratched my head in Linux Mint 19.04 when the same procedure didn’t work there.
Thank your very much. It worked like a charm between my Linux Mint 19.1 notebook and MikroTik router.
Thanks! WIth your help I was able to set VPN connection on Ubuntu 18.04 with i3wm!
For anyone experiencing “PAP authentication failed” error in journalctl: make sure your Linux updates did not leave behind *.secrets file messing up with the auth. In my case, running sudo rm -f /etc/ipsec.d/nm-l2tp-ipsec*.secrets did the trick and connected successfully.
if looking to configue it using the CLI these lines worked for me
for meraki (working jun 2020)
$nmcli connection add connection.id [vpnName] con-name [vpnName] type VPN vpn-type l2tp ifname — connection.autoconnect no ipv4.method auto vpn.data “gateway = [ipv4/domain], ipsec-enabled = yes, ipsec-psk = [PSK], ipsec-ike = 3des-sha1-modp1024, ipsec-esp = 3des-sha1, mru = 1400, mtu = 1400, password-flags = 0, refuse-chap = yes, refuse-mschap = yes, refuse-mschapv2 = yes, refuse-eap = yes, user = [user], password-flags = 1”
To show generated file:
$ sudo nmcli c show id [vpnName]
To start the VPN from cli:
$ sudo nmcli c up [vpnName] –ask
To stop the VPN from cli:
$ sudo nmcli c down [vpnName]
To change other settings
$ sudo /etc/NetworkManager/system-connections/[vpnName]
Credits to
pajafumo
Lkabo
also ran another issue where after trying to create the config using the CLI and failing, I was stuck in phase 1, from meraki’s event log I saw the “msg: invalid DH group 19.” I had to erase all of the following generated files that didn’t get deleted for one reason, From journarctl -f I was able to see an unknown error
/etc/ipsec.d/nm-l2tp-ipsec-33a76ea6-0d47-46a5-8310-01a80de375db.secrets
/etc/ipsec.d/nm-l2tp-ipsec-63c18717-e10e-4777-ba96-60bf94bb42c8.secrets
/etc/ipsec.d/nm-l2tp-ipsec-8c0ee4b9-835c-4872-874f-a39d33fe68bd.secrets
if you want to delete the config that you have had created through cli
to erase
nmcli connection delete [vpnName]