OS Client VPN Setup

Client VPN OS Configuration

This article outlines instructions to configure a client VPN connection on commonly used operating systems. For more information about client VPN, please refer to our Client VPN Overview documentation.

For troubleshooting, please refer to our Troubleshooting Client VPN documentation.

Android

Note: Support for L2TP/IPsec VPNs was deprecated on Android devices as of Android 12. Existing configurations on devices will still work, but there is no current way to set up a Client VPN connection on new devices without a pre-existing one.

To configure an Android device to connect to the client VPN, follow these steps:

  • Navigate to Settings > Wireless & Networks > VPN
  • Click the plus icon to add an additional VPN profile

  • Name: This can be anything you want to name the connection, for example, "Work VPN"

  • Type: select L2TP/IPSEC PSK

  • Server address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. The admin can find them in the dashboard under Security appliance > Monitor > Appliance status.

  • IPSec preshared key: Enter the preshared key that the admin created in Security appliance > Configure > Client VPN settings.

  • Click save

You will be prompted for user credentials when you connect.

Chrome OS

Chrome OS-based devices can be configured to connect to the client VPN feature on MX security appliances. This allows remote users to securely connect to the LAN. This article will cover how to configure the VPN connection on a Chrome OS device. For more information on how to set up the client VPN feature of the MX, or how to connect from other operating systems, please visit the Client VPN Overview documentation.

  1. If you haven't already, sign in to your Chromebook.
  2. Click the status area at the bottom of your screen where your account picture is located.
  3. Select Settings.
  4. In the Internet connection section, click Add connection.
  5. Select Add private network.
  6. In the box that appears, fill in the information below:
    1. Server hostname: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. The admin can find them in the dashboard under Security appliance > Monitor > Appliance status.
    2. Service name: This can be anything you want to name this connection, for example, "Work VPN"
    3. Provider type: Select L2TP/IPsec + Preshared key.
    4. Pre-shared key: Enter the shared secret that the admin created in Security appliance > Configure > Client VPN settings.
    5. Username: Credentials for connecting to VPN. If using Meraki authentication, this will be an e-mail address.
    6. Password: Credentials for connecting to VPN.
  7. Click Connect.

For more information regarding the configuration of VPN connections in Chrome OS, visit the Google Support page.

iOS

To configure an iOS device to connect to the client VPN, follow these steps:

  1. Navigate to Settings > General > VPN > Add VPN Configuration.
  2. Type: Set to L2TP.
  3. Description: This can be anything you want to name this connection, for example, "Work VPN".
  4. Server: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. The admin can find them in the dashboard under Security appliance > Monitor > Appliance status.
  5. Account: Enter the username.
  6. Password: Enter if desired. If the password is left blank, it will need to be entered each time the device attempts to connect to the client VPN.
  7. Secret: Enter the shared secret that the admin created in Security appliance > Configure > Client VPN settings.
  8. Ensure that Send All Traffic is set to on.
  9. Save the configuration.

macOS

Currently, only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
  • Machine authentication: Preshared keys (e.g. shared secret)

When using Meraki-hosted authentication, the VPN account/username setting on client devices (e.g. PC or Mac) is the user email address entered in the dashboard. 

The instructions below are tested on Mac OS 10.7.3 (Lion).

Open System Preferences > Network from the Mac applications menu. Click the "+" button to create a new service, select VPN as the interface type, and choose L2TP over IPsec from the pull-down menu.

  • Server Address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. The admin can find them in the dashboard under Security appliance > Monitor > Appliance status.
  • Account Name: Enter the account name of the user (based on AD, RADIUS, or Meraki cloud authentication).

Click Authentication Settings and provide the following information:

  • User Authentication > Password: User password (based on AD, RADIUS or Meraki cloud authentication).
  • Machine Authentication > Shared Secret: Enter the shared secret that the admin created in Security appliance > Configure > Client VPN settings.

Click OK to go back to the main VPN settings page, then click Advanced and enable the Send all traffic over VPN connection option.

The VPN connectivity will not be established if you don't enable the Send all traffic over VPN connection option.

Windows 7

Currently, only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
  • Machine authentication: Preshared keys (e.g. shared secret)

When using Meraki-hosted authentication, the VPN account/username setting on client devices (e.g. PC or Mac) is the user email address entered in the dashboard.

Open Start Menu > Control Panel, click on Network and Internet, click on View network status and tasks.

In the Set up a connection or network pop-up window, choose Connect to a workplace (set up a dial-up or VPN connection to your workplace).

Choose Use my Internet connection (VPN) in the Connect to a Workplace dialog window.

In the Connect to a Workplace dialog box, enter:

  • Internet address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. The admin can find them in the dashboard under Security appliance > Monitor > Appliance status.
  • Destination name: This can be anything you want to name this connection, for example, "Work VPN".

Choose Don't connect now; just set it up so that I can connect later.

Click Next. In the next dialog window, enter the user credentials, and click Create.

Close the VPN connection wizard.

Go to Network and Sharing Center and click Change Adapter Settings.

In the Network Connections window, right-click on the new VPN connection settings and choose Properties.

In the General tab, verify the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. The admin can find them in the dashboard under Security appliance > Monitor > Appliance status.

In the Options tab, uncheck Include Windows logon domain.

In the Security tab, choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec). Check Unencrypted password (PAP), and uncheck all other options.

Click on Advanced settings.

Despite the name "Unencrypted PAP," the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over the WAN or the LAN.

In the Advanced Properties dialog box, choose Use preshared key for authentication and enter the preshared key that the admin created in Security appliance > Configure > Client VPN settings. Click OK.

At the Network Connections window, right-click on the VPN connection and click Connect.

Verify your username and click Connect.

Windows 8

Currently, only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
  • Machine authentication: Preshared keys (a.k.a. shared secret)

When using Meraki-hosted authentication, the VPN account/username setting on client devices (e.g. PC or Mac) is the user email address entered in the dashboard.

Open Start Menu > Network and Sharing Center and click Settings.

In the Network and Sharing Center, click Set up a new connection or network.

In the Set Up a Connection or Network pop-up window, choose Connect to a workplace (Set up a dial-up or VPN connection to your workplace).

Choose Use my Internet connection (VPN) in the Connect to a Workplace dialog window.

In the Connect to a Workplace dialog box, enter:

  • Internet address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. The admin can find them in the dashboard under Security appliance > Monitor > Appliance status.
  • Destination name: This can be anything you want to name this connection, for example, "Work VPN".

Click Create.

Go back to Network and Sharing Center and click Change Adapter Settings.

In the Network Connections window, right-click on the VPN connection icon and choose Properties.

In the General tab, verify the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover. The admin can find them in the dashboard under Security appliance > Monitor > Appliance status.

In the Security tab, choose Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec). Check Unencrypted password (PAP) and uncheck all other options.

Click on Advanced settings.

Despite the name "Unencrypted PAP," the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over the WAN or the LAN.

In the Advanced Properties dialog box, choose Use preshared key for authentication and enter the preshared key that the admin created in Security appliance > Configure > Client VPN settings. Click OK.

Back at the Network Connections window, right-click on the VPN connection and click Connect / Disconnect.

Find your VPN profile and click Connect.

Enter your username and password. Click OK.

Windows 10

Currently, only the following authentication mechanisms are supported:

  • User authentication: Active Directory (AD), RADIUS, or Meraki-hosted authentication
  • Machine authentication: Preshared keys (e.g. shared secret)

When using Meraki-hosted authentication, the VPN account/username setting on client devices (e.g. PC or Mac) is the user email address entered in the dashboard.

Open Start Menu > Search "VPN" > Click Change virtual private networks (VPN)

From the VPN settings page, click Add a VPN connection.

In the Add a VPN connection dialog:

  • VPN provider: Set to Windows (built-in)
  • Connection name: This can be anything you want to name this connection, for example, "Work VPN"
  • Server name or address: Enter the hostname (e.g. .com) or the active WAN IP (e.g. XXX.XXX.XXX). Hostname is encouraged instead of active WAN IP because it is more reliable in cases of WAN failover; the admin can find them in the dashboard under Security appliance > Monitor > Appliance status
  • VPN type: Select L2TP/IPsec with preshared key
  • User name and Password: optional

Press Save.

After the VPN connection has been created, click Change adapter options under Related settings.

Right-click on VPN Connection from the list of adapters and click Properties.

In the Security tab, select Require encryption (disconnect if server declines) under Data encryption. Then, select Allow these protocols under Authentication. From the list of protocols, check Unencrypted password (PAP), and uncheck all other options.

Click on Advanced settings.

Despite the name "Unencrypted PAP", the client's password is sent encrypted over an IPsec tunnel between the client device and the MX. The password is fully secure and never sent in clear text over the WAN or the LAN.

In the Advanced Properties dialog box, choose "Use preshared key for authentication" and enter the preshared key that admin created in Security appliance > Configure > Client VPN settings.

Back at the Network Connections window, right-click on the VPN connection and click Connect / Disconnect.

Find your VPN profile and click Connect.

Enter your username and password.
Click OK.
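
The Windows 10 profile above can also be created from PowerShell with the built-in Add-VpnConnection cmdlet and then read back to confirm that it matches the settings chosen in the dialogs. This is an added example, not part of the original article; the connection name and the server address `vpn.example.com` are placeholders.

```powershell
# Added example: create the Windows 10 client VPN profile described above and
# confirm the stored settings. Name and server are placeholders (assumptions).
$Name   = 'Work VPN'
$Server = 'vpn.example.com'   # placeholder: use the MX hostname from the dashboard

# Prompt for the preshared key so it is not stored in the script or shell history.
$secure = Read-Host -Prompt 'Preshared key' -AsSecureString
$psk    = [System.Net.NetworkCredential]::new('', $secure).Password

# Same choices as the GUI steps: L2TP/IPsec with preshared key, PAP only,
# "Require encryption". -Force suppresses the confirmation prompt.
Add-VpnConnection -Name $Name -ServerAddress $Server `
    -TunnelType L2tp `
    -L2tpPsk $psk `
    -AuthenticationMethod Pap `
    -EncryptionLevel Required `
    -Force
Remove-Variable psk, secure

# Read the profile back and compare it with the settings this article calls for.
$vpn = Get-VpnConnection -Name $Name
$expected = [ordered]@{
    TunnelType           = 'L2tp'
    L2tpIPsecAuth        = 'Psk'
    EncryptionLevel      = 'Required'
    AuthenticationMethod = 'Pap'
}
$drift = foreach ($key in $expected.Keys) {
    # AuthenticationMethod is a list; join it so extra protocols show up as drift.
    $actual = ($vpn.$key | ForEach-Object { "$_" }) -join ','
    if ($actual -ne $expected[$key]) {
        [pscustomobject]@{ Setting = $key; Expected = $expected[$key]; Actual = $actual }
    }
}
if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning "Profile '$Name' does not match the documented settings."
} else {
    Write-Output "Profile '$Name' matches: L2TP/IPsec, preshared key, PAP only, encryption required."
}
```

The read-back half can be run on its own against an existing profile to check a device that was configured by hand.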
