Meraki Client VPN – PowerShell Deployment

Below you will find a PowerShell script I have previously used to deploy a Meraki Client VPN L2TP connection. It should work for any L2TP/IPsec connection that uses a pre-shared key and PAP user authentication, which is what the script configures.

Steps on how to configure Client VPN on the MX appliance and manual client deployment can be found within the Meraki documentation https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview

Once your appliance is configured you will need to change the five variables at the top of the script. Note that the script contains the Client VPN shared secret in plain text, so restrict read access to wherever you store or distribute it (for example the deployment share or GPO startup script folder); anyone who can read the script can join the VPN with valid user credentials.

$PresharedKeyPrimary – Your Client VPN “Shared secret”, found under Security & SD-WAN => Client VPN on Meraki

$ServerAddressPrimary – Your MX appliance’s external IP address or DNS name, found under Security & SD-WAN => Appliance Status => Uplink on Meraki

$ConnectionNamePrimary – The connection name that will be clicked on the client when connecting.

$DNSSuffix – Your internal network DNS suffix, i.e. your domain name. Found by running ipconfig /all on a domain-joined computer and reading the Primary Dns Suffix line.

$ClientVPNIPRange – The script removes and re-adds the connection if it already exists, but a connection cannot be removed while it is in use, so this variable is used to check whether any of the client’s current IP addresses fall within the range issued by your Meraki Client VPN (Security & SD-WAN => Client VPN => Subnet). It is a wildcard string match, not a subnet match: if your Client VPN Subnet is set to 10.65.0.0/24 on Meraki, use “10.65.0.*” in the script to match any IP address starting with 10.65.0. For a subnet that does not fall on an octet boundary (a /23 or /25, for example) the wildcard will not line up exactly with the subnet, so pick the pattern with that in mind.

$PresharedKeyPrimary = "Shared Secret" # Your Client VPN Shared Secret (stored in plain text in this script)
$ServerAddressPrimary = "your mx" # Your MX external IP or DNS name
$ConnectionNamePrimary = "Meraki VPN" # The name of the VPN connection that will appear on the client
$DNSSuffix = "internal dns suffix" # mydomain.com for example
$ClientVPNIPRange = "10.65.0.*" # A wildcard (*) match for the client IP issued by the Meraki Client VPN

# Both Add-VpnConnection -AllUserConnection and the HKLM registry write below require an elevated (administrator) session

# Check the client's current IP addresses to make sure we are not already connected to the network issued by Meraki VPN
$AreWeConnected = Get-NetIPAddress | Where-Object { $_.IPAddress -like $ClientVPNIPRange }

if ($AreWeConnected)
{
	# Already connected: an active connection cannot be removed, so exit with a distinct code for the deployment tool to report
	exit 200
} else {

	# Remove the connection if it already exists (Remove-VpnConnection throws if it does not, hence the try/catch)
	try
	{
		Remove-VpnConnection -Name $ConnectionNamePrimary -AllUserConnection -Force -ErrorAction Stop
	}
	catch
	{
		Write-Host "The connection $ConnectionNamePrimary did not already exist"
	}

	# Add the connection. Meraki Client VPN is L2TP over IPsec with a pre-shared key and PAP user authentication;
	# PAP sends the user credentials in clear text, but only inside the IPsec tunnel.
	# -SplitTunneling means only the Client VPN subnet is routed over the tunnel; add other internal subnets with Add-VpnConnectionRoute.
	Add-VpnConnection -Name $ConnectionNamePrimary -ServerAddress $ServerAddressPrimary -AllUserConnection -TunnelType L2tp -L2tpPsk $PresharedKeyPrimary -IdleDisconnectSeconds 14400 -AuthenticationMethod Pap -SplitTunneling -DnsSuffix $DNSSuffix -Force

	# AssumeUDPEncapsulationContextOnSendRule = 2 lets Windows establish the IPsec security association when the client and/or the MX sit behind NAT.
	# The client must be rebooted before this value takes effect.
	#  https://documentation.meraki.com/MX/Client_VPN/Guided_Client_VPN_Troubleshooting
	$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
	$name = "AssumeUDPEncapsulationContextOnSendRule"
	$value = 2

	# Create the key if it is missing, then create or overwrite the DWORD value
	If (!(Test-Path $registryPath))
	{
		New-Item -Path $registryPath -Force | Out-Null
	}
	New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null

	exit 0
}
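The deployment script does not verify its own result, so here is an added post-deployment check, written for this page and not part of the original script or of Meraki's documentation. It reads the connection back with Get-VpnConnection, confirms the settings the script above is meant to set, checks the NAT-T registry value, and, because the connection is split-tunnel, adds static routes for any further internal subnets. The variable values are the same placeholders as in the script above, and the 10.65.1.0/24 prefix is a hypothetical extra subnet behind the MX; replace both with your own.

```powershell
# Added post-deployment check (example, not part of the original deployment script).
# Assumes the same placeholder values as the deployment script above; $ExtraRoutes is a
# hypothetical list of internal subnets behind the MX that are not the Client VPN subnet.
$ConnectionNamePrimary = "Meraki VPN"
$ServerAddressPrimary  = "your mx"
$DNSSuffix             = "internal dns suffix"
$ExtraRoutes           = @("10.65.1.0/24")   # hypothetical internal subnets to route over the tunnel

$problems = @()

# 1. Does the all-user connection exist with the settings the deployment script sets?
$vpn = Get-VpnConnection -Name $ConnectionNamePrimary -AllUserConnection -ErrorAction SilentlyContinue
if (-not $vpn) {
	$problems += "Connection '$ConnectionNamePrimary' not found in the all-user phonebook"
} else {
	if ($vpn.ServerAddress -ne $ServerAddressPrimary) { $problems += "ServerAddress is '$($vpn.ServerAddress)', expected '$ServerAddressPrimary'" }
	if ($vpn.TunnelType -ne "L2tp")                   { $problems += "TunnelType is '$($vpn.TunnelType)', expected L2tp" }
	if ($vpn.L2tpIPsecAuth -ne "Psk")                 { $problems += "L2tpIPsecAuth is '$($vpn.L2tpIPsecAuth)', expected Psk" }
	if ("Pap" -notin $vpn.AuthenticationMethod)       { $problems += "AuthenticationMethod does not include Pap (Meraki Client VPN requires PAP)" }
	if (-not $vpn.SplitTunneling)                     { $problems += "SplitTunneling is off" }
	if ($vpn.DnsSuffix -ne $DNSSuffix)                { $problems += "DnsSuffix is '$($vpn.DnsSuffix)', expected '$DNSSuffix'" }
}

# 2. Is the NAT-T registry value present and set to 2? (Takes effect only after a reboot.)
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
$reg = Get-ItemProperty -Path $registryPath -Name AssumeUDPEncapsulationContextOnSendRule -ErrorAction SilentlyContinue
if (-not $reg -or $reg.AssumeUDPEncapsulationContextOnSendRule -ne 2) {
	$problems += "AssumeUDPEncapsulationContextOnSendRule is not set to 2 under $registryPath"
}

# 3. With split tunneling only the Client VPN subnet is routed through the tunnel, so add
#    static routes on the connection for any other internal subnets that are not there yet.
if ($vpn) {
	$existing = Get-VpnConnectionRoute -ConnectionName $ConnectionNamePrimary -AllUserConnection -ErrorAction SilentlyContinue
	foreach ($prefix in $ExtraRoutes) {
		if ($existing.DestinationPrefix -notcontains $prefix) {
			Add-VpnConnectionRoute -ConnectionName $ConnectionNamePrimary -DestinationPrefix $prefix -AllUserConnection
			Write-Host "Added route $prefix to '$ConnectionNamePrimary'"
		}
	}
}

if ($problems) {
	$problems | ForEach-Object { Write-Warning $_ }
	exit 1
} else {
	Write-Host "Client VPN '$ConnectionNamePrimary' is deployed as expected"
	exit 0
}
```

Run it in an elevated session after the deployment script (and after the reboot the registry change needs). It exits 1 and prints a warning for every setting that does not match, which makes it usable as a compliance or detection check in the same deployment tool that ran the script.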
