VPN Configuration Guide: Cisco Meraki


VPN Configuration Guide


Cisco Meraki
© 2017 equinux AG and equinux USA, Inc. All rights reserved.

Under copyright law, this manual may not be copied, in whole or in part,
without the written consent of equinux AG or equinux USA, Inc. Your rights
to the software are governed by the accompanying software license
agreement.

The equinux logo is a trademark of equinux AG and equinux USA, Inc.,
registered in the U.S. and other countries. Other product and company names
mentioned herein may be trademarks and/or registered trademarks of their
respective companies.

equinux shall have absolutely no liability for any direct or indirect, special or
other consequential damages in connection with the use of this document
or any change to the router in general, including without limitation, any lost
profits, business, or data, even if equinux has been advised of the possibility
of such damages.

Every effort has been made to ensure that the information in this manual is
accurate. equinux is not responsible for printing or clerical errors.

Revised 21 December 2016

www.equinux.com

Contents
Introduction
My VPN Gateway Configuration
Task 1 – Cisco Configuration
Task 2 – VPN Tracker Configuration
Task 3 – Test the VPN Connection
Appendix
Remote DNS Setup
Host to Everywhere

Introduction
This configuration guide will help you connect VPN Tracker to
your Cisco Meraki VPN Gateway.

Prerequisites

Your VPN Gateway

‣ Make sure you have installed the latest firmware updates on your Cisco
Meraki gateway, to ensure that you have all security updates.
‣ This guide is a supplement to the documentation included with your Cisco
device, so check the Cisco manual for additional setup information not
covered here.

Your Mac

‣ The configuration described in this guide requires VPN Tracker 365. Make
sure you have installed all available updates. The latest VPN Tracker updates
can be downloaded from http://www.vpntracker.com

Using the Configuration Guide

Cisco Configuration
This guide will walk you through setting up a VPN tunnel on your Meraki
gateway.

If you are setting up VPN on your Cisco for the first time, we
strongly recommend you keep to the setup proposed in this guide,
and make modifications only after you have tested the basic
setup.

VPN Tracker Configuration
In the second part of this guide, we’ll show you how to configure VPN Tracker
to easily connect to your newly created VPN.

Appendix
The remainder of the guide covers advanced setups, such as Remote DNS.

Conventions Used in This Document

Links to External Websites
Sometimes you will be able to find more information on external websites.
Clicking links to websites will open the website in your web browser:

http://equinux.com

Links to Other Parts of this Guide
A → Link will take you to another place in the configuration guide. Simply
click it if you are reading this guide on your computer.

My VPN Gateway Configuration
Throughout this guide, there are certain pieces of information
that are needed later on for configuring VPN Tracker. This
information is marked with red numbers to make it easier to
reference. You can print out this checklist to help keep track
of the various settings of your Cisco VPN gateway. Not all
settings are required for all setups, so don’t worry if some stay
empty.

IP Addresses

➊ Cisco WAN IP Address: . . .

or host name

➋ LAN Network: . . . / . . .

Authentication

➌ Pre-Shared Key:

➍ XAUTH Username:

➎ XAUTH Password:

Task 1 – Cisco Configuration
If you’re familiar with Ciscos and already have a working VPN
setup on your Cisco, you can skip the Cisco setup and use
Option A. If your Cisco is not yet set up, use Option B.
Regardless of which option you choose, this guide assumes that your
Cisco has Internet access and that a LAN network is configured.

Step 1 – WAN IP or Host Name

‣ Connect to your Meraki’s web interface.
‣ Go to Security appliance > Appliance Status.
‣ Write down the Hostname or WAN address

If your Cisco Meraki is reachable through a public host name,
write down that instead as ➊.

Step 2 – LAN Network

‣ Go to Security appliance > Route table
‣ Write down the Local LAN as ➋ on your → Configuration Checklist.

Step 2 – Enable VPN on your Cisco

‣ Go to Security appliance > Client VPN.
‣ Set “Client VPN Server” to “Enabled”
‣ Enter a “Client VPN subnet” and make a note of it as ➋
‣ Enter a “Secret” and make a note of it as ➌
‣ Click “Save”

Client VPN subnet: If you want to access your internal network
over VPN, enter that network range here, e.g. “192.168.12.0”

Step 3 – Add a VPN User
‣ Go to Security appliance > Client VPN
‣ Click “Add new user”
‣ Enter an Email address (username) ➍ and password ➎ for your user
‣ Select “Authorized > Yes”

Task 2 – VPN Tracker Configuration
From Task 1, your → Configuration Checklist will have all your
Cisco settings. We will now create a matching configuration
in VPN Tracker.

Step 1 – Add a Connection

‣ Open VPN Tracker.


‣ Click “Create a Connection” (or click the + button in the lower left
corner).
‣ Select “Cisco Meraki” from the list.
‣ Select your Cisco Meraki model (e.g. MX-Series).
‣ Click “Create”.

Step 2 – Configure the VPN Connection

‣ Click “Configure” and switch to the “Basic” tab


‣ VPN Gateway: Enter your Cisco’s public IP address or its host name ➊ from
your → Configuration Checklist.
‣ Network Configuration: Choose Host to Network
‣ Click “Done”

Task 3 – Test the VPN Connection

It’s time to go out!
You will not be able to test and use your VPN connection from within the
Cisco’s network. In order to test your connection, you will need to connect
from a different location.

For example, if you are setting up a VPN connection to your office, try it
out at home. If you are setting up a VPN connection to your home network,
try it from an Internet cafe, or go visit a friend.

Connect to your VPN
‣ Make sure that your Internet connection is working – open your Internet
browser and check that you can open http://www.equinux.com
‣ Open VPN Tracker.
‣ Click the On/Off slider for your connection.
‣ If you are using VPN Tracker for the first time with your current Internet
connection, it will test your connection. Wait for the test to complete.
‣ Depending on your setup, you will be prompted to enter your pre-shared
key ➍ and Extended Authentication (XAUTH) user name ➎ and password
➏. Optionally, check the box “Store in Keychain” to save the password in
your keychain so you are not asked for it again when connecting the next
time.

Connected!
Connecting may take a couple of seconds. If the On/Off button turns blue
that’s great – you’re connected!

Now is a great time to take a look at the VPN Tracker Manual. It shows you
how to use your newly established VPN and how to get the most out of it.

VPN on – Internet off?
If your Internet connection seems to be offline whenever you connect the
VPN, your Cisco might be configured to send all your Internet traffic
through the VPN, but you’re probably missing the right remote DNS setup
to make it work. Please refer to the chapters about “Remote DNS” and
“Host to Everywhere” connections for information on how to configure
remote DNS.

Troubleshooting
In case there’s a problem connecting, a yellow warning triangle will show up:

Click the yellow warning triangle to be taken to the log. The log will explain
exactly what the problem is. Follow the steps listed in the log.

Press Cmd-L to open the log in a new window. That way, you
can have the log side-by-side with your VPN configuration while
making changes to troubleshoot a problem.

In most cases, the advice in the log should be sufficient to resolve the issue.
However, VPNs are a complex topic and there might be trickier issues with
which you need additional help.

VPN Tracker Manual
The VPN Tracker Manual contains detailed troubleshooting advice.

Frequently Asked Questions (FAQs)
Answers to frequently asked questions can be found at
http://www.vpntracker.com/support

Technical Support
If you’re stuck, the technical support team at equinux is here to help. Contact
us via

http://www.vpntracker.com/support

Please include the following information with any request for support:

‣ A description of the problem and any troubleshooting steps that you have
already taken.
‣ A VPN Tracker Technical Support Report (Log > Technical Support Report).
‣ Cisco Meraki model and the firmware version running on it.
‣ Screenshots of the Client VPN settings on your Cisco.

A Technical Support Report contains the settings and logs
necessary for resolving technical problems. Confidential information
(e.g. passwords, private keys for certificates) is not included in a
Technical Support Report.

Appendix

Remote DNS Setup
VPN Tracker can use DNS servers on the remote network of
the VPN to look up host names of resources on the remote
network of the VPN.

Prerequisites
If you or your organization operate a DNS server on your Cisco’s network, VPN
Tracker can use it to look up the host names of internal resources (e.g. for
turning intranet.ny.example.com into the IP address 192.168.13.94).

Remote DNS is entirely optional for Host to Network connections. You can
always use IP addresses instead of host names, that’s just less convenient.

DNS Server
To set up remote DNS, you need to know the IP address(es) of the DNS
server(s) that you want to use.

My DNS Server: . . .

Domain
VPN Tracker can use the remote DNS server for all DNS lookups (All Domains)
or just for some domains (Search Domains). If you want VPN Tracker to use the
remote DNS servers only for some domains (e.g. everything ending in
“ny.example.com”), write down these domains here:

Search Domains:

Option A – Setup in VPN Tracker
Remote DNS can be set up in VPN Tracker without making any changes to
your Cisco.

‣ Click “Configure” and go to the “Basic” tab in VPN Tracker.
‣ Check the box “Use Remote DNS Server”.
‣ Uncheck the box “Receive DNS Settings from VPN Gateway”.
‣ DNS Servers: Enter your DNS server. To enter additional DNS servers, press
the green plus button.
‣ Search Domains: Enter the domains that you want this DNS server to be
used for. Can be left empty to use the remote DNS server for all DNS
lookups.
‣ Use DNS Server for: Choose “Search Domains” to only use the DNS server
for the domains listed above. Choose “All Domains” to always use this DNS
server when the VPN is connected.
‣ Use for reverse lookup of IP addresses in remote networks: Should be
checked unless your DNS server is incapable of reverse lookups.

Requests to a remote DNS server do not necessarily go through
the VPN. Which traffic is sent through the VPN is determined
solely by the VPN’s remote network(s) and topology.

If the remote DNS server is located on the remote network(s) of
the VPN (or if a Host to Everywhere connection is used),
requests to the remote DNS server will go through the VPN.
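
The Remote DNS behaviour described in this section, as an added example (not equinux or Cisco code): a small Python model that reports, for a host name, whether the lookup is handed to the remote DNS server and whether that query travels inside the VPN. The function names, the configuration dictionary, the DNS server address 192.168.13.10 and the remote network 192.168.13.0/24 are assumptions made for illustration.

```python
import ipaddress

# Constructed sample settings; only the search domain comes from the guide.
CFG = {
    "dns_server": "192.168.13.10",           # assumed internal DNS server
    "remote_networks": ["192.168.13.0/24"],  # assumed remote network of the VPN
    "search_domains": ["ny.example.com"],
    "use_for": "Search Domains",             # or "All Domains"
    "topology": "Host to Network",           # or "Host to Everywhere"
}

def uses_remote_dns(hostname, search_domains, use_for):
    """True if this lookup is handed to the remote DNS server."""
    # An empty Search Domains list means the server is used for everything.
    if use_for == "All Domains" or not search_domains:
        return True
    name = hostname.lower().rstrip(".")
    for domain in search_domains:
        suffix = domain.lower().strip(".")
        # Compare on label boundaries: "evilny.example.com" must not match.
        if name == suffix or name.endswith("." + suffix):
            return True
    return False

def dns_in_tunnel(dns_server, remote_networks, topology):
    """True if packets to the DNS server are routed through the VPN."""
    if topology == "Host to Everywhere":
        return True
    addr = ipaddress.ip_address(dns_server)
    return any(addr in ipaddress.ip_network(net) for net in remote_networks)

def lookup_path(hostname, cfg):
    """Describe which resolver answers and how the query travels."""
    if not uses_remote_dns(hostname, cfg["search_domains"], cfg["use_for"]):
        return "local resolver"
    if dns_in_tunnel(cfg["dns_server"], cfg["remote_networks"], cfg["topology"]):
        return "remote DNS via VPN"
    return "remote DNS outside VPN"  # internal names leave the tunnel: fix config

if __name__ == "__main__":
    outside = dict(CFG, dns_server="10.0.0.53")  # constructed: not in remote network
    for host in ("intranet.ny.example.com", "evilny.example.com", "www.example.org"):
        print(f"{host:26} {lookup_path(host, CFG):22} {lookup_path(host, outside)}")
```

A result of “remote DNS outside VPN” means internal host names are being sent to a server that is not covered by the VPN’s remote network(s), which is the case the first note above describes.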

Option B – Setup on the Cisco
You can have the Cisco distribute your DNS settings when using DHCP over
VPN.

‣ On your Cisco, go to “Security appliance > Client VPN”

‣ Under “DNS nameservers” choose “Specify nameservers”

‣ Enter your DNS server IP address(es)

Use these settings in VPN Tracker to receive your DNS settings from the Cisco:

Host to Everywhere
To send all Internet traffic through the VPN, you’ll need a
connection that uses a “Host to Everywhere” topology.

Switch to Host to Everywhere


VPN Tracker
In VPN Tracker, go to Basic > Network Configuration and switch the
Topology to “Host to Everywhere”.

If you check the Status tab in VPN Tracker, it should now display “Internet” to
the right of your VPN gateway, instead of the remote network.
