Can't get Client VPN working on GX50HW-US

GC1
Here to help

I have a GX50HW-US and have tried a number of times to get the VPN working. While I've read the "Troubleshooting Client VPN" article, it doesn't seem to relate to the GX50HW-US, just the MX.

My GX50HW is not behind a firewall and my iOS app is up to date. Does anyone have step-by-step instructions (and perhaps any additional tips) for setting up the GX50HW?

I contacted support about a year ago, and after back and forth with them ("Please send a screenshot of the version of your app", wait 3 days for a response, then "are you behind a firewall?", wait 3 days, etc.), I finally gave up.

7 Replies
BrandonS
Kind of a big deal

It sounds like you were referring to the wrong doc if it mentioned MX. This is the correct one: https://documentation.meraki.com/Go/Meraki_Go_-_Client_VPN_Setup

- Ex community all-star (⌐⊙_⊙)

Thanks for the link. In the instructions, there are two items that are not addressed: what, if anything, needs to be done with the Subnet? It's filled in with some numbers, but no clue if those need to be changed and, if so, to what.

Also, the DNS provider is not discussed. On my Windows computer, going to "Settings" | "Network & internet" then "Properties", I see my DNS server is 192.168.1.1, which happens to be the address of the GX50HW. So I (and I assume many other users) should select "Custom" and enter that IP rather than Google or OpenDNS? Also, in selecting Custom DNS, there are fields for two IPs: should the same info be entered into both fields? When I tried entering then saving both IPs as the same or different IPs, I get an error: "Each element in 'addresses' must be a valid IP address formatted string."

Xydocq
A model citizen

Hello @GC1

 

What Subnet are you talking about? A screenshot would be helpful.

The thing with DNS: every device that is capable of connecting to the internet has DNS built in and can act as a DNS server.

From my understanding, Meraki Go's DNS server is picked by the GX device when you activate a security license, since it is DNS-based blocking.

If you set the connection type to DHCP on the WAN port, the GX device will pick the DNS servers of your ISP. If you set it to Static IP, you can enter any DNS server you want.

For LAN, the GX device will allow you to set a specific DNS server to be used by devices connecting to any VLAN.

If you choose Upstream DNS, it will be the IP of the GX device that is forwarded to the clients on the VLAN. So the GX will act as server, and the GX will ask the server specified in the WAN settings if it isn't able to answer the request by itself.

I use Custom DNS.

(screenshot: dns.png)

The IP 10.10.2.2 points to my private DNS server. While every DNS server in the world points to my public IP when I want to access my own site, I needed a DNS that will point to a local IP when I want to access my site from my LAN. I have one public IP and loopback doesn't work. Hairpinning isn't available on the GX, so it was the only way to make it work.

The Secondary DNS Server is my GX.

A valid IP address is xxx.xxx.xxx.xxx (the x stands for a number).

If you don't believe that what I said about every device being able to be a DNS server is true: on a Windows PC you have a file called hosts. That's kinda the way to tell your computer the A-records of websites. The hosts file is always the first place a Windows PC tries to find a DNS record. If nothing can be found there, it will ask the next known DNS server.

If you want to block google.com on your Windows PC, all you have to do is add this line to the hosts file: google.com 127.0.0.1
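The lookup order described in the post above (hosts file first, then the GX acting as Upstream DNS, which forwards anything it cannot answer to the server configured on its WAN side) modelled in Python. This is an added example, not code from the original post or from Meraki Go; every hostname and address in it is constructed, and the parser follows the standard hosts-file syntax of IP address first, then hostname. It also shows the split-horizon trick the poster describes: the same name resolves to a local address from the LAN and to the public address from outside.

```python
from typing import Dict, Optional, Tuple

# Constructed hosts-file text for the example. On Windows the real file is
# %SystemRoot%\System32\drivers\etc\hosts; each line is "IP  hostname [aliases]".
SAMPLE_HOSTS = """
# lines starting with '#' are comments
127.0.0.1    localhost
127.0.0.1    blocked.example        # sinkhole: the name resolves to the PC itself
10.10.2.2    mysite.example         # local address for a site that is public elsewhere
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file syntax into {hostname: ip}. The first entry for a name
    wins, which is how the OS resolver treats duplicate lines."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


class Resolver:
    """A name server with its own records and an optional upstream to forward to.
    Chaining instances models: hosts file -> GX upstream DNS -> public DNS."""

    def __init__(self, label: str, records: Dict[str, str],
                 upstream: Optional["Resolver"] = None):
        self.label = label
        self.records = {k.lower(): v for k, v in records.items()}
        self.upstream = upstream

    def resolve(self, hostname: str) -> Optional[Tuple[str, str]]:
        """Return (who_answered, ip), or None if nobody in the chain knows the name."""
        name = hostname.lower().rstrip(".")
        if name in self.records:
            return (self.label, self.records[name])
        if self.upstream is not None:
            return self.upstream.resolve(name)
        return None


def build_lan_chain() -> Resolver:
    """The chain as seen from a PC on the LAN. All addresses are constructed
    (documentation ranges), not anyone's real servers."""
    public_dns = Resolver("public DNS", {
        "mysite.example": "203.0.113.10",  # the site's public address
        "www.example": "198.51.100.7",
    })
    # The GX holds no records of its own in Upstream DNS mode; it only forwards.
    gx_upstream = Resolver("GX upstream DNS", {}, upstream=public_dns)
    return Resolver("hosts file", parse_hosts(SAMPLE_HOSTS), upstream=gx_upstream)


if __name__ == "__main__":
    chain = build_lan_chain()
    for host in ("mysite.example", "www.example", "blocked.example", "nothing.example"):
        print(f"{host:18} -> {chain.resolve(host)}")
```

From the LAN, `mysite.example` is answered by the hosts file with the local 10.10.2.2, while `www.example` passes through the GX to the public server; a name present nowhere in the chain returns None, which is the resolver's NXDOMAIN equivalent.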

GC1
Here to help

Hi Xydocq - thanks for all the information. I'm glad you sent a screenshot, as my UI on both the iPhone and browser doesn't match what you have. Selecting a DNS Provider is a popup, not the selections that you have. (screenshot: gx50.jpg) Not sure why your GX50 would have a different interface than mine - I have the latest version of the app installed on my iPhone. Frustrating.

Xydocq
A model citizen

Hi @GC1

The explanation is easy: I don't own a GX50. My screenshot was from a VLAN on my GX20.

But your screenshot helped a lot to understand your problem.

In general there are two types of VPN connections: the 1st is site-to-site and the 2nd is client-to-server.

From your screenshot, I assume you are trying to set up a client-to-server connection.

Here are the few things I would do first:

Please keep in mind it doesn't have to be like that for you.

1. Check your local VLANs

-> Default VLAN 1  192.168.1.0/24

-> MyNetwork VLAN 10 192.168.10.0/24

-> Guests VLAN 100 192.168.100.0/26

2. You don't want to set the same subnet for your client VPN as shown on the local page. I would choose 192.168.11.0.

Depending on how many connections you plan to allow, limit the subnet size: /24 will give you 253 addresses, /26 only 61 and /29 only 5 possible addresses.

3. DNS provider can be Google or any other. In my understanding it is not relevant for the VPN connection.

4. Where is the VPN server located? Is it behind a firewall or is it directly connected to the internet?

If it is directly connected, all ports are open to the internet. They are "open", or better said, listening. If a legit request is sent to a port it will be accepted, otherwise it will be dropped.

If it sits behind a firewall, you'll have to forward ports UDP 500, UDP 1701 and UDP 4500 to the GX50.

5. Add the user or users you want to allow to access over VPN.

There are some reporting the user has to be an Admin to make it work.

8 characters for a shared secret is a joke imho. Make it at least 20+ characters long, use numbers, upper- and lowercase letters and punctuation, make it as complicated as you can.

6. By now your server should be ready to accept VPN connections.

7. Device setup:

If you want to connect with a newer Android phone or tablet, you're out of luck. Android requires L2TP/IPsec IKEv2. The GX50 supports only IKEv1.

But for anything else you can follow the instructions given by Meraki Go.

Well, almost... they didn't tell you that you have to edit your Registry on any Windows PC to make it work. Google AssumeUDPEncapsulationContextOnSendRule; I won't go into details here, but you'll find lots of help in the Google search results.

8. L3 Firewall Rules

I am not 100% sure about this, but you might have to add a rule that will allow connections from client VPN 192.168.11.0 to "MyNetwork" 192.168.10.0.

After doing all this, you should be able to connect. If not, please come back and I'll try to help.
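Steps 1 and 2 of the post above (pick a client VPN subnet that does not overlap any local VLAN, and size it to the number of clients) and the earlier "must be a valid IP address formatted string" error on the Custom DNS fields, worked through in Python. This is an added example, not code from the original post or from Meraki Go. The VLAN list mirrors the one in the post but is a constructed sample, and two details are assumptions: the address count subtracts the network address, the broadcast address and one address for the VPN gateway (which reproduces the 253 / 61 / 5 figures the post gives for /24, /26 and /29), and the duplicate-server check reflects the form asking for two different DNS servers rather than any documented behaviour.

```python
import ipaddress
from typing import Dict, List

# Constructed sample values modelled on the VLAN list in the post above; they are
# assumptions for this example, not anyone's real configuration.
LOCAL_VLANS: Dict[str, str] = {
    "Default VLAN 1": "192.168.1.0/24",
    "MyNetwork VLAN 10": "192.168.10.0/24",
    "Guests VLAN 100": "192.168.100.0/26",
}


def usable_vpn_addresses(cidr: str) -> int:
    """Client addresses left in a pool after excluding the network address, the
    broadcast address and one address for the VPN gateway itself (assumption:
    the concentrator takes one; this gives 253 / 61 / 5 for /24, /26, /29)."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    return max(0, net.num_addresses - 3)


def overlapping_vlans(vpn_cidr: str, vlans: Dict[str, str]) -> List[str]:
    """Names of local VLANs whose subnet overlaps the proposed client VPN pool.
    Any hit makes routing between VPN clients and that VLAN ambiguous."""
    vpn = ipaddress.ip_network(vpn_cidr, strict=True)
    return [name for name, cidr in vlans.items()
            if vpn.overlaps(ipaddress.ip_network(cidr, strict=True))]


def validate_dns_servers(addresses: List[str]) -> List[str]:
    """Problems with a list of Custom DNS entries. Mirrors the 'must be a valid
    IP address formatted string' check; the duplicate check is an assumption."""
    problems: List[str] = []
    seen = set()
    for raw in addresses:
        text = raw.strip()  # stray whitespace is a common cause of that error
        try:
            ip = ipaddress.ip_address(text)
        except ValueError:
            problems.append(f"{raw!r} is not a valid IP address formatted string")
            continue
        if ip in seen:
            problems.append(f"{text} is entered more than once")
        seen.add(ip)
    return problems


def check_client_vpn_plan(vpn_cidr: str, vlans: Dict[str, str],
                          dns_servers: List[str]) -> Dict[str, object]:
    """Combine the three checks into one report for a planned configuration."""
    return {
        "usable_addresses": usable_vpn_addresses(vpn_cidr),
        "overlaps": overlapping_vlans(vpn_cidr, vlans),
        "dns_problems": validate_dns_servers(dns_servers),
    }


if __name__ == "__main__":
    for cidr in ("192.168.11.0/24", "192.168.11.0/26", "192.168.11.0/29"):
        print(cidr, "->", usable_vpn_addresses(cidr), "client addresses")
    # Reusing a local VLAN's range for the VPN pool is flagged as an overlap.
    print(check_client_vpn_plan("192.168.1.0/24", LOCAL_VLANS, ["8.8.8.8", "8.8.4.4"]))
    # A malformed DNS entry is reported the way the app's error describes it.
    print(check_client_vpn_plan("192.168.11.0/24", LOCAL_VLANS, ["192.168.1.1", "127.00.1"]))
```

Run it as-is to see the three checks on the sample data; to check your own plan, replace `LOCAL_VLANS` with the networks listed in your app and call `check_client_vpn_plan` with the subnet and DNS servers you intend to enter. An empty `overlaps` list and an empty `dns_problems` list is what you want before saving the settings.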

GC1
Here to help

Thanks again for all this information and the time you took putting it together. I'm troubled by the suggestion that I would need to edit my registry to get this to work. While I've done that many times in the past, I can't imagine that this would be necessary for a device that's targeted to small business owners with "Simple, guided setup in less than 5 minutes" and "Easily customize settings for your business."

I've requested ArtMarshall from Meraki to jump in here and provide some answers.

TonyNg
Meraki Employee

Hello GC1,

A few questions to get a better understanding of the issue.

  • Is your GX50 getting a public IP address on its WAN interface or a private IP address?
    • Hardware > GX50 > IP address
  • Is the remote client getting an error when attempting to connect to the client VPN?
    • If it's a Windows device, can you provide the error code generated in the Windows Event viewer of the connection event?
      • On the affected device, press the Windows key and type Event Viewer.
      • From the search results, click on Event Viewer.
      • In Event Viewer, navigate to Windows Logs > Application.
      • Search the Error events for the connection failure.
      • Click the event to review the associated error code and details.

For clarification, the DNS configuration is used to resolve DNS queries when connected to the client VPN. If you know the DNS server addresses (two different public IP addresses) of the DNS servers you are planning on using, you can enter them using the Custom DNS provider option. Otherwise, we recommend using Google DNS by default.

Additionally, the subnet field needs to be entered with a different subnet from the subnets you are using on the local networks (different from the networks listed in the Networks tab of your Meraki app).

Lastly, you can only connect to the client VPN from a remote network. If you try to connect to the client VPN while on the same network as the GX50, then this will cause errors as client VPN connections are meant to be connected remotely.

Best Regards,
.ılı.ılı. Tony
Meraki GO Technical Support
