Client VPN

route_map
Building a reputation


Hi Team

 

My Client VPN still doesn't work; I have followed all instructions.

My ISP says they are not blocking the ports, but I still get "The L2TP connection attempt failed because the sec..."

 

BrechtSchamp
Kind of a big deal

Most of the issues I have experienced with the client VPN are with devices behind NAT. Or just Windows being a PITA (pain in the ass).

 

  • Client behind NAT devices
    Solution: Modern Windows devices do not support L2TP/IPsec connections when the Windows computer or VPN server are located behind a NAT. If the Windows VPN client fails with Error 809 when trying to establish a VPN connection to an MX located behind a NAT, add the "AssumeUDPEncapsulationContextOnSendRule" DWORD value to the Windows registry. This DWORD value allows Windows to establish security associations when both the VPN server and the Windows based VPN client computer are behind NAT devices.

     

    For Windows Vista, 7, 8, 10, and 2008 Server:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent 

    RegValue: AssumeUDPEncapsulationContextOnSendRule

    Type: DWORD

    Data Value: 2

If you configure the above, delete the VPN, reboot and create the VPN again.

 

Cheers,

Ben

 

PS: the above is one of the solutions in the link @BrechtSchamp posted. But the one above is the most frequent I have encountered.

Also have you allowed inbound UDP/500 and 4500?  Run a packet capture on the MX Internet-facing port when you attempt to initiate the client VPN, just to confirm you see the initial IKE traffic as a starting point.
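
The registry change described in the reply above, as an added example that is not part of the original thread or of Meraki's documentation: a PowerShell function (the name `Set-NatTraversalPolicy` is hypothetical) that reports the current value, writes the DWORD only when it differs, and flags that a reboot is still needed. It assumes PowerShell 3.0 or later in an elevated session on the Windows VPN client.

```powershell
# Added example: audit, then set, the registry value described in the post above.
# Key path, value name and data (2) are taken from the post; everything else is illustrative.
$Path   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$Name   = 'AssumeUDPEncapsulationContextOnSendRule'
$Wanted = 2

function Set-NatTraversalPolicy {   # hypothetical function name
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # Writing under HKLM requires administrator rights; fail early with a clear message.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated PowerShell session.'
    }

    # Read the current state; a missing value comes back as $null.
    $current = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name

    $changed = $false
    if ($current -ne $Wanted) {
        if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Wanted")) {
            # -Force overwrites an existing value, including one created with the wrong type.
            New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Wanted -Force |
                Out-Null
            $changed = $true
        }
    }

    # Re-read from the registry so the report reflects what is actually stored.
    [pscustomobject]@{
        Previous       = $current
        Current        = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
        Changed        = $changed
        RebootRequired = $changed   # per the post: delete the VPN, reboot, recreate the VPN
    }
}

Set-NatTraversalPolicy -WhatIf   # preview only; remove -WhatIf to apply the change
```

Running it a second time after applying should report `Changed = False`, which confirms the value persisted.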

RogerGill
New here

Hey route_map! I suggest using VeePN. VeePN is a fantastic VPN that boasts over 1,100 servers in more than 60 countries, 24/7 customer service and a whopping 10 simultaneous connections available at any time.
