Meraki

Community

CLient VPN

route_map
Building a reputation
‎Mar 19 2019 5:28 AM
‎Mar 19 2019 5:28 AM

CLient VPN

Hi Team

 

My Client VPN still doesnt work, i have following all instructions.

My ISP says they are not blocking the ports, but i still get the The L2TP connection attempt failed because the sec...

 

0 Kudos
4 Replies 4
BrechtSchamp
Kind of a big deal
‎Mar 19 2019 5:47 AM
‎Mar 19 2019 5:47 AM

Have you checked this:

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN

 

What error comes up?

In response to BrechtSchamp
Ben
A model citizen
‎Mar 19 2019 7:18 AM
‎Mar 19 2019 7:18 AM

The most issues with the client VPN i have experienced are with devices behind NAT. Or just Windows being a pita (pain in the ass)

 

  • Client behind NAT devices
    Solution: Modern Windows devices do not support L2TP/IPsec connections when the Windows computer or VPN server are located behind a NAT. If the Windows VPN client fails with Error 809 when trying to establish a VPN connection to an MX located behind a NAT, add the "AssumeUDPEncapsulationContextOnSendRule" DWORD value to the Windows registry. This DWORD value allows Windows to establish security associations when both the VPN server and the Windows based VPN client computer are behind NAT devices.

     

    For Windows Vista, 7, 8, 10, and 2008 Server:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent 

    RegValue: AssumeUDPEncapsulationContextOnSendRule

    Type: DWORD

    Data Value: 2

If you configure the above delete the VPN, reboot and create the VPN again. 

 

Cheers,

Ben

 

ps: the above is one of the solutions in the link @BrechtSchamp  posted. But the one above is the most frequent i have encountered.

0 Kudos
In response to BrechtSchamp
MerakiDave
Meraki Employee
Meraki Employee
‎Mar 19 2019 7:18 AM
‎Mar 19 2019 7:18 AM

Also have you allowed inbound UDP/500 and 4500?  Run a packet capture on the MX Internet-facing port when you attempt to initiate the client VPN, just to confirm you see the initial IKE traffic as a starting point.

0 Kudos
RogerGill
New here
‎Mar 24 2019 5:59 AM
‎Mar 24 2019 5:59 AM

Hey route_map! I suggest use VeePN. VeePn is a fantastic VPN that boasts over 1,100 servers in more than 60 countries, 24/7 customer service and a whopping 10 simultaneous connections available at any time.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.