Cisco Meraki Client VPN behind NAT Router

hamidsattar
Comes here often


Hello,

I am trying to set up Client VPN behind a NAT router, but it is not working. When I try to connect, I get the following error:

"The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"

On the NAT router I forwarded ports 500 and 4500 to the Meraki private IP address 172.16.16.3

[attached screenshot]

Please let me know what I am doing wrong.

Thank you

 

7 Replies
TyShawn
Head in the Cloud

Does this firewall auto-assign its WAN IP if the external IP is left blank?

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
hamidsattar
Comes here often

Hi,

Yes, the WAN is set to DHCP.

[attached screenshot]

alemabrahao
Kind of a big deal

As far as I remember, the VPN Client does not work behind NAT on the MX, only the S2S VPN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

Please see the following link to configure the MX-Z for Client VPN. If the MX-Z sits behind another NAT device or firewall, please make sure that the following UDP ports are forwarded/allowed to the MX-Z:

  • UDP 500 (IKE) 
  • UDP 4500 (IPSec NAT-T)

Note: Since the MX is the device communicating from UDP 500/4500, those ports need to be forwarded on any devices upstream of the MX, not on the MX itself.

hamidsattar
Comes here often

Hi,

Yes, I have forwarded these ports to the Meraki, but it is still not working.

Maybe I have to allow these ports in the Meraki firewall rules.

alemabrahao
Kind of a big deal

I just sent it to confirm, but the truth is that I've never seen Client VPN work behind NAT on an MX.

PhilipDAth
Kind of a big deal

Try using my client VPN wizard. It sets a registry entry which improves the reliability when working behind a NATed connection.

https://ifm.net.nz/cookbooks/meraki-client-vpn.html

# Create registry key to allow connections to an MX behind NAT (Error 809)
# Value 2 allows IPsec SAs when both the client and the VPN server are behind NAT (1 covers only a server behind NAT)
# Needs an elevated shell (HKLM) and a reboot before it takes effect
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -PropertyType DWORD -Force | Out-Null
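As an added example (not PhilipDAth's wizard and not code from the original post), the following PowerShell script applies the same NAT-T registry setting on the Windows client, then builds the L2TP/IPsec profile with PAP inside the tunnel that Meraki Client VPN expects, and dials it so the error code can be read. The connection name, server address and pre-shared key are placeholders you must replace; the error-code interpretation in the comments is the standard Windows RAS meaning, not something taken from the thread.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell on the Windows client.
# Placeholders (assumptions): replace with the NAT router's public address and the MX Client VPN secret.
$VpnName       = 'Meraki Client VPN'
$ServerAddress = 'vpn.example.com'
$PreSharedKey  = 'REPLACE-WITH-MX-CLIENT-VPN-PSK'

$PolicyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$ValueName   = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of the value:
#   0 / missing : Windows will not build an IPsec SA to a server behind NAT
#   1           : server may sit behind NAT
#   2           : both client and server may sit behind NAT (the situation in this thread)
$current = (Get-ItemProperty -Path $PolicyAgent -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
if ($current -ne 2) {
    New-ItemProperty -Path $PolicyAgent -Name $ValueName -Value 2 -PropertyType DWORD -Force | Out-Null
    Write-Host "Set $ValueName = 2 (was '$current'). Reboot before testing the tunnel."
} else {
    Write-Host "$ValueName is already 2."
}

# Meraki Client VPN is L2TP carried inside IPsec; PAP is tolerable only because IPsec already
# encrypts the L2TP session, so the profile must be L2TP/IPsec with a PSK, never plain L2TP.
if (Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $VpnName -Force
}
Add-VpnConnection -Name $VpnName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $PreSharedKey `
    -AuthenticationMethod Pap `
    -EncryptionLevel Optional `
    -RememberCredential `
    -Force

# Dial with prompted credentials rather than hard-coded ones. How to read the result:
#   error 809 : no answer on UDP 500/4500, i.e. the forward on the upstream NAT router did not reach the MX
#   error 789 : the "security layer ... processing error" message quoted in this thread; IKE reached the
#               server but negotiation failed (NAT-T not allowed, wrong PSK, or IPsec proposal mismatch)
$cred = Get-Credential -Message "Credentials for $VpnName"
rasdial $VpnName $cred.UserName $cred.GetNetworkCredential().Password
Write-Host "rasdial exit code: $LASTEXITCODE"
```

Run it once, reboot if the registry value was changed, then run it again to dial; the exit code from rasdial tells you whether the packets are reaching the MX at all (809) or reaching it and failing negotiation (789), which is the first thing to separate when the MX sits behind another NAT device.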

 
