Cisco Meraki Client VPN behind NAT Router
Hello,
I am trying to set up a client VPN behind a NAT router, but it's not working. When I try to connect, I get the following error.
"The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"
On the NAT router I forwarded ports 500 and 4500 to the Meraki private IP address 172.16.16.3.
Please let me know what I am doing wrong.
Thank you
Labels: ACLs, Client VPN, Firewall
Hello Everyone,
I finally figured it out. The issue was on the ISP's side. After checking with their support and restarting the CPE device, the client VPN started working behind the NAT router.
Additionally, I had to execute the following command in cmd and restart my Windows 11 system.
After that, it started working.
Does this firewall auto assign its WAN IP if the external IP is left blank?
Hi,
Yes, the WAN is set to DHCP.
As far as I remember, the Client VPN does not work behind NAT on the MX, only the S2S VPN.
Please, if this post was useful, leave your kudos and mark it as solved.
Please see the following link to configure the MX-Z for Client VPN. If the MX-Z sits behind another NAT device or firewall, please make sure that the following UDP ports are forwarded/allowed to the MX-Z:
- UDP 500 (IKE)
- UDP 4500 (IPSec NAT-T)
Note: Since the MX is the device communicating from UDP 500/4500, those ports need to be forwarded on any devices upstream of the MX, not on the MX itself.
Please, if this post was useful, leave your kudos and mark it as solved.
Hi,
Yes, I have forwarded these ports to the Meraki, but it is still not working.
Maybe I have to allow these ports in the Meraki firewall rules.
I just sent it to confirm, but the truth is that I've never seen Client VPN work behind NAT on an MX.
Please, if this post was useful, leave your kudos and mark it as solved.
Try using my Client VPN wizard. It sets a registry entry that improves reliability when working behind a NATed connection.
https://ifm.net.nz/cookbooks/meraki-client-vpn.html
# Create registry key to allow connections to an MX behind NAT (Error 809)
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -PropertyType DWORD -Force | Out-Null
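The following is an added example, not code from the original thread, from the cookbook linked above, or from Meraki. It ties together the two fixes discussed in this thread: the upstream NAT router forwarding UDP 500/4500 to the MX (so the Windows profile must point at the router's public address, not at 172.16.16.3), and the PolicyAgent registry value that tells Windows to use NAT-T when the peer, the client, or both sit behind NAT. It applies the registry change idempotently, verifies it, recreates the L2TP/IPsec profile with the settings Meraki Client VPN uses (PSK plus PAP inside the tunnel), and surfaces the RAS error number from a dial attempt so 789 (the message in the question) can be told apart from 809 (no IKE reply at all, i.e. UDP 500/4500 never reached the MX). The connection name, server address and pre-shared key are placeholders and are marked as assumptions in the code; run it from an elevated PowerShell.

```powershell
# Added example (not from the original thread, the ifm cookbook, or Meraki).
# Run elevated. The registry change still needs a reboot before it takes effect.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$Name    = 'AssumeUDPEncapsulationContextOnSendRule'
# 0 = default (Windows will not assume NAT-T), 1 = VPN server behind NAT,
# 2 = both this client and the server behind NAT (the situation in this thread)
$Wanted  = 2

function Get-NatTRule {
    # Returns the current DWORD value, or $null when the value does not exist yet.
    $prop = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }
    return [int]$prop.$Name
}

$current = Get-NatTRule
if ($current -eq $Wanted) {
    Write-Host "$Name is already $Wanted; no registry change needed"
} else {
    $shown = if ($null -eq $current) { '<missing>' } else { $current }
    Write-Host "$Name is $shown; setting it to $Wanted"
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Wanted -PropertyType DWORD -Force | Out-Null
    if ((Get-NatTRule) -ne $Wanted) { throw "Failed to write $Name" }
    Write-Warning 'Reboot before retrying the VPN; IKE reads this value at service start.'
}

# ASSUMED placeholders: replace with your own values.
$ConnName = 'Meraki-ClientVPN'                 # ASSUMED connection name
$Server   = 'vpn.example.com'                  # ASSUMED: the NAT router's PUBLIC IP or hostname,
                                               # never the MX's private 172.16.16.3
$Psk      = 'REPLACE-WITH-DASHBOARD-SHARED-SECRET'  # ASSUMED: the Client VPN shared secret

# Recreate the L2TP/IPsec profile. Meraki Client VPN authenticates users with PAP
# inside the IPsec tunnel, so EncryptionLevel must not be set to Required.
if (Get-VpnConnection -Name $ConnName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnName -Force
}
Add-VpnConnection -Name $ConnName -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod Pap -EncryptionLevel Optional `
    -RememberCredential -Force

# Dial once and extract the RAS error number from rasdial's output.
# Test-NetConnection only speaks TCP, so it cannot tell you whether UDP 500/4500
# reach the MX; the RAS error code is the practical signal:
#   809 -> no IKE response at all (port forward or ISP CPE problem upstream of the MX)
#   789 -> IKE reached the MX but the negotiation failed (PSK, NAT-T, or this registry value)
$cred = Get-Credential -Message "Client VPN user for $ConnName"
$out  = rasdial $ConnName $cred.UserName $cred.GetNetworkCredential().Password 2>&1 | Out-String
if ($out -match 'error (\d+)') {
    Write-Warning "rasdial failed with RAS error $($Matches[1])"
} else {
    Write-Host "Connected to $ConnName"
    Get-VpnConnection -Name $ConnName | Select-Object Name, ConnectionStatus, ServerAddress
}
```

The script is deliberately idempotent: running it twice after the reboot reports that the registry value is already set and only recreates the profile, which is what you want when rolling it out to several clients behind the same NAT.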
