Meraki

Community

Cisco Meraki Client VPN behind Nat Router

Solved
hamidsattar
Here to help
‎Jan 7 2025 2:23 AM
‎Jan 7 2025 2:23 AM

Cisco Meraki Client VPN behind Nat Router

Hello,

 

I am trying to setup a client VPN behind nat router but it's not working. When I try to connect it I am getting the following error.

 

"The L2TP connection attempt failed because the security layer encountered a processing error during initial  negotiations with the remote computer"

 

On the NAT router I forwarded ports 500 and 4500 to Meraki private IP address 172.16.16.3

 

hamidsattar_0-1736245370652.png

 

Please let me know what I am doing wrong.

 

Thank you

 

Labels:
0 Kudos
1 Accepted Solution
hamidsattar
Here to help
‎Feb 18 2025 9:45 AM
‎Feb 18 2025 9:45 AM

Hello Everyone,

 

I finally figured it out. The issue was on the ISP's side. After checking with their support and restarting the CPE device, the client VPN started working behind the NAT router.

 

Additionally, I had to execute the following command in cmd and restart my Windows 11 system.

hamidsattar_0-1739900733439.png

 

 

After that, it started working.

View solution in original post

0 Kudos
8 Replies 8
TyShawn
Head in the Cloud
‎Jan 7 2025 3:11 AM
‎Jan 7 2025 3:11 AM

Does this firewall auto assign its WAN IP if the external IP is left blank?

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to TyShawn
hamidsattar
Here to help
‎Jan 7 2025 3:44 AM
‎Jan 7 2025 3:44 AM

Hi,

 

Yes the WAN is set to dhcp. 

 

hamidsattar_0-1736250215385.png

 

0 Kudos
alemabrahao
Kind of a big deal
‎Jan 7 2025 4:21 AM
‎Jan 7 2025 4:21 AM

As far as I remember the VPN Client does not work behind NAT on the MX, only the S2S VPN.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
alemabrahao
Kind of a big deal
‎Jan 7 2025 6:48 AM
‎Jan 7 2025 6:48 AM

Please see the following link to configure the MX-Z for Client VPN. If the MX-Z sits behind another NAT device or firewall, please make sure that the following UDP ports are forwarded/allowed to the MX-Z:

  • UDP 500 (IKE) 
  • UDP 4500 (IPSec NAT-T)

Note: Since the MX is the device communicating from UDP 500/4500, those ports need to be forwarded on any devices upstream of the MX, not on the MX itself.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
hamidsattar
Here to help
‎Jan 7 2025 6:53 AM
‎Jan 7 2025 6:53 AM

Hi,

 

Yes I have forwarded these ports to Meraki but still it is not working.

 

Maybe I have to allow these ports on meraki firewall rules.

0 Kudos
In response to hamidsattar
alemabrahao
Kind of a big deal
‎Jan 7 2025 6:58 AM
‎Jan 7 2025 6:58 AM

I just sent it to confirm, but the truth is that I've never seen Client VPN work behind NAT on MX.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 7 2025 1:09 PM
‎Jan 7 2025 1:09 PM

Try using my client VPN wizard.  It sets a registry entry which improves the reliability when working behind a NATed connection.

https://ifm.net.nz/cookbooks/meraki-client-vpn.html

 

 

# Create registry key to allow connections to an MX behind NAT (Error 809)
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -PropertyType DWORD -Force | Out-Null

 

hamidsattar
Here to help
‎Feb 18 2025 9:45 AM
‎Feb 18 2025 9:45 AM

Hello Everyone,

 

I finally figured it out. The issue was on the ISP's side. After checking with their support and restarting the CPE device, the client VPN started working behind the NAT router.

 

Additionally, I had to execute the following command in cmd and restart my Windows 11 system.

hamidsattar_0-1739900733439.png

 

 

After that, it started working.

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.