Client VPN - can't get to hosts on VLANs connected to the MX

SOLVED
Kristof
Here to help

I'm having issues with client VPN on MX68. I can connect to the VPN over Internet but I can't get to any host on any VLAN connected to the same MX. When I trace route to one of the VLANs, I can see that traffic is going out of MX to the Internet.

 

"Use default gateway on remote host" box is checked.

 

Anything I need to do before I can connect to VLANs?

Nash
Kind of a big deal

What OS is running on the endpoint device that's connecting in over the client VPN? Win7, Win10, MacOS...?

 

Where are you starting this traceroute? From inside the network? What happens when you traceroute from the endpoint?

 

Can you look at the routing table on that endpoint? In Windows, open PowerShell or CMD and run "route print". On a Mac, I think you open Terminal and run "netstat -nr" but don't quote me.

 

Do you see routes for the subnets you're trying to connect to? If not, you either need to set up the connection as a full tunnel or add routes for those subnets that point out through the VPN connection.

 

That's cake in Win10. In PowerShell: Add-VpnConnectionRoute -ConnectionName "Your Saved VPN" -DestinationPrefix "192.168.0.0/24"



@Nash 
It's Win10.

 

I'm starting traceroute on my Win10 laptop that is connected to the MX via client VPN. Traceroute hits the MX public IP and then goes out to the Internet.

 

I can't see routes to subnets I'm trying to connect to in my routing table (route print). I can only see route to the MX public IP and route to 0.0.0.0 via my VPN interface.

 

My laptop IP is 192.168.1.105 and my VPN interface IP is 192.168.205.8.

 

Active Routes:
Network Destination        Netmask          Gateway       Interface        Metric
0.0.0.0                    0.0.0.0          192.168.1.1   192.168.1.105    4250
0.0.0.0                    0.0.0.0          On-link       192.168.205.8    26
85.x.x.x                   255.255.255.255  192.168.1.1   192.168.1.105    4251

 

I can add routes to my routing table but shouldn't it work without any manual intervention?

 

 

PhilipDAth
Kind of a big deal

Is the MX68 the default route for the VLAN?

 

Can you ping the MX68 VLAN IP address from the client VPN?

 

A really common problem is Windows Firewall set to block connections from outside of the current subnet. You could try disabling Windows Firewall on a test machine on the VLAN concerned.



@PhilipDAth 
Yes, the MX is default GW for the VLAN.

 

The VLAN is 172.18.3.0/24, MX IP: 172.18.3.1

 

I can't ping 172.18.3.1 and when I do traceroute, I can see traffic going out to the Internet. I've disabled Windows FW to no avail.

 

85.x.x.x is the MX public IP, 46.x.x.x must be next hop.

 

Tracing route to 172.18.3.1 over a maximum of 30 hops

1 * * * Request timed out.
2 19 ms 20 ms 19 ms 85.x.x.x
3 25 ms 24 ms 25 ms 46.x.x.x
4 25 ms 24 ms 25 ms 46.x.x.x
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 46.x.x.x reports: Destination net unreachable.

Nash
Kind of a big deal

You need routes if you've got it set to act like a split tunnel. Otherwise it doesn't know what the interesting traffic is.

 

Try tearing out the saved VPN connection and create the new connection. If you don't want to use PowerShell, follow https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration but set Encryption to Optional. Win10 doesn't actually support required encryption for PAP.

 

To use PowerShell: Use PowerShell ISE. Update these variables to match your info.

 

$ConnectionName = 'VPN name'
$ServerAddress = 'pretend.host.com'
$PresharedKey = 'fake PSK'

Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -AllUserConnection -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap -EncryptionLevel Optional



Thanks @Nash I have to configure VPN into another MX so I'll try your script.

Nash (accepted solution)
Kind of a big deal

Oh shoot, I left -AllUserConnection in there. You probably don't need that. Try this code block:

 

$ConnectionName = 'VPN name'
$ServerAddress = 'pretend.host.com'
$PresharedKey = 'fake PSK'

Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap -EncryptionLevel Optional

 

This script chunk will create a full tunnel, so you won't need routes. It sends all your traffic to the MX.

 

If that works to allow you to send traffic to MX subnets, then you can change to split tunnel:

 

# Turn the existing profile into a split tunnel (only routed prefixes go through the VPN)
Set-VpnConnection -Name $ConnectionName -SplitTunneling
# Add a route for each MX VLAN you need to reach; no -AllUserConnection here,
# because the profile above was created per-user without it
$Destination = '172.18.3.0/24'
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination
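The accepted answer's steps collected into one script, as an added example that is not Nash's code or anything from the Meraki documentation: it assumes a placeholder connection name, server host, PSK and VLAN prefix, and that it is run in an elevated PowerShell on the Win10 endpoint (the -AllUsers switch is this example's own, mapping to -AllUserConnection on every cmdlet).

```powershell
# Added example: build the L2TP/IPsec client VPN profile from the thread and,
# optionally, convert it to a split tunnel with a route per MX VLAN.
# All values below are placeholders, not real hosts or keys.
param(
    [string]   $ConnectionName = 'MX Client VPN',         # placeholder
    [string]   $ServerAddress  = 'vpn.example.invalid',    # placeholder
    [string]   $PresharedKey   = 'REPLACE-WITH-REAL-PSK',  # placeholder
    [string[]] $MxSubnets      = @('172.18.3.0/24'),       # VLAN(s) behind the MX
    [switch]   $SplitTunnel,                               # off = full tunnel
    [switch]   $AllUsers                                   # machine-wide profile
)

# Use one scope for every cmdlet. Mixing per-user and -AllUserConnection is why
# Add-VpnConnectionRoute fails to find the profile, as noted in the answer above.
$scope = @{}
if ($AllUsers) { $scope['AllUserConnection'] = $true }

# Start from a clean profile; one created in the GUI keeps its old settings.
if (Get-VpnConnection -Name $ConnectionName @scope -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName @scope -Force
}

# Full tunnel first. With PAP, Win10 only accepts -EncryptionLevel Optional;
# 'Required' is rejected (see the error later in the thread). The PAP exchange
# is still carried inside the IPsec tunnel that wraps the L2TP session.
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
    -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap `
    -EncryptionLevel Optional -RememberCredential:$false @scope

if ($SplitTunnel) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling @scope
    foreach ($prefix in $MxSubnets) {
        # Each VLAN that must go through the tunnel needs its own route;
        # everything else keeps using the local default gateway.
        Add-VpnConnectionRoute -ConnectionName $ConnectionName `
            -DestinationPrefix $prefix @scope
    }
}

# Summarise what was configured. After connecting, 'route print' on the
# endpoint should list these prefixes via the VPN interface.
$vpn = Get-VpnConnection -Name $ConnectionName @scope
[pscustomobject]@{
    Name            = $vpn.Name
    SplitTunneling  = $vpn.SplitTunneling
    EncryptionLevel = $vpn.EncryptionLevel
    Routes          = ($vpn.Routes | ForEach-Object { $_.DestinationPrefix }) -join ', '
}
```

Run it once without -SplitTunnel to confirm hosts on the VLAN answer over the full tunnel, then again with -SplitTunnel so only the listed prefixes use the VPN.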

Thank you @Nash, this works perfectly although I've changed encryption level to require. I have no idea why my VPN connections added manually didn't work but they do work when created via the script.

Anyway, it's working now so thank you again for your help!

Nash
Kind of a big deal

Do be aware that if you change to require, it's going to change your password protocol on you at some point. Windows 10 doesn't really support required encryption when using the PAP protocol.

 

This can cause the VPN connection to "break" with no warning, especially after running updates.

OK, thanks, I'll keep that in mind. I don't want my VPN traffic to be sent unencrypted.

Nash
Kind of a big deal

Your VPN traffic won't be sent unencrypted. It'll be encapsulated within the IPsec tunnel. Setting encryption to optional has to do with how the user name/password is transmitted. Win10 does not support -Encryption Required for PAP or CHAP.

 

So it assumes that -Encryption Required is correct, and will eventually change your password protocol to EAP and MS-CHAPv2. Then you get tickets about "broken" VPN connections.

 

When you created the account with PowerShell using -Encryption Required, you should have seen an error like this:

 

 Add-VpnConnection -name Testbob -ServerAddress testbob.com -TunnelType L2tp -EncryptionLevel Required -L2tpPsk testbob -AuthenticationMethod pap
Add-VpnConnection :  The current encryption selection requires EAP or MS-CHAPv2 logon security methods. PAP and CHAP
do not support Encryption settings 'Required' or 'Maximum'. : The parameter is incorrect.
At line:1 char:1
+ Add-VpnConnection -name Testbob -ServerAddress testbob.com -TunnelTyp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (AuthenticationMethod:root/Microsoft/...S_VpnConnection) [Add-VpnConnec
   tion], CimException
    + FullyQualifiedErrorId : WIN32 87,Add-VpnConnection