---

@Nash wrote:

What OS is running on the endpoint device that's connecting in over the client VPN? Win7, Win10, MacOS...?

 

Where are you starting this traceroute? From inside the network? What happens when you traceroute from the endpoint?

 

Can you look at the routing table on that end point? In Windows, open PowerShell or CMD and run "route print". On a Mac, I think you open terminal and run "netstat -nr" but don't quote me.

 

Do you see routes for the subnets you're trying to connect to? If not, you either need to setup the connection as a full tunnel or add routes for those subnets that point out through the VPN connection.

 

That's cake in Win10. In Powershell: add-vpnconnectionroute -connectionname "Your Saved VPN" -destinationprefix "192.168.0.0/24" 

---

@Nash 
It's Win10.

I'm starting traceroute on my Win10 laptop that is connected to the MX via client VPN. Traceroute hits the MX public IP and then goes out to the Internet.

I can't see routes to subnets I'm trying to connect to in my routing table (route print). I can only see route to the MX public IP and route to 0.0.0.0 via my VPN interface.

My laptop IP is 192.168.1.105 and my VPN interface IP is 192.168.205.8

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.105 4250
0.0.0.0 0.0.0.0 On-link 192.168.205.8 26
85.x.x.x 255.255.255.255 192.168.1.1 192.168.1.105 4251

I can add routes to my routing table but shouldn't it work without any manual intervention?

---

@PhilipDAth wrote:

Is the MX68 the default route for the VLAN?

 

Can you ping the MX68 VLAN IP address from the client VPN?

 

A really common problem is Windows Firewall set to block connections from outside of the current subnet.  You could try disabling Windows Firewall on a test machine on the VLAN concerned.

---

@PhilipDAth 
Yes, the MX is default GW for the VLAN.

The VLAN is 172.18.3.0/24, MX IP: 172.18.3.1

I can't ping 172.18.3.1 and when I do traceroute, I can see traffic going out to the Internet. I've disabled Windows FW to no avail.

85.x.x.x is the MX public IP, 46.x.x.x must be next hop.

Tracing route to 172.18.3.1 over a maximum of 30 hops

1 * * * Request timed out.
2 19 ms 20 ms 19 ms 85.x.x.x
3 25 ms 24 ms 25 ms 46.x.x.x
4 25 ms 24 ms 25 ms 46.x.x.x
5 * * * Request timed out.
6 * * * Request timed out.
7 * * * Request timed out.
8 * * * Request timed out.
9 * * * Request timed out.
10 46.x.x.x reports: Destination net unreachable.

You need routes if you've got it set to act like a split tunnel. Otherwise it doesn't know what the interesting traffic is.

Try tearing out the saved VPN connection and create the new connection. If you don't want to PowerShell, follow https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration but set Encryption to Optional. Win10 doesn't actually support required encryption for PAP.

To use PowerShell: Use PowerShell ISE. Update these variables to match your info.

$ConnectionName = 'VPN name'
$ServerAddress = 'pretend.host.com'
$PresharedKey = 'fake PSK'

Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -AllUserConnection -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap -EncryptionLevel Optional

---

@Nash wrote:

You need routes if you've got it set to act like a split tunnel. Otherwise it doesn't know what the interesting traffic is.

 

Try tearing out the saved VPN connection and create the new connection. If you don't want to PowerShell, follow https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration but set Encryption to Optional. Win10 doesn't actually support required encryption for PAP.

 

To use PowerShell: Use PowerShell ISE. Update these variables to match your info.

 

$ConnectionName = 'VPN name'
$ServerAddress = 'pretend.host.com'
$PresharedKey = 'fake PSK'

Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -AllUserConnection -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap -EncryptionLevel Optional

---

Thanks @Nash I have to configure VPN into another MX so I'll try your script.

Thank you @Nash, this works perfectly although I've changed encryption level to require. I have no idea why my VPN connections added manually didn't work but they do work when created via the script.

Anyway, it's working now so thank you again for your help!

Do be aware that if you change to require, it's going to change your password protocol on you at some point. Windows 10 doesn't really support required encryption when using the PAP protocol.

This can cause the VPN connection to "break" with no warning, especially after running updates.

OK, thanks, I'll keep that in mind. I don't want my VPN traffic to be sent unencrypted.

Your VPN traffic won't be sent unencrypted. It'll be encapsulated within the IPSEC tunnel. Setting encryption to optional has to do with how the user name/password is transmitted. Win10 does not support -Encryption Required for PAP or CHAP.

So it assumes that -Encryption Required is correct, and will eventually change your password protocol to EAP and MS-CHAPv2. Then you get tickets about "broken" VPN connections.

When you created the account with PowerShell using -Encryption Required, you should have seen an error like this:

 Add-VpnConnection -name Testbob -ServerAddress testbob.com -TunnelType L2tp -EncryptionLevel Required -L2tpPsk testbob -AuthenticationMethod pap
Add-VpnConnection :  The current encryption selection requires EAP or MS-CHAPv2 logon security methods. PAP and CHAP
do not support Encryption settings 'Required' or 'Maximum'. : The parameter is incorrect.
At line:1 char:1
+ Add-VpnConnection -name Testbob -ServerAddress testbob.com -TunnelTyp ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (AuthenticationMethod:root/Microsoft/...S_VpnConnection) [Add-VpnConnec
   tion], CimException
    + FullyQualifiedErrorId : WIN32 87,Add-VpnConnection