Guidance needed for Client VPN set up ( MX64 behind Netgear router)

DZ-POWER
Here to help

Guidance needed for Client VPN set up ( MX64 behind Netgear router)

I have been trying to  set  up a vpn and going on crazy for the last 48 hrs. spent lots of time in google and can't get the VPN to work ( tested on Phone and Macbook and laptop)

I have a C3700-100NAS Cable Modem router that is connected to the MX64 and I have a Switch ( MS120-8LP) Wireless  AP .

The Router is connected to my ISP Cable coax and  i have an ethernet cable to goes from the router into the MX64 Internet port.

LAN 1 on the MX64 goes directly into the Switch on port 1 

The AP is connected to port 2 on the switch and i have other device connected to the ports ( PS4, IPTV, Docking station, etc)

The router is in Route mode when i check the setting under advanced ( i can connect to the router by entering the IP into the browser or connection an ethernet cable into the router port ( it has 2 port )

I have tried to set up the VPN from Security & SD-WAN and no luck getting my phone  ( connected on LTE) or laptop  ( connected on a hotspot) .

I can't see any tracking under event logs

 

 

 

WAN 1

xx.xx.xx.xx  Active  ( it's an ISP IP address)

 

 

hostname : xxxxx-xxxxx-xxxx-xxxxx-xxxxxx.dynamic-m.com

 

subnet :  192.168.1.0/24  ( I type that in the field)  and i tried to create in the  addressing and VLANS and i get 

 

There were errors in saving this configuration:

  • Vlan subnets cannot overlap with the client VPN subnet.

 

DNS  : use google

 

WINS Server : no wins server

 

Shared secret : ( i type a simple password)

 

authentication : meraki cloud 

 

 

 

 

23 Replies 23
Bruce
Kind of a big deal

The subnet that you create under Security & SD-WAN -> Client VPN must be different to the other subnets that you have created on the MX. The client will be given an IP address from this subnet, and the MX will handle the routing from that assigned IP address to the other subnets on the MX.

DZ-POWER
Here to help

I'm going crazy on 48 hrs trying to set up vpn

what is the simplest way to do it ?

what subnet need to used under the vpn creation. i tried to put in the one from when i do ipconfig and it would not take it 

been trying for 48hrs and going crazy. 

 

 

Bruce
Kind of a big deal

Whatever you want.... say 172.16.1.0/24 if you're not using that anywhere else.

DZ-POWER
Here to help

i tried    172.16.1.0/24 that and got the error message   

Settings could not be saved. Please verify that your connection is working and try again.

my ip under ipconfig are 12.168.128xxx

i do not see any 172 ip range

Bruce
Kind of a big deal

Sorry, I thought you got the error when you were creating the Client VPN. If you were able to put 192.168.1.0/24 into the Client VPN configuration on the Meraki Dashboard then that is fine. You don't need to create this VLAN/subnet on the MX.

 

When you have the VPN client on your Windows machine working you will see both the 12.168.128.xxx address, and you'll also see the address of the VPN/L2TP adapter, which will be in the 192.168.1.0/24 range that you added under client VPN in the Meraki Dashboard. If you're not getting the 192.168.1.0/24 address then your client VPN isn't connecting for some reason. Have a look in the MX event log and see if there are any messages there.

DZ-POWER
Here to help

sorry my  ip  192.168.128.1 ( MX 64)

the router ip is  192.168.0.1  ( Gateway)

WAN IPV4  192.168.0.24

i'm really struggling . please help me 

 

in the meraki the LAN setting is single LAN

subnet 192.168.128.0/24

 

when i want create the client VPN and under subnet it list an example as  192.168.1.0/24   ( do i need to use that ??) 

 

What subned for a client VPN i need to put in ?

Bruce
Kind of a big deal

You don't need to use 192.168.1.0/24, but you can.

 

As you are behind the NetGear router, and appear to have a Private IP address on the WAN port of the MX64, you will need to ensure that the NetGear is forwarding ports UDP500 and UDP4500 (for IKE and IPSec NAT-T) to the IP address on the WAN port of the MX64.

 

Have a look through this document too, it may provide some assistance, https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN

 

DZ-POWER
Here to help

that is the problem i'm having and cant figure out

can you tell me what ip i need to put in the port forward

does it goes from 192.168.0.24  ( router) to  192.168.128.1 (MX64)   ( UDP 500 and 4500) 

 

VPN-PPTP
Service Type
TCP
External Starting Port
500
(1~65535)
External Ending Port
500
(1~65535)
Use the same port range for Internal port
Internal Starting Port
500
(1~65535)
Internal Ending Port
500
Internal IP address ??

External IP Address ??

 

 

 

BrandonS
Kind of a big deal

I read this bit and wondered if you are connecting from an ipv6 only host. 

“..no luck getting my phone  ( connected on LTE) or laptop  ( connected on a hotspot)..”

 

I pulled my hair out for a while before discovering I could never connect to Meraki from T-Mobile because Meraki doesn’t support ipv6 for client VPN. 

- Ex community all-star (⌐⊙_⊙)
DZ-POWER
Here to help

Hi

 

i just want to be able to connect via RDP when i travel

how can i set up the port forwarding in my netgear i'm really struggling 

 

what is the Internal IP and  external ip  i need to use as forwarding ??

 

router IP is 192.168.0.1

 

MX64 IP  is 192.168.128.1 

 

if i put  the router ip address or the mx64  in the browser i get the same page result ( see below)

 

do i need to route from Router to MX64   ( route from 192.168.0.24  to  mx ip address)

i thing the solution to my problem is the router port forwarding for 500 and 4500 and  struggling to get it done

 

Your client connection
Client IP 192.168.128.28
Client MAC
Speed test
Run a browser-based speed test to check your connection to this security appliance.
Run speed test
Security Appliance details
Network name
Hardware address
Product model MX64
Ethernet
This security appliance is directly connected to a local network.
IP address: 192.168.0.24
Internet
This security appliance is connected to the Internet.
Cisco Meraki cloud
This security appliance is successfully connected to the Cisco Meraki cloud.

 

Bruce
Kind of a big deal

The port forwarding needs to be configured on the Netgear Cable Modem, have a look at the Add a Custom Port Forwarding Service in the user manual, https://www.downloads.netgear.com/files/GDC/C3700/C3700_All_MSOs_UM_EN.pdf#page85.

 

You won’t need to configure a source (or external) address (as that’s the address the modem gets from your cable provider), you’ll need to configure the destination (or internal) address as the address of the WAN port on the MX64 (i.e. 192.168.0.24). You’ll need to configure one port forward for UDP500 and another for UDP4500.

DZ-POWER
Here to help

I tried it and it mess up some of my application

for example i used ABS-B for plane spotting and it was not working so i had to stop the port forwarding and it went back to normal

.why is port forwarding messing up the other applications?

is it affecting all the ports?

below is exactly what i did 

does it look right 

i'm confused about the  Use the same port range for Internal port

DZ-POWER_0-1615910785007.png

 

Bruce
Kind of a big deal

Port forward shouldn’t mess up other applications unless they’re using the same port, which for UDP 500 and 4500 they shouldn’t unless they’re establishing a VPN - they’re well known ports.

 

What you have looks about right, but you can probably get away with only UDP, rather than TCP/UDP if it’s an option. You only need the single ports, no ranges, and you could use the ‘same port for internal range option’.

DZ-POWER
Here to help

still can't get it to work

 

Mar 16 20:18:56 Non-Meraki / Client VPN negotiationmsg: purged IPsec-SA proto_id=ESP spi=1485482832.
Mar 16 20:18:56 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 192.168.0.24[4500]->73.61.19.6[4500] spi=38369682(0x2497992)
Mar 16 20:18:56 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 192.168.0.24[4500]->73.61.19.6[4500] spi=128748962(0x7ac8da2)
Mar 16 20:18:52 Non-Meraki / Client VPN negotiationmsg: purged IPsec-SA proto_id=ESP spi=92950814.
Mar 16 20:18:52 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 192.168.0.24[4500]->73.61.19.6[4500] spi=1485482832(0x588aab50)
Mar 16 20:18:52 Non-Meraki / Client VPN negotiationmsg: IPsec-SA established: ESP/Transport 192.168.0.24[4500]->73.61.19.6[4500] spi=6085396(0x5cdb14)
Mar 16 20:18:49 Non-Meraki / Client VPN negotiationmsg: purged IPsec-SA proto_id=ESP spi=3541076808.
Bruce
Kind of a big deal

Looks like your port forward is working. What logs are you getting on the client end?

DZ-POWER
Here to help

I was able to connected to the Meraki VPN but now i do not have internet access

Bruce
Kind of a big deal

That's because by default the Windows VPN client does a full tunnel, so all your traffic is being sent to the MX by Windows, you need to configure the Windows client to use split tunnel.

DZ-POWER
Here to help

so everything is working fine now , thanks all for the help and guidance and sorry for the delay replying

Bruce
Kind of a big deal

Good to hear it’s working. Well done working through the problems.

Chrysanthea
Conversationalist

Hello! Could you please share how you managed to get it to work? I am having the same exact problem.

DZ-POWER
Here to help

I went into the Netgear router ( usually it's 192.168.x.x) and logged with my credential and then set up a port forwarding

 for port 500 and 4500 ( UDP)   so it goes from my router and forward into the MX64 and that solved the problem .

my  home set  up is a Modem Router that connect to the Mx64 and then it goes to Meraki  switch and Wireless AP .

DZ-POWER
Here to help

only thing i see in the event log in meraki is intrusion detected started

 

I have the client vpn laptop connected to hotspot and i get the l2tp connection attempt failed because of security layer

using the windows vpn connection client for windows10 ( i tried the ip address and server name )

 

DZ-POWER
Here to help

I put in 192.168.1.0/24 when i created the subnet ( that is what is used as an example)

do i need to create that subnet ?? i'm confused

 

under addressing and VLAN i have single lan

192.168.128.0/24  and MX ip 192.168.128.1

 

 

if i do a ping  of 192.168.1.0/24  

ping 192.168.1.0

Pinging 192.168.1.0 with 32 bytes of data:
Reply from 192.168.128.1: Destination host unreachable.
Reply from 192.168.128.1: Destination host unreachable.
Reply from 192.168.128.1: Destination host unreachable.
Reply from 192.168.128.1: Destination host unreachable.

Ping statistics for 192.168.1.0:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels