I keep getting "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."
My shared secret is correct. The service is enabled. My ISP says the ports aren't blocked.
Under uplink configuration my Public IP and WAN 1 IPs are different. What could I be missing?
@route_map It sounds like you've got a typical fiber connection from your ISP, where they give you a router. Am I right?
Have you talked to your ISP about putting the fiber router into "bridge mode" so that it passes the public IP directly to your MX? That fiber router is currently treating you as a normal internal client.
If they can't do that, ask them why their router is handing out an RFC 1918/private space instead of handing out public IP addresses. Tell them you need a static public IP address for your firewall.
Are you using a public IP on the MX interface? If yes, I don't think there will be any challenge; just follow the URL below.
Client VPN will establish through the MX public IP. Go to Security & SDWAN > Uplink to check the IP.
https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration
Do you mean MX's Public IP and WAN1's IP config are different?
Yes. Now I am wondering if there is an additional step.
Well, then it seems your MX device is behind a NAT gateway, such as a firewall or UTM.
In that case, you just cannot contact the MX via its Public IP until you configure 1:1 NAT on the NAT gateway that the MX is connected to.
Could you show me your MX's uplink IP status? I need just the first 1~2 octets, not the whole IP.
Are we sure that we have a public IP configured on the MX? If yes, try with the server name this time, not with the IP.
You are using private IPs; it can't be possible without 1:1 NATing.
You can't do it on the MX now since there is another upstream device that is performing NATing. Can you ask your ISP to do the NATing for you?
Or there is another way: I believe you can establish Client VPN via the MX name, not with the IP. It should work.
Are you using it now, or have you tried with the MX name earlier?
@route_map wrote:
I am using it now, with the MX name; it doesn't work.
So my connection is like this:
Internet - ISP Fibre router - MX
The MX gets a DHCP WAN address from the fibre router of 192.168.0.0.
The public address starts with 196.
The LAN address is 192.168.20.0.
How do I get this working?
I have a MX that uplinks using a 192.168.22/28 address to a LAN port on another security device (aka Kharon).
Kharon's WAN port connects to the Internet via a modem. Kharon receives a PPPoE/PPPoA dynamic external IP address from the ISP.
On the MX, the external IP address shows on the Security Appliance > Status > Uplinks page under the heading General as the Public IP.
There is also a Z3C attached to a port on the MX. Its status page also shows the same external IP address when directly connected to the MX.
Kharon does not have NAT disabled.
I can establish M2M VPN connections, but not VPN Client connections. I have tried connecting from an Android device and a Win 10 Pro workstation. As far as I can tell, the problem is as likely to be Win 10/Android as the MX.
I am considering using a StrongSwan client.
@Nash wrote:@route_map It sounds like you've got a typical fiber connection from your ISP, where they give you a router. Am I right?
Have you talked to your ISP about putting the fiber router into "bridge mode" so that it passes the public IP directly to your MX? That fiber router is currently treating you as a normal internal client.
If they can't do that, ask them why their router is handing out an RFC 1918/private space instead of handing out public IP addresses. Tell them you need a static public IP address for your firewall.
I have an MX that uplinks to a router on a private IP address (192.168.22.0/28). The router, which has NAT translation activated, passes it through to the internet. Despite the public address being dynamic, the MX uses this as the external IP address and copes with changes. From that, one might infer that the lack of a public IP address is not the sole problem. The ONT/fiber router may be expecting traffic to be tagged, or some form of PPPoE/PPPoA configured; sounds like Wiresharking is called for.
@Uberseehandel My question for you would be similar. Is there a reason why your MX has to be behind a NAT device?
If it's got to be behind a NAT device, then next step is port forwarding ports UDP 500, UDP 1701, and UDP 4500 (iirc) from the edge router to your MX's WAN IP.
Then connect your VPN to the external IP of the router. For ease of use, you might set up a DNS record for vpn.yourdomain.tld.
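The two situations in this thread (a WAN1 lease out of the fibre router's 192.168.0.0 range with a public address starting 196, and the 192.168.22.0/28 uplink behind a NAT router) come down to one check: does the address on the MX WAN port match the Public IP the dashboard shows, and if not, is the upstream address one that port forwarding can actually fix? The Python below is an added example, not code from the thread or from Meraki. It takes the two addresses a reader can copy from the Uplink page, says whether the MX is behind an upstream NAT, and lists the UDP 500/1701/4500 forwards the edge router would need. The sample addresses are constructed; 196.0.2.1 is a placeholder standing in for the poster's real 196.x address.

```python
import ipaddress

# UDP ports the upstream NAT router must forward to the MX WAN address for
# L2TP/IPsec Client VPN (the three ports named in the thread).
L2TP_IPSEC_UDP_PORTS = {500: "IKE", 1701: "L2TP", 4500: "IPsec NAT-T"}

# RFC 6598 shared address space used by carrier-grade NAT; neither private
# nor globally routable, so no router-side forwarding can expose it.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_address(ip):
    """Return 'private', 'cgnat' or 'public' for an IP address string."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4 and addr in CGNAT:
        return "cgnat"
    return "private" if addr.is_private else "public"


def diagnose_uplink(wan_ip, public_ip):
    """Compare the address on the MX WAN port with the Public IP the dashboard
    reports and return what, if anything, must change upstream."""
    wan_kind = classify_address(wan_ip)
    public_kind = classify_address(public_ip)
    result = {
        "behind_nat": wan_ip != public_ip,
        "wan": wan_kind,
        "public": public_kind,
        "forward_rules": [],
    }
    if not result["behind_nat"]:
        result["action"] = "none: the MX holds the public address itself"
        return result
    if public_kind != "public":
        # Bridge mode, 1:1 NAT or port forwarding cannot help here; the address
        # the ISP presents is not reachable from the internet in the first place.
        result["action"] = (
            "the address the ISP presents is %s, not internet-routable; "
            "ask the ISP for a public IP" % public_kind
        )
        return result
    result["action"] = (
        "upstream router must bridge, 1:1 NAT, or forward the Client VPN "
        "ports to the MX WAN address; clients connect to %s" % public_ip
    )
    result["forward_rules"] = [
        {"proto": "udp", "port": port, "service": name, "to": wan_ip}
        for port, name in sorted(L2TP_IPSEC_UDP_PORTS.items())
    ]
    return result


def render_rules(result):
    """Render the forward rules as one line each, as they would be typed into
    an edge router's port-forwarding table."""
    return [
        "udp/%d (%s) -> %s:%d" % (r["port"], r["service"], r["to"], r["port"])
        for r in result["forward_rules"]
    ]


if __name__ == "__main__":
    # Constructed samples (not real hosts): WAN1 leased from the fibre router
    # in 192.168.0.0/24 with a placeholder 196.x public address; the MX holding
    # the public address directly; and an ISP handing out CGNAT space.
    samples = [
        ("192.168.0.5", "196.0.2.1"),
        ("196.0.2.1", "196.0.2.1"),
        ("192.168.0.5", "100.64.3.9"),
    ]
    for wan, pub in samples:
        r = diagnose_uplink(wan, pub)
        print("WAN %s / Public %s: %s" % (wan, pub, r["action"]))
        for line in render_rules(r):
            print("    " + line)
```

The check deliberately treats "WAN address differs from Public IP" as the signal, not merely "WAN address is private": a private WAN address is the common case here, but any upstream translation produces the mismatch, and the 1:1 NAT or port forwards must point at whatever address the MX actually holds on WAN1.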
@Nash wrote:@Uberseehandel My question for you would be similar. Is there a reason why your MX has to be behind a NAT device?
If it's got to be behind a NAT device, then next step is port forwarding ports UDP 500, UDP 1701, and UDP 4500 (iirc) from the edge router to your MX's WAN IP.
Then connect your VPN to the external IP of the router. For ease of use, you might set up a DNS record for vpn.yourdomain.tld.
The NAT-enabled router ahead of the MX passes through everything required for the Z3C to connect to the MX, using Site-2-Site VPN when the Z3C is using its LTE modem.
I shall specifically check that the required port forwarding is configured on the upstream router.
I will explore using Dynamic DNS on the upstream router. I don't know if there will be any problems doing this as the MX uplinks to the router LAN port on a private address and the router WAN connection is established using PPPoE/PPPoA (passing through the modem). I do have a last resort option that is "undocumented", so may not last forever.
Just FYI, the MX can absolutely handle PPPoE. https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Support_for_PPPoE_on_Cisco_Mer...
If I understand your scenario correctly, we'll normally work with the ISP (if necessary) to move the PPPoE login to the MX from the ISP device. You can do so from the local status page, as per the doc above.
@Nash wrote:Just FYI, the MX can absolutely handle PPPoE. https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Support_for_PPPoE_on_Cisco_Mer...
If I understand your scenario correctly, we'll normally work with the ISP (if necessary) to move the PPPoE login to the MX from the ISP device. You can do so from the local status page, as per the doc above.
Yes, I know the MX can handle PPPoE; I had to use an additional security appliance ahead of the MX to make up for all the functionality that the MX lacks, and that Meraki is showing scant signs of addressing.
There is no need for the PPPoE login to be moved from the gateway appliance to the MX, as I have said previously -
"I have an MX that uplinks to a router on a private IP address (192.168.22.0/28). The router, which has NAT translation activated, passes it through to the internet. Despite the public address being dynamic, the MX uses this as the external IP address and copes with changes."
Thank you for your assistance in this matter. It was the lack of required functionality in the MX that created the need for an additional security appliance ahead of the MX, to do what the MX doesn't do. Otherwise, I would still be using PPPoE/PPPoA on the MX.
I've had issues with devices when using a complex PSK. If you are using a complex PSK perhaps try a simpler one.