I still can't get my Client VPN to work

SOLVED
route_map
Building a reputation

I still can't get my Client VPN to work

I keep getting "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer."

My shared secret is correct. The service is enabled, and my ISP says the ports aren't blocked.

Under uplink configuration my Public IP and WAN 1 IPs are different. What could I be missing?

1 ACCEPTED SOLUTION
Nash
Kind of a big deal

@route_map It sounds like you've got a typical fiber connection from your ISP, where they give you a router. Am I right?

 

Have you talked to your ISP about putting the fiber router into "bridge mode" so that it passes the public IP directly to your MX? That fiber router is currently treating you as a normal internal client.

 

If they can't do that, ask them why their router is handing out an RFC 1918/private space instead of handing out public IP addresses. Tell them you need a static public IP address for your firewall.


22 REPLIES
timeshimanshu
Getting noticed

Are you using a public IP on the MX interface? If yes, I don't think there will be any challenge. Just follow the URL below.

Client VPN will establish through the MX public IP. Go to Security & SD-WAN > Uplink to check the IP.

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

route_map
Building a reputation

I have gone through all the docs, and nothing.
Kamome
Building a reputation

Do you mean the MX's Public IP and WAN1's IP config are different?

[screenshot: Security Appliances page, Meraki Dashboard]

route_map
Building a reputation

Yes, now I am wondering if there is an additional step.

Kamome
Building a reputation

Well, then it seems your MX device is behind a NAT gateway, such as a firewall or UTM.
In that case, you just cannot contact the MX via its Public IP until you do a 1:1 NAT configuration on the NAT gateway that the MX is connected to.
Could you show me your MX's uplink IP status? I need just the first 1~2 octets, not the whole IP.

Are we sure that we have a public IP configured on the MX? If yes, try with the server name this time, not with the IP.

route_map
Building a reputation

[screenshot: vpn issue]

You are using private IPs; it can't be possible without 1:1 NATing.

route_map
Building a reputation

Please share an example of what I should do.

You can't do it on the MX now since there is another upstream device that is performing NATing. Can you ask your ISP to do the NATing for you?

Or there is another way: I believe you can establish client VPN via the MX name, not the IP. It should work.

route_map
Building a reputation

I am using the MX name

Are you using it now, or have you tried with the MX name earlier?

 

route_map
Building a reputation

I am using it now, with the MX name;
doesn't work.
So my connection is like this:
Internet - ISP Fibre router - MX
MX gets a DHCP WAN address from the fibre router of 192.168.0.0.
Public address starts with 196.
LAN address is 192.168.20.0.
How do I get this working?


@route_map wrote:
I am using it now, with the MX name;
doesn't work.
So my connection is like this:
Internet - ISP Fibre router - MX
MX gets a DHCP WAN address from the fibre router of 192.168.0.0.
Public address starts with 196.
LAN address is 192.168.20.0.
How do I get this working?

I have a MX that uplinks using a 192.168.22/28 address to a LAN port on another security device (aka Kharon).

 

Kharon's WAN port connects to the Internet via a modem. Kharon receives a PPPoE/PPPoA dynamic external IP address from the ISP.

 

On the MX, the external IP address shows on the Security Appliance > Status > Uplinks page under the heading General as the Public IP.

 

There is also a Z3C attached to a port on the MX. Its status page also shows the same external IP address when directly connected to the MX.

 

Kharon does not have NAT disabled.

 

I can establish M2M VPN connections, but not VPN Client connections. I have tried connecting from an Android device and a Win 10 Pro workstation. As far as I can tell, the problem is as likely to be Win 10/Android as the MX.

 

I am considering using a StrongSwan client.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel

Uberseehandel
Kind of a big deal


@Nash wrote:

@route_map It sounds like you've got a typical fiber connection from your ISP, where they give you a router. Am I right?

 

Have you talked to your ISP about putting the fiber router into "bridge mode" so that it passes the public IP directly to your MX? That fiber router is currently treating you as a normal internal client.

 

If they can't do that, ask them why their router is handing out an RFC 1918/private space instead of handing out public IP addresses. Tell them you need a static public IP address for your firewall.


I have an MX that uplinks to a router on a private IP address (192.168.22.0/28); the router, which has NAT translation activated, passes it through to the internet. Despite the public address being dynamic, the MX uses this as the external IP address and copes with changes. From that, one might infer that the lack of a public IP address is not the sole problem. The ONT/fiber router may be expecting traffic to be tagged, or some form of PPPoE/PPPoA configured; sounds like Wiresharking is called for.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Nash
Kind of a big deal

@Uberseehandel My question for you would be similar. Is there a reason why your MX has to be behind a NAT device?

 

If it's got to be behind a NAT device, then next step is port forwarding ports UDP 500, UDP 1701, and UDP 4500 (iirc) from the edge router to your MX's WAN IP.

 

Then connect your VPN to the external IP of the router. For ease of use, you might set up a DNS record for vpn.yourdomain.tld.
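The diagnosis this thread circles around (the Uplink page showing a private WAN 1 address and a different Public IP, Kamome's 1:1 NAT point, and the UDP 500/1701/4500 forwards listed above), as an added Python example that is not part of the thread and is not Meraki code. It takes the two uplink addresses as plain strings (the UplinkStatus field names are hypothetical, not a dashboard API), decides whether the MX sits behind an upstream NAT, and emits the port forwards that would have to point at the MX WAN address. It goes beyond the thread in one respect: RFC 6598 carrier-grade NAT space (100.64.0.0/10) is treated as a case where forwarding on the customer's own router cannot help, because the NAT is inside the ISP. All sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# RFC 1918 space (what the ISP router hands the MX in this thread) and, added
# here as an edge case, RFC 6598 carrier-grade NAT space. Checked explicitly
# rather than via ipaddress.is_private so that documentation ranges used as
# sample public addresses are not misclassified.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")

# Ports an upstream NAT device must pass to the MX for L2TP/IPsec client VPN:
# UDP 500 = IKE, UDP 4500 = IKE and ESP over NAT-T, UDP 1701 = L2TP (inside IPsec).
L2TP_IPSEC_PORTS: Tuple[Tuple[str, int], ...] = (("udp", 500), ("udp", 4500), ("udp", 1701))


@dataclass
class UplinkStatus:
    """Values read off the dashboard Uplink page (hypothetical field names)."""
    wan_ip: str     # address on WAN 1
    public_ip: str  # "Public IP" as seen from the Meraki cloud


@dataclass
class Diagnosis:
    behind_nat: bool
    cgnat: bool
    vpn_target: str                          # address clients should dial
    forwards: List[Tuple[str, int, str]] = field(default_factory=list)  # (proto, port, dest)
    advice: str = ""


def _in_any(addr, nets) -> bool:
    return any(addr in n for n in nets)


def diagnose(status: UplinkStatus) -> Diagnosis:
    """Classify an MX uplink from its WAN and Public IP and list the forwards needed."""
    wan = ipaddress.ip_address(status.wan_ip)
    pub = ipaddress.ip_address(status.public_ip)

    if wan == pub and not _in_any(wan, RFC1918) and wan not in CGNAT:
        return Diagnosis(False, False, str(pub), [],
                         "MX holds the public IP directly; no upstream NAT changes needed.")

    if wan in CGNAT or pub in CGNAT:
        # The translating device is the carrier's, not the customer's router,
        # so forwarding on the ISP CPE cannot expose the MX.
        return Diagnosis(True, True, str(pub), [],
                         "Carrier-grade NAT in the path: port forwarding on your own "
                         "router will not help; ask the ISP for a routable public IP.")

    if _in_any(wan, RFC1918):
        forwards = [(proto, port, str(wan)) for proto, port in L2TP_IPSEC_PORTS]
        return Diagnosis(True, False, str(pub), forwards,
                         "MX is behind an upstream NAT: bridge the ISP router so the MX "
                         "receives the public IP, or forward the listed ports to the MX "
                         "WAN address and point clients at the public IP (or a DNS name).")

    return Diagnosis(True, False, str(pub), [],
                     "WAN and public IP differ but WAN is not private space; check for a "
                     "second NAT hop or a misread uplink page.")


def render(diag: Diagnosis) -> List[str]:
    """Human-readable checklist, one line per item."""
    lines = [f"behind NAT: {diag.behind_nat}  carrier-grade NAT: {diag.cgnat}",
             f"client VPN target: {diag.vpn_target}"]
    lines += [f"forward {proto.upper()} {port} -> {dest}" for proto, port, dest in diag.forwards]
    lines.append(diag.advice)
    return lines


if __name__ == "__main__":
    # Constructed sample mirroring the thread: private DHCP WAN, different public IP.
    for line in render(diagnose(UplinkStatus("192.168.0.5", "203.0.113.10"))):
        print(line)
```

The interesting branch for this thread is the third one: a WAN address inside RFC 1918 with a different Public IP means every packet from a VPN client stops at the ISP router unless it is bridged or forwards the three UDP ports inward. The CGNAT branch is worth keeping in a checklist because it looks identical on the Uplink page but has no customer-side fix.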

Uberseehandel
Kind of a big deal


@Nash wrote:

@Uberseehandel My question for you would be similar. Is there a reason why your MX has to be behind a NAT device?

 

If it's got to be behind a NAT device, then next step is port forwarding ports UDP 500, UDP 1701, and UDP 4500 (iirc) from the edge router to your MX's WAN IP.

 

Then connect your VPN to the external IP of the router. For ease of use, you might set up a DNS record for vpn.yourdomain.tld.


The NAT-enabled router ahead of the MX passes through everything required for the Z3C to connect to the MX, using Site-2-Site VPN when the Z3C is using its LTE modem.

 

I shall specifically check that the required port forwarding is configured on the upstream router.

 

I will explore using Dynamic DNS on the upstream router. I don't know if there will be any problems doing this as the MX uplinks to the router LAN port on a private address and the router WAN connection is established using PPPoE/PPPoA (passing through the modem). I do have a last resort option that is "undocumented", so may not last forever.

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
Nash
Kind of a big deal

Just FYI, the MX can absolutely handle PPPoE. https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Support_for_PPPoE_on_Cisco_Mer...

 

If I understand your scenario correctly, we'll normally work with the ISP (if necessary) to move the PPPoE login to the MX from the ISP device. You can do so from the local status page, as per the doc above.

Uberseehandel
Kind of a big deal


@Nash wrote:

Just FYI, the MX can absolutely handle PPPoE. https://documentation.meraki.com/zGeneral_Administration/Other_Topics/Support_for_PPPoE_on_Cisco_Mer...

 

If I understand your scenario correctly, we'll normally work with the ISP (if necessary) to move the PPPoE login to the MX from the ISP device. You can do so from the local status page, as per the doc above.


Yes, I know the MX can handle PPPoE; I had to use an additional security appliance ahead of the MX to make up for all the functionality that the MX lacks, and that Meraki is showing scant signs of addressing. 

 

There is no need for the PPPoE login to be moved from the gateway appliance to the MX, as I have said previously - 

 

"I have an MX that uplinks to a router on a private IP address (192.168.22.0/28); the router, which has NAT translation activated, passes it through to the internet. Despite the public address being dynamic, the MX uses this as the external IP address and copes with changes."

 

Thank you for your assistance in this matter. It was the lack of required functionality in the MX that created the need for an additional security appliance ahead of the MX, to do what the MX doesn't do. Otherwise, I would still be using PPPoE/PPPoA on the MX.

 

 

Robin St.Clair | Principal, Caithness Analytics | @uberseehandel
route_map
Building a reputation

This is exactly what the setup is like. I have asked the question, and it turns out that port 2 of the ISP switch/router is where you get the RFC 1918 space address.

On port 4 I have a public IP range; I can configure it manually, and it is working. Thank you.
PhilipDAth
Kind of a big deal

I've had issues with devices when using a complex PSK. If you are using a complex PSK, perhaps try a simpler one.
