Meraki

Community

MX 15.34 beta client VPN

MIS-Schuyler
Conversationalist
‎Aug 20 2020 9:04 AM
‎Aug 20 2020 9:04 AM

MX 15.34 beta client VPN

We upgraded an MX64 to the 15.34 beta to test out the new IKEv2 and improved crypto support for site-to-site VPNs, but have run into issues with the client VPN on this version. No Windows 10 (1909 and 2004) clients appear to be able to connect to the client VPN using the traditional L2TP-PSK/IPsec setup for Meraki. When trying to connect, the UI displays the error:

 

The L2TP  connection attempt failed because the security layer could not negotiate compatible parameters with the remote computer.

 

In the event log, RasClient logs error 788.

 

I assume the updated crypto has something to do with it, especially as this error indicates that no compatible crypto suites were negotiated. Am I missing something, or is this a known issue with the beta firmware?

5 Replies 5
MIS-Schuyler
Conversationalist
‎Aug 25 2020 5:27 AM
‎Aug 25 2020 5:27 AM

I've now verified this behavior on another MX64, so it doesn't seem to be unique to this network.

0 Kudos
In response to MIS-Schuyler
RobertFerguson
Conversationalist
‎Aug 25 2020 1:23 PM
‎Aug 25 2020 1:23 PM

We have an MX100 on 15.34 for IKEv2.  We started experiancing the same issue where 2 client VPN users on the same network attempting to logon to the client VPN on the MX100.   We have an MX84 on the latest stable release of version 14 where this is not a problem.

0 Kudos
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Aug 25 2020 1:37 PM
‎Aug 25 2020 1:37 PM

Perhaps the MX is now forcing IKEv2 on the clientVPN too with ciphers your windows client doesn’t want to negotiate. A packet capture on ports 500 and 4500 on your WAN interface will show some details.

0 Kudos
In response to GIdenJoe
RobertFerguson
Conversationalist
‎Aug 28 2020 7:59 AM
‎Aug 28 2020 7:59 AM

Thank you - I've opened a ticket with support.  I will update this string when I have a reply.  According to the packet captures, they can see the second request reaching the MX but not leaving the MX to go to the radius server.   More later.

0 Kudos
In response to RobertFerguson
GIdenJoe
Kind of a big deal
Kind of a big deal
‎Aug 29 2020 11:10 PM
‎Aug 29 2020 11:10 PM

I'm pretty sure you can change the cipher options in windows.
I'd have to google it though 🙂

 

Edit: There was a graphical tool to use for all your VPN's however you can add a single VPN with powershell to use a specific ciphersuite.

 

Add-VpnConnection -Name "MyVPN" -ServerAddress <VPN_WAN_IP> -TunnelType "L2tp" Set-VpnConnectionIPsecConfiguration -ConnectionName "MyVPN" -AuthenticationTransformConstants SHA196 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -PfsGroup ECP256 -DHGroup Group14

This still needs the psk switch but you get the point.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.