MX64 as a VPN server only

BGFernandes
Comes here often

MX64 as a VPN server only

I have an MX64 that I don't want to use as an internet router/connection but I would like to use it as a VPN server behind a Linksys MR8300. The Mr8300 only supports passthrough not VPN server capable. Can this be done and if so some instruction would be greatly appreciated.

 

Thanks

11 REPLIES 11
BrandonS
Kind of a big deal

I think you can port forward UDP/500 and UDP/4500 to the WAN IP of your MX64 and it may work.

 

 

- Ex community all-star (⌐⊙_⊙)
MarcP
Kind of a big deal

As @BrandonS said this should work, yes.

Not working.  I am missing something I'm sure.  The MX is now connected from the linksys builtin switch going to the MX internet port.  What am I missing here?  Thanks

ww
Kind of a big deal
Kind of a big deal

Did you make the forwarding rules on the linksys to the mx ip?

BGFernandes
Comes here often

Yes I took care of that.  How do I stop the MX from picking up the Public IP now which shows in the summary on the appliance status.

ww
Kind of a big deal
Kind of a big deal

That is just the ip meraki see from the cloud, and the ip you use to connect the vpn session to. The ip the mx has is under the uplink section.

 You see any vpn logging in the event log? 

BGFernandes
Comes here often

I have some events to analyze.  I will do that and post you back.  Thanks 

BGFernandes
Comes here often

This is what the log shows.....

 

msg: ISAKMP-SA established XXX.XXX.XXX.XXX[4500]-6.1.0.1[4500] spi:3cb7ed9bf940c327:50f9aab696cb1a33
Mar 24 15:38:59 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.
Mar 24 15:38:59 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.

Have you had this working previously without the Linksys or is this the first time setting up client VPN?  Did you follow Client VPN configuration for your client from here? https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

 

There is also a nice doc about troubleshooting client VPN you may go through (if you did not already): https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN

 

 

 

 

- Ex community all-star (⌐⊙_⊙)

Was working like a champ before I put in the link sys in

Try this: https://aerovisionit.co.uk/pptp-and-l2tp-port-forwarding/ It is also mentioned in the troubleshooting link I shared above.  The only part I think is wrong (or at least I disagree) is needing to port forward UDP/1701.  UDP/1701 is used, but outbound only and should not be opened for unsolicited inbound connections.  

 

The reason I think you need that is because now your L2TP server is behind NAT.

- Ex community all-star (⌐⊙_⊙)
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels