MX64 as a VPN server only

BGFernandes
Comes here often

I have an MX64 that I don't want to use as an internet router/connection, but I would like to use it as a VPN server behind a Linksys MR8300. The MR8300 only supports passthrough and is not VPN server capable. Can this be done, and if so, some instructions would be greatly appreciated.

Thanks

11 REPLIES
BrandonS
Kind of a big deal

Re: MX64

I think you can port forward UDP/500 and UDP/4500 to the WAN IP of your MX64 and it may work.

MarcP
Head in the Cloud

Re: MX64

As @BrandonS said this should work, yes.

BGFernandes
Comes here often

Re: MX64

Not working. I am missing something, I'm sure. The MX is now connected from the Linksys built-in switch going to the MX internet port. What am I missing here? Thanks

ww
Kind of a big deal

Re: MX64

Did you make the forwarding rules on the Linksys to the MX IP?

BGFernandes
Comes here often

Re: MX64

Yes, I took care of that. How do I stop the MX from picking up the public IP now, which shows in the summary on the appliance status?

ww
Kind of a big deal

Re: MX64

That is just the IP Meraki sees from the cloud, and the IP you use to connect the VPN session to. The IP the MX has is under the uplink section.

Do you see any VPN logging in the event log?

BGFernandes
Comes here often

Re: MX64

I have some events to analyze.  I will do that and post you back.  Thanks 

BGFernandes
Comes here often

Re: MX64

This is what the log shows:

msg: ISAKMP-SA established XXX.XXX.XXX.XXX[4500]-6.1.0.1[4500] spi:3cb7ed9bf940c327:50f9aab696cb1a33
Mar 24 15:38:59 Non-Meraki / Client VPN negotiation msg: invalid DH group 19.
Mar 24 15:38:59 Non-Meraki / Client VPN negotiation msg: invalid DH group 20.

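
Added example, not part of the original thread and not Meraki tooling: a small Python triage of event-log lines in the shape posted above, reporting whether an ISAKMP SA was established, on which UDP port, and which DH groups were logged as invalid. The function name `triage`, the sample peer address 203.0.113.10 and the DH group name table are assumptions of this example.

```python
import re

# Constructed sample shaped like the posted log; 203.0.113.10 stands in for the redacted peer.
SAMPLE = (
    "msg: ISAKMP-SA established 203.0.113.10[4500]-6.1.0.1[4500] "
    "spi:3cb7ed9bf940c327:50f9aab696cb1a33\n"
    "Mar 24 15:38:59 Non-Meraki / Client VPN negotiationmsg: invalid DH group 19.\n"
    "Mar 24 15:38:59 Non-Meraki / Client VPN negotiationmsg: invalid DH group 20.\n"
)

SA_RE = re.compile(
    r"ISAKMP-SA established (\S+?)\[(\d+)\]-(\S+?)\[(\d+)\] "
    r"spi:([0-9a-f]{16}):([0-9a-f]{16})"
)
DH_RE = re.compile(r"invalid DH group (\d+)")
# IANA IKE Diffie-Hellman group numbers (subset chosen for this example).
DH_NAMES = {14: "2048-bit MODP", 19: "256-bit ECP", 20: "384-bit ECP"}


def triage(log_text):
    """Summarise IKE phase 1 results and DH groups logged as invalid."""
    sas, groups = [], []
    for line in log_text.splitlines():
        _, found, msg = line.partition("msg:")  # text after the message tag
        if not found:
            continue
        sa = SA_RE.search(msg)
        if sa:
            a, a_port, b, b_port, spi_i, spi_r = sa.groups()
            sas.append({"endpoints": (a, b), "ports": (int(a_port), int(b_port)),
                        "spi": (spi_i, spi_r)})
        dh = DH_RE.search(msg)
        if dh and int(dh.group(1)) not in groups:
            groups.append(int(dh.group(1)))
    findings = []
    if not sas:
        findings.append("no ISAKMP-SA established: check UDP/500 and UDP/4500 "
                        "forwarding to the MX uplink IP")
    for sa in sas:
        # UDP/4500 is the port IKE moves to once NAT is detected on the path
        nat_t = " (NAT-T port)" if 4500 in sa["ports"] else ""
        findings.append("phase 1 completed on UDP/%d%s" % (sa["ports"][0], nat_t))
    for g in groups:
        findings.append("DH group %d (%s) logged as invalid"
                        % (g, DH_NAMES.get(g, "unknown")))
    return {"sas": sas, "invalid_dh_groups": groups, "findings": findings}


if __name__ == "__main__":
    print(*triage(SAMPLE)["findings"], sep="\n")
```
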
BrandonS
Kind of a big deal

Re: MX64

Have you had this working previously without the Linksys or is this the first time setting up client VPN? Did you follow Client VPN configuration for your client from here? https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

There is also a nice doc about troubleshooting client VPN you may go through (if you did not already): https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN


BGFernandes
Comes here often

Re: MX64

Was working like a champ before I put the Linksys in.

BrandonS
Kind of a big deal

Re: MX64

Try this: https://aerovisionit.co.uk/pptp-and-l2tp-port-forwarding/ It is also mentioned in the troubleshooting link I shared above. The only part I think is wrong (or at least I disagree) is needing to port forward UDP/1701. UDP/1701 is used, but outbound only and should not be opened for unsolicited inbound connections.

The reason I think you need that is because now your L2TP server is behind NAT.
