MX67 Client VPN Issue Using Dynamic DNS

Solved
AaronLMathis
Comes here often

Hello all,

I am relatively new to working with Meraki, but I have successfully set up Client VPN on a Meraki MX 67 before.

I have installed an MX67 at a customer site and enabled Client VPN using these settings:

- Google Public DNS
- No WINS server
- Authentication: Meraki Cloud

I have added myself as a user that is authorized for client VPN through the Meraki dashboard.

The customer has service from two ISPs, and the firewall has been configured to use port 2 as a failover (WAN 2).

Both WAN connections have a dynamic IP address.

Neither ISP modem has been set to bridge mode, but it was my understanding that this was not necessary (and I have not done it in the past when successfully setting up client VPN on a Meraki MX 67).

I have disabled the firewall on the ISP device as well.

The public IP and the WAN 1 interface IP are the same, so I do not believe NAT is in play here.

I set up the VPN connection on my Lenovo ThinkPad running Windows 10 Pro using the guide Meraki provides (Client_VPN_OS_Configuration). Initially, I used the IP address of the active WAN connection. I have also attempted it with the hostname provided by the Meraki dashboard for dynamic DNS.

When connecting, I get the error: "The L2TP connection attempt failed because the security layer encountered a processing error"

I have encountered this issue in the past and solved it by checking the event log and using Google.

However, I am not getting *anything* in the event log on the firewall. It is as if I am not even trying to connect.

Because of this, nothing I have found on the forums is relevant (such as resolving Windows Error 789).

Am I doing something obviously wrong? What steps can I take to troubleshoot this?

1 Accepted Solution
Nash
Kind of a big deal

You're either going to need to have the ISPs port-forward 500/4500 to your Meraki device, or have them adjust their equip so the WAN IP is on your MX. AKA put it in bridge mode.

6 Replies
PhilipDAth
Kind of a big deal

Have you NAT'ed through udp/500 and udp/4500 on the ISP router through to the MX on the MX's primary connection?

AaronLMathis
Comes here often

I somewhat understand what you are asking, but I am not sure how to test this. I have turned the firewall completely off within the ISP router, but I am not sure how to test connectivity on those ports.
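
An added check for the question of how to test those ports (example code, not from the thread or from Meraki): it sends one IKEv1 Main Mode proposal to udp/500 on the public address and reports whether the MX replies, which is the first thing a missing forward on the ISP router would break. The cipher proposals (AES-256 and 3DES with SHA1, DH group 2, PSK) are assumed to match what the MX accepts; a reply proves the path, while no reply is inconclusive, and udp/4500 is not probed because it only carries traffic once NAT-T has been negotiated.

```python
import os
import socket
import struct

def _attr(atype, value):
    # ISAKMP "basic" attribute: type with high bit set, 2-byte value
    return struct.pack("!HH", 0x8000 | atype, value)

def _transform(number, enc_alg, key_len, last):
    # KEY_IKE transform: encryption alg, SHA1 hash, PSK auth, DH group 2 (+ key length)
    attrs = _attr(1, enc_alg) + _attr(2, 2) + _attr(3, 1) + _attr(4, 2)
    if key_len:
        attrs += _attr(14, key_len)
    body = struct.pack("!BBBB", number, 1, 0, 0) + attrs
    return struct.pack("!BBH", 0 if last else 3, 0, 4 + len(body)) + body

def build_ike_main_mode_probe(initiator_spi=None):
    """ISAKMP Main Mode message 1 (HDR, SA); proposals are assumed Windows-style ciphers."""
    spi = initiator_spi or os.urandom(8)
    transforms = _transform(1, 7, 256, False) + _transform(2, 5, 0, True)  # AES-256, 3DES
    prop_body = struct.pack("!BBBB", 1, 1, 0, 2) + transforms  # proposal 1, proto ISAKMP, no SPI
    proposal = struct.pack("!BBH", 0, 0, 4 + len(prop_body)) + prop_body
    sa_body = struct.pack("!II", 1, 1) + proposal  # DOI IPsec, SIT_IDENTITY_ONLY
    sa = struct.pack("!BBH", 0, 0, 4 + len(sa_body)) + sa_body
    # header: I-SPI, R-SPI=0, next payload SA, version 1.0, exchange 2 (Main Mode), flags, msg id, length
    header = spi + bytes(8) + struct.pack("!BBBBII", 1, 0x10, 2, 0, 0, 28 + len(sa))
    return header + sa

def parse_ike_header(data):
    """Return (initiator_spi, responder_spi, exchange_type, length), or None if not ISAKMP."""
    if len(data) < 28:
        return None
    ispi, rspi, _np, ver, xchg, _flags, _mid, length = struct.unpack("!8s8sBBBBII", data[:28])
    if ver >> 4 != 1 or length != len(data):
        return None
    return ispi, rspi, xchg, length

def probe_ike(host, timeout=3.0):
    """True if host answers udp/500 with an ISAKMP message carrying our SPI.
    No reply is inconclusive: the forward may be missing, or the proposal silently dropped."""
    msg = build_ike_main_mode_probe()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, (host, 500))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False
    hdr = parse_ike_header(data)
    return hdr is not None and hdr[0] == msg[:8]
```

Run `probe_ike()` from outside the customer network against the WAN 1 address or the dynamic DNS hostname from the dashboard, before and after the ISP device forward is added.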

Nash
Kind of a big deal

You're either going to need to have the ISPs port-forward 500/4500 to your Meraki device, or have them adjust their equip so the WAN IP is on your MX. AKA put it in bridge mode.

AaronLMathis
Comes here often

Yes - I port forwarded 500 and 4500 on the ISP device and things worked.

Johnie
Here to help

In the Meraki, how can I forward those ports?

AaronLMathis
Comes here often

You don't forward the ports in the Meraki, you forward them in the ISP modem/router.

This is because the data is flowing from WAN (internet) -> ISP Device -> Meraki. What you want is data on those two ports to flow from WAN -> Meraki. Therefore you need to forward them in the ISP Device.
