MX67 Client VPN Issue Using Dynamic DNS

Solved
AaronLMathis
Comes here often

Hello all,

I am relatively new to working with Meraki, but I have successfully set up Client VPN on a Meraki MX 67 before.

I have installed an MX67 at a customer site, enabled Client VPN using these settings:

- Google Public DNS
- No WINS server
- Authentication: Meraki Cloud

I have added myself as a user that is authorized for client VPN through the Meraki dashboard.

The customer has service from two ISPs, and the firewall has been configured to use port 2 as a failover (WAN 2).

Both WAN connections have a dynamic IP address.

Neither ISP modem has been set to bridge mode, but it was my understanding that this was not necessary (and I have not done it in the past when successfully setting up client VPN on a Meraki MX 67).

I have disabled the firewall on the ISP device as well.

The public IP and the WAN 1 interface IP are the same, so I do not believe NAT is in play here.

I set up the VPN connection on my Lenovo ThinkPad running Windows 10 Pro using the guide Meraki provides (Client_VPN_OS_Configuration). Initially, I used the IP address of the active WAN connection. I have also attempted it with the hostname provided by the Meraki dashboard for dynamic DNS.

When connecting, I get the error: "The L2TP connection attempt failed because the security layer encountered a processing error"

I have encountered this issue in the past and solved it by checking the event log and using Google.

However, I am not getting *anything* in the event log on the firewall. It is as if I am not even trying to connect.

Because of this, nothing I have found on the forums is relevant (such as resolving Windows Error 789).

Am I doing something obviously wrong? What steps can I take to troubleshoot this?


6 Replies
PhilipDAth
Kind of a big deal

Have you NAT'ed through udp/500 and udp/4500 on the ISP router through to the MX on the MX's primary connection?

AaronLMathis
Comes here often

I somewhat understand what you are asking, but I am not sure how to test this. I have turned the firewall completely off within the ISP router, but I am not sure how to test connectivity on those ports.

Nash
Kind of a big deal

You're either going to need to have the ISPs port-forward 500/4500 to your Meraki device, or have them adjust their equip so the WAN IP is on your MX. AKA put it in bridge mode.

AaronLMathis
Comes here often

Yes - I port forwarded 500 and 4500 on the ISP device and things worked.

Johnie
Here to help

In the Meraki, how can I forward those ports?

AaronLMathis
Comes here often

You don't forward the ports in the Meraki, you forward them in the ISP modem/router.

This is because the data is flowing from WAN (internet) -> ISP Device -> Meraki. What you want is data on those two ports to flow from WAN -> Meraki. Therefore you need to forward them in the ISP Device.
