
MX68 Client VPN

Getting noticed


I'm on my second day of using the MX68. When I connect to Client VPN, I get this message: "The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer"

I'm using the native Windows 10 VPN client. I'm using the correct preshared key, username and password.

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

Since I'm using a trial MX68, we're already using the same public IP on the Cisco 2911 router to connect to VPN. Is that the reason? If yes, do I need to get a different public IP for the MX?

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789

14 REPLIES

A model citizen

Re: MX68 Client VPN

Yeah, it'll need its own IP.

Kind of a big deal

Re: MX68 Client VPN

Or forward UDP 500 and 4500 through to the MX. 

Getting noticed

Re: MX68 Client VPN

Thanks. That will be the simplest solution.

Getting noticed

Re: MX68 Client VPN

Do I forward from the modem or from the Cisco router?

A model citizen

Re: MX68 Client VPN

Is the MX sitting behind the modem or the Cisco router? If it's behind the modem, then do that in the modem; if it's behind the Cisco, do it in the Cisco.

Kind of a big deal

Re: MX68 Client VPN

The Client VPN is IPSec based.

It sounds like your 2911 is also running an IPSec VPN.

You can't forward the required ports, because it would break the VPN on the 2911.

This is not a workable situation.

Getting noticed

Re: MX68 Client VPN

So the only option is to get a separate public ip for the Meraki VPN?

Kind of a big deal

Re: MX68 Client VPN

That is the best and most reliable option.

Getting noticed

Re: MX68 Client VPN

Thanks for all of your help, guys. I think getting a public IP is the simplest solution.

Kind of a big deal

Re: MX68 Client VPN


@PhilipDAth wrote:

>The Client VPN is IPSec based.
>
>It sounds like your 2911 is also running an IPSec VPN.
>
>You can't forward the required ports, because it would break the VPN on the 2911.
>
>This is not a workable situation.

Shoot, I missed that part. Nice catch @PhilipDAth

Head in the Cloud

Re: MX68 Client VPN

Depends on whether that's an outgoing tunnel I guess.

Kind of a big deal

Re: MX68 Client VPN

The Client VPN is always inbound.

As soon as you try and NAT udp/500 and udp/4500 through to the MX it would break all IPSec functionality on the 2911 - as any of those packets would get forwarded.

I'm not sure if the 2911 would even let you configure that NAT translation with IPSec configured.

Head in the Cloud

Re: MX68 Client VPN

Hmm. He didn't say the VPN on his Cisco is client VPN? In fact, he didn't even say it was IPSec?

Kind of a big deal

Re: MX68 Client VPN

>Hmm. He didn't say the VPN on his Cisco is client VPN? In fact, he didn't even say it was IPSec?

If it was an SSL VPN there would be no issues. The most probable reason it broke (IMHO) is because it is using the same ports, meaning it is using IPSec also. I have no idea if the 2911 is using site to site or client VPN, but if it is using IPSec, it really doesn't matter.

Only one thing can process the IPSec UDP ports at a time.
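
Added example, not part of any reply in this thread: a small pre-change check that models the point the thread settles on, namely that UDP 500 and UDP 4500 on one public IP can only be owned by one IPSec endpoint. The addresses, owner labels and function names are constructed for illustration, and the rule that a static forward takes the packet ahead of the router's own listener is an assumption taken from the replies above.

```python
from collections import defaultdict

# IKE and IPsec NAT-T ports named in the thread (UDP 500 and UDP 4500).
IPSEC_PORTS = (("udp", 500), ("udp", 4500))

def find_conflicts(local_services, forwards):
    """Return {(public_ip, proto, port): [owners]} for sockets claimed more than once.

    local_services: (public_ip, proto, port, owner) terminated on the edge router
    forwards:       (public_ip, proto, port, inside_host) static port forwards
    """
    claims = defaultdict(list)
    for ip, proto, port, owner in local_services:
        claims[(ip, proto, port)].append(f"local:{owner}")
    for ip, proto, port, host in forwards:
        claims[(ip, proto, port)].append(f"forward:{host}")
    return {k: v for k, v in claims.items() if len(v) > 1}

def deliver(local_services, forwards, ip, proto, port):
    """Who receives an inbound packet. Assumption (from the thread): a static
    forward takes the packet before the router's own listener sees it."""
    for f_ip, f_proto, f_port, host in forwards:
        if (f_ip, f_proto, f_port) == (ip, proto, port):
            return f"forward:{host}"
    for s_ip, s_proto, s_port, owner in local_services:
        if (s_ip, s_proto, s_port) == (ip, proto, port):
            return f"local:{owner}"
    return None

# Constructed sample data; all addresses are RFC 5737 documentation ranges.
SHARED_IP, SECOND_IP, MX_INSIDE = "203.0.113.10", "203.0.113.11", "192.0.2.68"
ROUTER_IPSEC = [(SHARED_IP, p, n, "2911-ipsec") for p, n in IPSEC_PORTS]

def plan(public_ip):
    """Static forwards that would send the IPsec ports on public_ip to the MX."""
    return [(public_ip, p, n, MX_INSIDE) for p, n in IPSEC_PORTS]

if __name__ == "__main__":
    for label, ip in (("shared IP", SHARED_IP), ("second IP", SECOND_IP)):
        print(label, find_conflicts(ROUTER_IPSEC, plan(ip)) or "no conflict")
```

With the forwards on the shared IP, both IPSec ports are double-claimed and the 2911's own tunnel traffic would be delivered to the MX; with a second public IP, neither device loses its ports.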
