MX68 Client VPN

tantony
Head in the Cloud

MX68 Client VPN

I'm on my second day of using the MX68.  When I connect to Client VPN, I get this message "The L2TP connection attempt failed because the security layer encountered a processing error during the initial negotiations with the remote computer"

 

I'm using the native Windows 10 VPN client.  I'm using the correct preshared key, username and password.

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

 

Since I'm using a trial MX68, we're already using the same public IP on the Cisco 2911 router to connect to VPN.  Is that the reason?  If yes, do I need to get a different public IP for the MX?

 

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_789

14 Replies 14
MacuserJim
A model citizen

Yeah, it'll need its own IP.

jdsilva
Kind of a big deal

Or forward UDP 500 and 4500 through to the MX. 

tantony
Head in the Cloud

Do I forward from the modem or from the Cisco router?

MacuserJim
A model citizen

Is the MX sitting behind the modem or the Cisco router? If it's behind the modem then do that in the modem, if it's behind the Cisco do it in the Cisco.

PhilipDAth
Kind of a big deal
Kind of a big deal

The Client VPN is IPSec based.

It sounds like your 2911 is also running an IPSec VPN.

 

You can't forward te required ports, because it would break the VPN on the 2911.

 

This is not a workable situation.

tantony
Head in the Cloud

So the only option is to get a separate public ip for the Meraki VPN?

PhilipDAth
Kind of a big deal
Kind of a big deal

That is the best and most reliable option.

tantony
Head in the Cloud

Thanks for all of you guys help. I think getting a public is the simplest solution. 

jdsilva
Kind of a big deal


@PhilipDAth wrote:

The Client VPN is IPSec based.

It sounds like your 2911 is also running an IPSec VPN.

 

You can't forward te required ports, because it would break the VPN on the 2911.

 

This is not a workable situation.


Shoot., I missed that part. Nice catch @PhilipDAth

BrechtSchamp
Kind of a big deal

Depends on whether that's an outgoing tunnel I guess.

PhilipDAth
Kind of a big deal
Kind of a big deal

The Client VPN is always inbound.

 

As soon as you try and NAT udp/500 and udp/4500 through to the MX it would break all IPSec functionality on the 2911 - as any of those packets would get forwarded.

I'm not sure if the 2911 would even let you configure that NAT translation with IPSec configured.

BrechtSchamp
Kind of a big deal

Hmm. He didn't say the vpn on his Cisco is client vpn? In fact he didn't even say it was ipsec?

PhilipDAth
Kind of a big deal
Kind of a big deal

>Hmm. He didn't say the vpn on his Cisco is client vpn? In fact he didn't even say it was ipsec?

 

If it was an SSL VPN there would be no issues.  The most probably reason it broke (IMHO) is because it is using the same ports, meaning it is using IPSec also.  I have not idea if the 2911 is using site to site or client VPN, but if it is using IPSec, it really doesn't matter.

Only one thing can process the IPSec UDP ports at a time.

tantony
Head in the Cloud

Thanks. That will be the simplest solution
Get notified when there are additional replies to this discussion.