We are in the process of upgrading to MX75 Firewalls and while testing the remote access VPN connections we have found that Windows 10 clients will establish a VPN connection, but Windows 11 clients will receive the error "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations." I've used the settings in the screenshot below and on the Windows 11 PC I've tried Routing and Remote Access service and set to automatically start, but I still get the same error.
Has anyone experienced this and knows of a workaround other than buying the AnyConnect licenses?
This is the solution that worked for me:
Enable the Routing and Remote Access service and set to automatically start
Enable the IPSec Policy Agent service and set to automatically start
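The two service changes from the post above, written as a PowerShell script. This is an added example and not part of the original post; it assumes an elevated prompt and uses the Windows short service names RemoteAccess (Routing and Remote Access) and PolicyAgent (IPsec Policy Agent).

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the two service settings named in the post.
# Short service names for the display names used in the thread:
#   RemoteAccess = "Routing and Remote Access"
#   PolicyAgent  = "IPsec Policy Agent"
$services = 'RemoteAccess', 'PolicyAgent'

$report = foreach ($name in $services) {
    # Record the state before changing anything, so the change is auditable.
    $before = Get-Service -Name $name -ErrorAction Stop
    $startTypeBefore = $before.StartType
    $statusBefore    = $before.Status

    # A Disabled service cannot be started, so fix the start type first.
    if ($startTypeBefore -ne 'Automatic') {
        Set-Service -Name $name -StartupType Automatic
    }
    if ($statusBefore -ne 'Running') {
        Start-Service -Name $name
    }

    # Re-query instead of trusting the cached object.
    $after = Get-Service -Name $name
    [pscustomobject]@{
        Service         = $after.DisplayName
        StartTypeBefore = $startTypeBefore
        StartTypeAfter  = $after.StartType
        StatusBefore    = $statusBefore
        StatusAfter     = $after.Status
    }
}

$report | Format-Table -AutoSize

# Fail loudly if either service did not end up Automatic and Running.
$notReady = $report | Where-Object {
    $_.StartTypeAfter -ne 'Automatic' -or $_.StatusAfter -ne 'Running'
}
if ($notReady) {
    Write-Warning ("Not ready: " + ($notReady.Service -join ', '))
    exit 1
}
```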
You don't need to buy the AnyConnect license; it's recommended if you want to have Meraki support, but you can use it without buying a license.
That is not strictly correct.
You require a Secure Client AnyConnect licence for every user. It is an honesty licence, so it is not enforced. I imagine if the abuse gets too much, it will become enforced.
So the product Meraki sold us doesn't work, so their solution is to pay an additional license fee? I don't feel that that is acceptable or ethical business practice.
I have given you the free options to try ...
Cisco Secure AnyConnect is better in every way (except price) than Microsoft VPN. You don't have to use it - but it has so many benefits pretty much everyone does.
Yes, but the documentation is very clear that it will not stop working. The correct thing is to have the license, but the MX has no limitations.
Check the troubleshooting documentation.
This may be related to the MX75's firmware version. Perhaps try upgrading or downgrading. I would be most tempted to test 18.107.8 or 18.208 (18.208 seems to have been issued with 1:1 NAT, though).
You can try using my wizard to generate a PowerShell script to configure the VPN. It also configures a couple of registry entries that aid in compatibility.
https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html
Taking a step back and looking at the big picture, I would personally change to using Cisco Secure Client AnyConnect. It is better in every way (except price).
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance
Take a look at this article: https://community.meraki.com/t5/Security-SD-WAN/Connecting-to-VPN-from-Windows-11/m-p/173543
Microsoft took away some of the settings in the native Windows 11 VPN client that were present in the Windows 10 VPN client. But if you run the rasphone.exe program, you can set the additional configuration items that are needed to connect to an MX from Windows 11. I have customers that are connecting to MX appliances from Windows 11 computers using the native VPN client every day and it works fine.