MX75 Windows Remote Access VPN Client won't connect from Windows 11 PC using the Documented Settin

Solved
MichaelAdcock
Conversationalist


We are in the process of upgrading to MX75 firewalls, and while testing the remote access VPN connections we have found that Windows 10 clients will establish a VPN connection, but Windows 11 clients receive the error "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations." I've used the settings in the screenshot below, and on the Windows 11 PC I've tried enabling the Routing and Remote Access service and setting it to start automatically, but I still get the same error.

[screenshot of the VPN connection settings]

Has anyone experienced this and know of a workaround other than buying the AnyConnect licenses?

1 Accepted Solution
MichaelAdcock
Conversationalist

This is the solution that worked for me:

Enable the Routing and Remote Access service and set it to start automatically.

Enable the IPsec Policy Agent service and set it to start automatically.

  1. Launch Registry Editor with admin rights.
  2. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  4. Paste AssumeUDPEncapsulationContextOnSendRule as the value name.
  5. Right-click AssumeUDPEncapsulationContextOnSendRule and choose Modify.
  6. At Value data, type 2.
  7. Set Base to Hexadecimal.
  8. Click OK.
  9. Go to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan
  10. Open the Edit menu > New submenu and click DWORD (32-bit) Value.
  11. Paste ProhibitIpSec as the value name.
  12. Right-click ProhibitIpSec and choose Modify.
  13. At Value data, type 0.
  14. Set Base to Hexadecimal.
  15. Click OK.
  16. Restart the PC.

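The accepted solution above is a manual procedure. As an added example (not from the thread or from Meraki), the same two service changes and two registry values can be applied from an elevated PowerShell prompt in an idempotent way that reports what it changed, which makes it easier to confirm the end state on a fleet of Windows 11 clients. The service names RemoteAccess and PolicyAgent are the internal names behind "Routing and Remote Access" and "IPsec Policy Agent"; the value meanings in the comments follow Microsoft's documentation for those keys and are the only assumptions beyond the steps in the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. Applies the accepted solution's
# steps and shows the resulting state. A reboot is still needed afterwards.

$ErrorActionPreference = 'Stop'

# Steps 1 and 2: the two services the built-in L2TP/IPsec client relies on.
foreach ($svc in 'RemoteAccess', 'PolicyAgent') {
    Set-Service -Name $svc -StartupType Automatic
    if ((Get-Service -Name $svc).Status -ne 'Running') {
        Start-Service -Name $svc
    }
    $state = Get-Service -Name $svc
    Write-Host ("{0}: {1}, startup type {2}" -f $svc, $state.Status, $state.StartType)
}

# Registry values from the accepted solution (both REG_DWORD).
$settings = @(
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
       Name  = 'AssumeUDPEncapsulationContextOnSendRule'
       Value = 2 }   # 2 = allow NAT-T when client and/or server sit behind NAT
    @{ Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan'
       Name  = 'ProhibitIpSec'
       Value = 0 }   # 0 = keep the automatic L2TP/IPsec policy enabled (1 disables it)
)

foreach ($s in $settings) {
    $current = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($current -eq $s.Value) {
        Write-Host "$($s.Name) already $($s.Value); no change"
        continue
    }
    # -Force overwrites an existing value of any type with the DWORD we want.
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    Write-Host "$($s.Name): $current -> $($s.Value)"
}

Write-Host 'Done. Restart the PC so the PolicyAgent change takes effect.'
```

Neither value weakens the IPsec ciphers negotiated with the MX; AssumeUDPEncapsulationContextOnSendRule only tells the Windows IPsec stack to accept UDP-encapsulated (NAT-T) traffic when a NAT sits in the path, and ProhibitIpSec=0 is the Windows default, so the script is mainly a way to make sure nothing else has set it to 1.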

alemabrahao
Kind of a big deal

You don't need to buy the AnyConnect license; it's recommended if you want Meraki support, but you can use it without buying a license.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal

That is not strictly correct.


You require a Secure Client AnyConnect licence for every user.  It is an honesty licence, so it is not enforced.  I imagine if the abuse gets too much, it will become enforced.

MichaelAdcock
Conversationalist

So the product Meraki sold us doesn't work, so their solution is to pay an additional license fee? I don't feel that that is acceptable or ethical business practice.

PhilipDAth
Kind of a big deal

I have given you the free options to try ...


Cisco Secure AnyConnect is better in every way (except price) than Microsoft VPN.  You don't have to use it - but it has so many benefits pretty much everyone does.

alemabrahao
Kind of a big deal

Yes, but the documentation is very clear that it will not stop working. The correct thing is to have the license, but the MX has no limitations.

alemabrahao
Kind of a big deal

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance/AnyConnect_Licensing_o...

alemabrahao
Kind of a big deal

Check the troubleshooting documentation.

https://documentation.meraki.com/MX/Client_VPN/Guided_Client_VPN_Troubleshooting/Unable_to_Connect_t...

PhilipDAth
Kind of a big deal

This may be related to the MX75's firmware version. Perhaps try upgrading or downgrading. I would be most tempted to test 18.107.8 or 18.208 (18.208 seems to have been issued with 1:1 NAT, though).


You can try using my wizard to generate a PowerShell script to configure the VPN. It also configures a couple of registry entries that aid in compatibility.

https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

Taking a step back and looking at the big picture, I would personally change to using Cisco Secure Client AnyConnect.  It is better in every way (except price).

https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance

jbright
A model citizen

Take a look at this article: https://community.meraki.com/t5/Security-SD-WAN/Connecting-to-VPN-from-Windows-11/m-p/173543

Microsoft took away some of the settings in the native Windows 11 VPN client that were present in the Windows 10 VPN client. But if you run the rasphone.exe program, you can set the additional configuration items that are needed to connect to an MX from Windows 11. I have customers that are connecting to MX appliances from Windows 11 computers using the native VPN client every day and it works fine.
