Meraki MX 80 behind Firewall: No vpn for Windows Clients

Solved
MiBob
Comes here often

Dear community,

we are currently changing the network infrastructure at a customer location. One of the first steps was to put the existing Meraki MX 80 behind a new pfSense firewall. Everything is working fine except connecting from outside Windows machines to the Meraki IPsec VPN gate. Macs running on the same network as the Windows machines did connect within 2-3 seconds, iPhones, Androids, no problems, just the Windows 7, 8, 10 boxes telling that the VPN server does not respond. On the other hand, ping from the Windows box to the Meraki does work. Meraki dashboard also shows no existing problems.

The public fixed IP previously assigned to the Meraki is now configured on the firewall. There are NAT entries for the ports tcp/udp 500 and 4500 to be sent to the Meraki and a 1:1 outbound NAT so that everything coming from the Meraki will be sent through its old public IP.

It looks like I am missing the point but I could not find the right clue. Maybe someone on the board can send me in the right direction.

Best regards,

Mike Bobkiewicz

1 Accepted Solution
MRCUR
Kind of a big deal

9 Replies
Adam
Kind of a big deal

If the Mac, Android and iPhones connect to the VPN properly but the Windows machines don't I'd start by verifying the client VPN configuration on the Windows machines. Seems possible that a common element needs to be corrected on those.
Adam R MS | CISSP, CISM, VCP, MCITP, CCNP, ITILv3, CMNO
MiBob
Comes here often

That is the thing that puzzles me: before the Meraki was set behind the firewall the same Windows clients could connect to the box. After the problem popped up I did a clean install of a Win 10 Pro at a remote location and followed the Meraki documentation step by step to configure the L2TP connection. Does not work, iPhone on the WLAN of that location just logged in.
MRCUR
Kind of a big deal

@MiBob You may need to make the registry change found here: https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t...

MRCUR | CMNO #12
MiBob
Comes here often

This help document seems to be for Windows Vista / w2k8 L2TP servers. None of these systems are involved and the Meraki is the VPN server.

Best regards,

Mike

MRCUR
Kind of a big deal

@MiBob It still applies. See here: https://justworks.ca/blog/what-happened-to-my-vpns-on-windows-72008r2

MRCUR | CMNO #12
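The registry change referenced in the replies above, as an added PowerShell example that is not part of the original thread. The registry path and value name are the ones documented in Microsoft KB 926179 for Windows Vista and later; the function names are hypothetical, and choosing value 2 assumes the Windows client may itself sit behind NAT.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit and set the Windows NAT-T policy
# that controls whether the built-in L2TP/IPsec client will negotiate with a
# VPN server located behind a NAT device (here: the MX behind the pfSense).
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$Name = 'AssumeUDPEncapsulationContextOnSendRule'

# Meaning of each value per Microsoft KB 926179.
$Meaning = @{
    0 = 'default: no security associations with servers behind NAT'
    1 = 'allow security associations with servers behind NAT'
    2 = 'allow when both the server and this client are behind NAT'
}

# Hypothetical helper: returns the effective setting (absent value = 0).
function Get-NatTPolicy {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$Name
}

# Hypothetical helper: sets the value only if it differs; supports -WhatIf.
function Set-NatTPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 2)][int]$Value = 2)

    $current = Get-NatTPolicy
    Write-Output "Current: $current ($($Meaning[$current]))"
    if ($current -eq $Value) {
        Write-Output 'No change needed.'
        return
    }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set DWORD to $Value")) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord `
            -Value $Value -Force | Out-Null
        Write-Output "New: $Value ($($Meaning[$Value]))"
        Write-Output 'Restart Windows for the change to take effect.'
    }
}

# Dry run first, then apply:
#   Set-NatTPolicy -WhatIf
#   Set-NatTPolicy
```

The default of 0 is a deliberate restriction in Windows, so record which machines had it relaxed and why when rolling this out to clients.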
MiBob
Comes here often

Thank you very much for the clarification! I will give it a try tomorrow afternoon and report back if it works.

Best regards,

Mike

MiBob
Comes here often

Thank you so much! Works on my clean Win 10 Pro box. I will roll it out to my clients so they can check it on their older systems. When I run into some other problems I will come back, till then assume the problem as solved.

Best regards,

Mike

PhilipDAth
Kind of a big deal

Is there any chance that pfSense has some kind of VPN support on it (such as IPSec/PPTP, etc) and Windows is attempting some other kind of VPN before L2TP and getting a response from pfSense which is causing the issue?  I would try and make sure all types of VPN are disabled on pfSense.

MiBob
Comes here often

No, there are no additional VPN services on the pfSense configured and running. All VPN accounts are handled by the Meraki cloud.

Best regards,

Mike
