Thanks for your quick reply, 

it's running of 4G as the only uplink, and it's using the integrated sim slot in the Meraki MX68CW.

The steps that I did: (i am using MacOS)

1- enable Client-VPN on the dashboard
2- 

3- Create the VPN following up the Step-to-step instructions for mac on the Meraki website.

4- that what I get when I try to connect:


Keep in mind that on the Appliance status > uplink  the public IP is different the ip on the cellular.

Tihs is almost certainly an issue with your cellular carrier filtering inboud traffic to you.

With any luck you carrier will offer an APN where they do not do this.  If you Google the name of your carrier and terms like "L2TP" or "VPN" and "APN" you might be able to find this.

Once you have an APN you can use you'll need to open a support case and ask them to configure the MX68 to use that APN.

You are a legend with your quick reply any both topics I posted so far!! 



as far as I know, that was already done, the APN was already changed by default, I didn't even have to change it manually.

am i missing something still ?

Just use AnyConnect. 

I ran into a similar issue recently (cell wouldn't work, but it worked fine with a laptop) so I just had him download the AnyConnect client and it worked perfectly right out of the gate. 

Hi mate thanks for response.  

Just to clarify though, AnyConnect I presume is still going to require inbound 443 connections to the Meraki MX which from my understanding is an issue for this scenario as it is using a 4G Cellular only connection.  Is that correct? 

I'm not sure if there is something additional required to enable a specific APN(telstra.extranet) in the Meraki MX to enable it connect to this specific APN and then see these inbound connections. 

I think by default, on the ISP side(Telstra), they filter inbound connections on udp/500, udp/4500 or even tcp/443 for standard 4G services.

Philip earlier in this thread has mention Meraki May have to do something to enable a different APN on the MX...  "Once you have an APN you can use you'll need to open a support case and ask them to configure the MX68 to use that APN."

Cheers

If they are blocking 443, you can put it on another port, it's configurable. I'd give it a shot, it's more apt to work than L2TP. 

Good point on the NAT, I can see a 10.10---- in his screenshot where he edited out the cellular IP address. 

Yes, sometimes cell service can be really wild. I had an MX using cell service that was double Natting + changing the public IP randomly (about 2-3 per day). You may check with the cell provider if they have something that can do port forwarding or something similar. It would be great, but I am not sure if it is possible. 

Yes I think this is the case also.  I have done caps and yes I came to this conclusion and that's what lead me to this forum thread.  The image shared by the other forum user is very similar to what I see in the Uplink status page on Dashboard. WAN Interface has public IP and Cellular Interface has 10.x.x.x IP.  My conclusion is CGNAT is in use and likely filtering inbound traffic.

This is why I arranged to move the 4G SIM to the telstra.extranet APN.  I updated editable section for APN(is this just a tag?) to be telstra.extranet but as I mentioned earlier, is there something else that need to be done by Meraki to make the MX connect to this alternate APN ??

Cheers guys for you responses

 

Based on one of the earlier posts, it sounds like yes, there needs to be a config change by support so that it actually uses that APN in practice. 

You will have to work with your carrier to see if they have a solution to bypass the GC-NAT and let the MX obtain its own public IP. Or, if they can do manual port-forward, to send all the traffic for UDP port 500/4500 to the MX.

Looks like he will have to contact Telstra and have them add a data code to his SIM, as I found this:

You are quite welcome!