Meraki client VPN with RADIUS auth over site-to-site VPN

Groucho711

I am trying to set up Meraki client VPN on one of our MXs for a site in London. This was set up and working before, but that was when we had a P2P connection back to our Colo. When the P2P was in place I just used the IP on the MX for that P2P connection and everything worked great! But the office moved and we did not order a new P2P due to the small amount of traffic going across that connection. We replaced it with a site-to-site VPN to our Colo, and the VPN works great. But trying to get the RADIUS authentication working with this setup is proving difficult.

I have read that the IP address of the highest-numbered VLAN should be used in the RADIUS client configuration. With that in mind I am using the IP address for VLAN 999 in the NPS server RADIUS client entry for this MX. When I set up the VPN on a Windows 10 PC, I get prompted for user/pass, but when I enter that information and press Enter, I get an error shortly after stating "The connection was terminated by the remote computer before it could be completed".

From the MX, I am able to ping the RADIUS server over VLAN 999. I can also ping VLAN 999 on the MX from the RADIUS server. Doing a packet capture on the MX during testing, I can see the traffic from my PC hitting the MX, but I don't see any traffic from the MX reaching out to the RADIUS server. Also, looking at the logs on the RADIUS server, I don't see any authentication attempt for that client VPN from the MX. I am sure it is a simple step I am overlooking, but so far I am not figuring it out.

 

ww

Is VLAN 999 selected to be in the VPN?

Yes, VLAN 999 is in VPN.

Groucho711

Additional update - for a test I decided to use Meraki Authentication, and that resulted in the same error on the client side. But I was able to see these events in the Meraki event log:

 

Mar 23 20:18:47 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|47053> deleting IKE_SA l2tp-over-ipsec-1[47053] between MX Pub IP[MX Pub IP]...Home Pub IP[Home Priv IP]
Mar 23 20:18:47 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|47053> closing CHILD_SA net-1{52} with SPIs cc16b166(inbound) (801 bytes) 89788838(outbound) (919 bytes) and TS MX Pub IP/32[udp/l2f] === Home Pub IP/32[udp/l2f]
Mar 23 20:18:28 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|47053> CHILD_SA net-1{52} established with SPIs cc16b166(inbound) 89788838(outbound) and TS MX Pub IP/32[udp/l2f] === Home Pub IP/32[udp/l2f]
Mar 23 20:18:27 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|47053> IKE_SA l2tp-over-ipsec-1[47053] established between MX Pub IP[MX Pub IP]...Home Pub IP[Home Priv IP]

Also, I am running MX firmware version 15.42. I am wondering if this could be an issue with the 15.x firmware. I know it worked when I was on the 14.x firmware, but I needed to upgrade to 15 so I could have IKEv2 for a VPN configuration.

Bruce

Are you able to see what errors you are getting on the client? Maybe this is something more to do with the negotiation of the encryption parameters between the client and the MX failing?

 

 

I ended up going into the adapter settings for the VPN connection, under the Security tab, selecting the radio button "Allow these protocols", and finally checking PAP. That change allowed the VPN to connect using Meraki Authentication. Once I changed it over to RADIUS, I started getting IAS_AUTH_FAILURE on the RADIUS server. So at least I know it is talking to the RADIUS server now. I just need to figure out why the RADIUS authentication is failing.
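The post above shows the two moving parts: the Windows client has to offer PAP (the MX relays the PPP credentials to RADIUS as a User-Password attribute), and NPS only answers a request whose source address matches a configured RADIUS client and whose shared secret checks out. The following is an added example, not code from the thread, from Meraki or from Microsoft: a small Python RADIUS/PAP probe that builds the same kind of Access-Request the MX sends (PAP-hidden password per RFC 2865, NAS-IP-Address, Message-Authenticator per RFC 2869), validates the Response Authenticator on the reply, and classifies the outcome. Run it from a host that holds the VLAN address configured in the NPS client entry; a silent timeout versus an Access-Reject separates "NPS never saw it" from "NPS saw it and refused", which is exactly the distinction the thread is chasing. The NPS address, shared secret, user, password and the VLAN 999 address in the block are hypothetical placeholders.

```python
# Added example, not from the thread: a RADIUS/PAP probe shaped like the MX's Access-Request,
# for testing the NPS client entry from the MX's VLAN address without involving the MX.
import hashlib, hmac, os, socket, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
FRAMED_PROTOCOL, MESSAGE_AUTHENTICATOR = 7, 80

def pap_hide(password, secret, authenticator):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_reveal(hidden, secret, authenticator):
    # server side; with the wrong shared secret this yields garbage, so the password never matches
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def _attr(kind, value):
    return struct.pack("!BB", kind, len(value) + 2) + value

def build_access_request(username, password, secret, nas_ip, ident=1, authenticator=None, message_auth=True):
    ra = authenticator or os.urandom(16)                      # Request Authenticator, 16 random octets
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, pap_hide(password.encode(), secret, ra))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))  # the address NPS lists as the client
             + _attr(SERVICE_TYPE, struct.pack("!I", 2))         # Framed-User
             + _attr(FRAMED_PROTOCOL, struct.pack("!I", 1)))     # PPP, as carried inside L2TP
    if message_auth:  # RFC 2869 5.14: HMAC-MD5(secret, packet with the M-A value zeroed)
        attrs += _attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest() if message_auth else pkt

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        kind, alen = pkt[pos], pkt[pos + 1]
        attrs.setdefault(kind, []).append(pkt[pos + 2:pos + alen])
        pos += alen
    return code, ident, pkt[4:20], attrs

def verify_message_authenticator(pkt, secret):
    length, pos = struct.unpack("!H", pkt[2:4])[0], 20
    while pos + 2 <= length:
        kind, alen = pkt[pos], max(pkt[pos + 1], 2)
        if kind == MESSAGE_AUTHENTICATOR and alen == 18:
            zeroed = pkt[:pos + 2] + b"\x00" * 16 + pkt[pos + 18:length]
            return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), pkt[pos + 2:pos + 18])
        pos += alen
    return False

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    # server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + request_authenticator + attrs + secret).digest() + attrs

def verify_response(resp, request, secret):
    if len(resp) < 20 or resp[1] != request[1]:
        return False
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:length] + secret).digest()
    return hmac.compare_digest(resp[4:20], expected)

def probe(server, secret, username, password, nas_ip, timeout=3.0):
    # Send from nas_ip (must be a local address). A server silently drops a request whose
    # Message-Authenticator fails, so try with it first and without it second: a reply only on
    # the second try that then fails verify_response points at the shared secret.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((nas_ip, 0))
        s.settimeout(timeout)
        for ident, with_ma in ((1, True), (2, False)):
            req = build_access_request(username, password, secret, nas_ip, ident, None, with_ma)
            s.sendto(req, (server, 1812))
            try:
                resp, _ = s.recvfrom(4096)
                break
            except socket.timeout:
                continue
        else:
            return "TIMEOUT: no reply; nas_ip is not a RADIUS client on the server, UDP/1812 is blocked, or the server discards bad-secret requests"
    if not verify_response(resp, req, secret):
        return "SHARED SECRET MISMATCH: reply failed the Response Authenticator check"
    return {ACCESS_ACCEPT: "ACCEPT", ACCESS_REJECT: "REJECT: server reached; check policy, PAP, user"}.get(
        resp[0], f"unexpected code {resp[0]}")

if __name__ == "__main__":
    # Hypothetical NPS address, shared secret, credentials and MX VLAN 999 address; substitute your own.
    print(probe("10.0.0.5", b"shared-secret", "testuser", "Passw0rd!", "10.99.99.1"))
```

The bind to the NAS address matters: NPS matches the UDP source address against its RADIUS client list, so a probe sent from the wrong interface reproduces the "no attempt logged" symptom even when routing is fine. The PAP hiding is MD5-keystream XOR, which is why the shared secret and a transport that protects it (the site-to-site tunnel here) carry the whole weight of that exchange.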

Did you ever figure this out?

 

You wouldn't happen to have a site-to-site VPN connected as well, would you? I am running into the exact same issue that you have. However, I have a site-to-site VPN connected, and found that when I disable VPN availability for all the VLANs I configured it for, I'm able to make the client VPN connection. Same goes for when I just take the site-to-site VPN down. I'm probably going to have to call support to help figure out why this is the case.
