Starlink and Meraki client VPN

C_Cline
Conversationalist


I have recently installed a Starlink business dish at one of our sites utilizing a Meraki MX100. Everything seems to work fine when switching over to the Starlink uplink except the client VPN feature. When trying to connect, we get "Server could not be reached" within Secure Client. With Starlink leveraging a CGNAT, we believe this is where the failure is occurring but aren't too sure why or how to correct the problem. Tried port forwarding on the Meraki and Manual NAT-T with the same results.

Wanted to reach out here to see if anyone has experienced this issue and had any recommendations on how to correct it.

Thanks!

8 Replies
alemabrahao
Kind of a big deal

As far as I know, Client VPN does not work with CGNAT.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

MX-Z Security Appliance

Please see the following link to configure the MX-Z for Client VPN. If the MX-Z sits behind another NAT device or firewall, please make sure that the following UDP ports are forwarded/allowed to the MX-Z:

  • UDP 500 (IKE) 
  • UDP 4500 (IPSec NAT-T)

Note: Since the MX is the device communicating from UDP 500/4500, those ports need to be forwarded on any devices upstream of the MX, not on the MX itself.

https://documentation.meraki.com/MX/Client_VPN/Troubleshooting_Client_VPN

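The point in the reply above is that the forward has to live on whatever device holds the outer NAT, and with a carrier-grade NAT that device is the ISP's, not yours. The following is an added example, not code from the thread or from Meraki: it classifies the WAN address the MX actually gets (RFC 6598 shared space 100.64.0.0/10 for CGNAT, RFC 1918 for a customer NAT, anything global for a real public IP) and derives which UDP 500/4500 forwards, if any, are actionable. The sample addresses are constructed; the function and variable names are the example's own.

```python
import ipaddress
from enum import Enum

# RFC 6598 shared address space: what an ISP hands out behind carrier-grade NAT.
CGNAT_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 ranges: what the MX sees when it sits behind a customer-owned NAT device.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Inbound UDP ports the Meraki Client VPN (IKE / IPsec NAT-T) needs to reach the MX.
CLIENT_VPN_UDP_PORTS = (500, 4500)


class Uplink(Enum):
    PUBLIC = "public"            # MX holds a globally routable address; no forward needed
    CGNAT = "cgnat"              # outer NAT belongs to the carrier; nothing you control can forward
    PRIVATE_NAT = "private_nat"  # outer NAT is your own device; forward UDP 500/4500 there


def classify_wan_ip(ip_str: str) -> Uplink:
    """Classify the address configured on the MX WAN interface."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        raise ValueError("this helper reasons about IPv4 NAT layers only")
    if ip in CGNAT_SHARED:           # checked first: 100.64/10 is neither 'private' nor 'global' to ipaddress
        return Uplink.CGNAT
    if any(ip in net for net in RFC1918):
        return Uplink.PRIVATE_NAT
    if ip.is_global:
        return Uplink.PUBLIC
    raise ValueError(f"{ip} is reserved/special-use (loopback, link-local, test-net...) and not a usable WAN address")


def client_vpn_reachability(mx_wan_ip: str) -> dict:
    """Say whether inbound IKE can reach the MX and, if a forward helps, where it must be configured."""
    kind = classify_wan_ip(mx_wan_ip)
    if kind is Uplink.CGNAT:
        return {
            "kind": kind,
            "inbound_ike_possible": False,
            "forward_on": None,
            "note": ("WAN IP is RFC 6598 shared space: the ISP holds the outer NAT, so no port forward "
                     "on the MX or on your own gear can deliver UDP 500/4500 to it. Get a publicly routable "
                     "IP from the ISP or terminate Client VPN at another site."),
        }
    if kind is Uplink.PRIVATE_NAT:
        return {
            "kind": kind,
            "inbound_ike_possible": True,
            "forward_on": "upstream NAT device",
            "note": "Forward UDP 500 and 4500 on the upstream device to the MX WAN IP; nothing to forward on the MX itself.",
        }
    return {
        "kind": kind,
        "inbound_ike_possible": True,
        "forward_on": None,
        "note": "MX WAN IP is publicly routable; only the upstream firewall policy (allow UDP 500/4500) matters.",
    }


def required_forwards(mx_wan_ip: str) -> list:
    """Port-forward rules (proto, port, destination) a customer-owned NAT must carry; empty when none apply."""
    verdict = client_vpn_reachability(mx_wan_ip)
    if verdict["forward_on"] is None:
        return []
    return [("udp", port, mx_wan_ip) for port in CLIENT_VPN_UDP_PORTS]


if __name__ == "__main__":
    # Constructed sample WAN addresses, one per situation in the thread.
    for sample in ("100.72.10.5", "192.168.100.2", "8.8.8.8"):
        v = client_vpn_reachability(sample)
        print(f"{sample:>15}  {v['kind'].value:<12} inbound IKE possible: {v['inbound_ike_possible']}")
        print(f"{'':>15}  forwards: {required_forwards(sample) or 'none'}")
        print(f"{'':>15}  {v['note']}")
```

Run it against the address shown on the MX uplink page (Security & SD-WAN > Appliance status > Uplink). If that address falls in 100.64.0.0/10 the helper reports CGNAT, which is the case the thread describes: the forward has to happen on the carrier's NAT, so the remaining options are a routable IP from the ISP or landing the client VPN at a different site.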
GIdenJoe
Kind of a big deal

alemabrahao is correct. CGNAT will stop any incoming connections. If you have an SD-WAN you could have the client VPN enter a different site (or even a cloud site) and tunnel the client VPN subnet that way.

C_Cline
Conversationalist

Well, that's unfortunate. Thank you both for the replies. Will definitely take a look into the SD WAN option.

AlexP
Meraki Employee

To be clear here, manual NAT-T only works for the purposes of AutoVPN, and a port forward on the MX itself wouldn't resolve the issue either.

Realistically, if Starlink offers any way of doing a fixed inner IP or some other way of allowing for inbound traffic through the outermost layer of NAT, that might also be a solution for you.

jbright
A model citizen

On the Starlink web site for business, they state "Customers on Priority plans will also benefit from 24/7, prioritized support and a publicly routable IPv4 address" This should get you past the CGNAT problem, at an additional upfront and monthly cost.

C_Cline
Conversationalist

Yes, that's the impression I was under when I purchased it, that a static IP will be provided but that's not what their support is saying.

Might have to ruffle some feathers to see if I can get any traction with getting a static. The tech I got didn't seem to really understand the problem so maybe with some push we can get some better answers. We can't be the first business to run into this problem.

Appreciate the assist. 

Mike6116
Getting noticed

Have you tried changing the IP setting in the Starlink web page? Change it from default to "Private IP".
