vMX100 Azure Windows VPN client issues

NordOps
Getting noticed

I have a vMX100 set up in Azure and have site-to-site VPNs successfully working. We have a number of MX64s passing Auto VPN traffic just fine.

The Windows VPN client just doesn't work. I get prompted for a username and password, but it is almost as if UDP 500 or UDP 4500 is being blocked on the Azure side. I've seen a bunch of posts saying that the VPN can connect but can't pass traffic, but I can't even seem to get that far. Anyone have any advice? Does anything need to be opened on the Azure side? I routed traffic back to the next hop for the VPN traffic, but like I said we aren't even getting that far.

I get prompted for a username and password, but it is almost like the local authentication on the Meraki is failing.

This is the error I get from a Windows 10 PC.

(screenshot: 07-11-2018-09-49-07.png)

Running a packet sniffer while trying to connect I see:

192.168.128.4.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]

In the event logs I am seeing something like this, which seems pretty odd:

msg: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY

If anyone has any ideas it would be greatly appreciated!

Adding @PhilipDAth as I know he has experience with Azure and vMX (since I don't).

Nolan Herring | nolanwifi.com

PhilipDAth
Kind of a big deal

Perhaps make it simple to begin with, and create a rule in Azure to allow all traffic to the vMX.

Also note that some domestic routers don't handle the VPN traffic properly. You could try connecting via a different Internet connection (such as 4G) just to make sure.

I am having the exact same problem.

1 - From my office I can connect to the VPN - all good, happy days!

2 - From the client office, a different network, I get the same issue you're experiencing now. I'm none the wiser currently as to why this is happening either.

NordOps
Getting noticed

Progress, I can now connect! I can also connect locally to hosts in the Azure environment, but my internet is not working. A trace reveals the second hop to be a public IP, but I can't get past it.

I think I read something about Azure not allowing outbound internet traffic from VPN clients, so I'll manually add routes to bypass the default behavior of full tunnel and see if that works... will update after testing is complete.

 

How did you get your VPN client to connect? Mine won't even connect to the vMX100. As for your internet issue, you have to use a split tunnel.

I'm now in the same boat as you. I just deployed a vMX-M and I can't hit the outside interface to make a VPN connection. I'm on hold with Cisco, but I've deployed at least 5 of these and haven't had this issue.

Hey, good stuff!

I created a PowerShell script to: 1] enable the split tunnel and 2] add the reg key entry.

I then deploy the PowerShell script via our RMM tool, which allows us to run it as administrator on the end users' machines.

Good to hear all working though! And yes, agree, a VPN client would be ideal 🙂

Can you please share the PS script?

This has worked pretty well for us; maybe someone will jump in and offer more options. You need to use your server address for the public IP, the connection name (VPN or whatever you want), the pre-shared key from the MX setup, and the local network as the destination. I am not sure why more people haven't shared; maybe they're holding out for Meraki to make an SSL VPN client or something simpler to deploy. If anyone has any good group policy deployment guides with PowerShell scripts specific to the Meraki VPN and would share, that would be great....

You need to copy and paste this as admin in PowerShell after you've adjusted it for your own network:

# Let the L2TP/IPsec client negotiate with a server that is itself behind NAT (the vMX in Azure); takes effect after a reboot
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent -Name AssumeUDPEncapsulationContextOnSendRule -Type DWord -Value 2 -Force
$ServerAddress = "x.x.x.x"           # public IP of the vMX100
$ConnectionName = "VPN"              # any name you like
$PresharedKey = "presharedkey"       # pre-shared key from the MX Client VPN setup
$Destination = "192.168.128.0/24"    # Azure subnet to reach over the tunnel
# L2TP over IPsec with PSK and PAP, which is what the Meraki client VPN expects
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType L2tp -L2tpPsk $PresharedKey -AuthenticationMethod Pap -Force
# Split tunnel: only the routes added below go over the VPN, everything else stays local
Set-VpnConnection -Name $ConnectionName -SplitTunneling $True
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination

Split tunnel is not a fix but a band-aid that bypasses the firewall and breaks DNS for any Azure internal resources.

Does anyone have a real fix to allow the VPN to pass traffic out to the Internet?

I even opened a case with Meraki and they also did not know how to resolve this issue.

It shouldn't break DNS if you have configured the split DNS part in the VPN connection.

There is nothing that Meraki can do about it. To the best of my knowledge, Azure does not allow subnets outside of Azure to use Azure to provide Internet access.

HOW do I do this Split DNS?

That kind of makes sense. Honestly I don't want them to pull internet traffic via the VPN anyway; I just want any traffic destined for the Azure VNET to route to the VPN, but I also need DNS to be internal or when they hit a server name they will get the external IP address.

I did find a document on AWS that states Full Tunnel Does not have Route not supported.

OK, thank you for your response. I will go with the split tunnel option. HOW do I do this split DNS thingy?

Keeping in mind I have to install this option on 60 computers!

I already have a GPO that runs a startup script, an Add-VpnConnection PowerShell script that works great. I just need to tweak that script for split tunnel and DNS, which I don't know how to do yet.

>HOW do I do this Split DNS?

When you use PowerShell to create the config and configure the domain, it should split the DNS.

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

This is a long Microsoft guide on how to do just split DNS:

https://docs.microsoft.com/en-us/windows-server/networking/dns/deploy/split-brain-dns-deployment

This is a shorter guide:

https://serverfault.com/questions/925901/windows-10-always-on-vpn-split-dns-nrpt-and-how-to-configur...

Ok, the split tunnel is working. I have internet and can ping Azure resources.

How do I add custom DNS now?

Just a thought - why not put a DNS server in Azure and assign it dynamically under "Custom nameservers" instead of trying to distribute DNS via PowerShell?

Alternatively you could just use an existing internal DNS server and dynamically assign it, as long as your client can get from the Meraki back to that internal DNS server that already exists. That should work assuming you have an MX or something in front of the non-cloud internal DNS server onsite and it's reachable over VPN. The first option is probably better because it wouldn't require that link to be up, but I think either would work.

I have a DNS domain controller in Azure; I just need anything.mydomain to resolve to Azure internal IPs now.

How do I do this custom DNS?

Can you specify it on the vMX100?

Security & SD-WAN > Client VPN > "Custom nameservers" and enter the IP of the local DNS server?

PhilipDAth
Kind of a big deal

@NordOps is right - you don't need to split DNS in this case.  Just give out your Azure AD controllers.

One of the first things I did: while connected to the VPN, if I look up a server name and append the IP of the DNS server, it finds the correct server.

If I just do nslookup it searches my local DNS and presents the public IP of the server.

I am experimenting with this command but so far it is not working:

Set-VpnConnectionTriggerDnsConfiguration -ConnectionName "$ConnectionName" -DnsSuffix "mydomain.com" -DnsIPAddress "10.0.0.4" -PassThru -Force

"mydomain.com" should be your internal AD domain name.

Correct, I merely changed it due to this being all public and all.

I am close. The split is working, but what will happen is Dynamics NAV clients will fail due to the server name not going to the internal IP address.

I know I can play some silly game and change public DNS to reflect the internal IP address, but that's too messy.

I want to do this the right way.

Making progress; I just need dynamicnav.mydomain.com to query my domain controller 10.0.0.4 and not public DNS.

OR somehow force all DNS queries to hit the Azure DC; that would work too.

So the custom name server is working: if I do not split tunnel, all works except I just have no internet. So I want to split tunnel so users can do NAV and also internet.

The problem with split is DNS defaults to my local DC and not the Azure DC.

Follow @NordOps' example, and configure the MX to give out the DNS servers of your Azure AD controllers.

Security & SD-WAN > Client VPN > "Custom nameservers" and enter the IP of the Azure AD controllers

@PhilipDAth that's what's worked for me in the past. Just let the vMX100 assign it vs. the PowerShell script.

All that works just how you would expect.

Until I enable split tunnel; then internal DNS is ignored.

IF I don't use split tunnel everything works as expected, just you don't have any internet other than Azure resources.

Are you using Azure server DNS or back to your onsite DNS server? The internal Azure DNS should just work. If it isn't, can you ping that address? If you can ping it then you might be looking at the issue I had originally with the regedit. If you can't ping it, maybe it's the Azure routing tables.

If you're using your onsite DNS server you need to also allow that local traffic back to the Meraki when you're split tunneling. In PowerShell I think you'd need to add another destination. In this scenario let's just say 192.168.128.0/24 is Azure and 192.168.100.0/24 is your old network with your onsite DNS server. You'd need to route both private networks back to the vMX100. Hope that makes sense.

# Azure subnet
$Destination = "192.168.128.0/24"
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination

# onsite network that holds the internal DNS server
$Destination = "192.168.100.0/24"
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $Destination

OK, that's close. I don't want to use the onsite DNS server; I want to use split tunnel and force all DNS to the Azure domain controller so those server names will resolve correctly.

The problem with the split tunnel is it keeps hitting my onsite DNS and returning public IPs for my internal Azure VMs.

So maybe somehow change my DNS on the client via PS to only use the Azure DNS server during the VPN session.

I think this would solve everything.

It's a better design to use Azure DNS anyway because of cloud availability vs. relying on an old server onsite, so that makes sense.

If you remove the DNS from PowerShell, the Windows PC should just follow normal networking rules and grab the DNS from whatever you specify on the vMX100.

There must be something up with your PowerShell script if it keeps assigning the onsite DNS server, or maybe you have it defined and/or hard-coded on the NIC? The vMX100 should be assigning the onsite one; maybe try setting up the VPN client manually instead of using PowerShell as a test and see if you get different behavior.

If I just use the normal VPN with no PowerShell, everything works fine for Azure but no internet.

If I configure split tunnel I have internet and can PING IPs in Azure but cannot do any name resolution, because it uses local DNS and gets the public IP, not the Azure internal one.

So the split tunnel does not know where to look when I query mydomain.com; it defaults to local DNS.

So the only way for this to work is split tunnel, but I need to figure out how to make all DNS queries hit the DC in Azure and not locally.

So picture I have a user in an airport somewhere; he jumps on the VPN, then nothing works DNS-wise because he is using some airport DNS server.

I need to force DNS to use what's on the VPN during split tunnel mode.

Is that even possible?

I just wanted to say thank you for replying back to me and getting me to keep looking at the problem. I did not really find an answer, but my script runs under the user profile in GPO and adds the VPN in split tunnel mode.

The only modification I need to do is set the metric for IPv4 in the VPN to 1, and all the DNS traverses the tunnel.

And the end user still has internet via the split.

With all that said, Meraki tells me my original configuration should work and should not need split tunnel, can use gateway on remote device, but no one can tell me this configuration.

So I am up and running but still want to explore the full tunnel via the vMX if that is even possible.

Thank you again.
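Pulling the thread's pieces together as one added example (not the poster's GPO script): a per-user PowerShell deployment that sets the NAT-T registry value, creates the L2TP/IPsec connection with split tunnelling, routes only the Azure subnet over it, pins the AD suffix to the Azure domain controller with an NRPT trigger rule, and sets the VPN interface metric to 1 as described above so DNS prefers the tunnel. The server IP, PSK, subnet, suffix and DC address are placeholders; storing the metric as IpInterfaceMetric in the user's rasphone.pbk is my assumption about where Windows keeps that setting, and the registry change takes effect after a reboot.

```powershell
# Added example, not from the thread. Placeholders: server IP, PSK, subnet, suffix, DC address.
$ConnectionName = "Azure-vMX"
$ServerAddress  = "x.x.x.x"            # public IP of the vMX100 (placeholder)
$PresharedKey   = "presharedkey"       # from the MX Client VPN page (placeholder)
$AzureSubnet    = "192.168.128.0/24"   # only this prefix is routed into the tunnel
$DnsSuffix      = "mydomain.com"       # internal AD domain (placeholder)
$AzureDc        = "10.0.0.4"           # Azure domain controller / DNS (placeholder)

# 1. NAT-T: client and vMX are both behind NAT, so Windows must accept UDP 4500
#    encapsulated IKE/ESP from a NAT'd peer (value 2). Requires a reboot to apply.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' `
    -Name AssumeUDPEncapsulationContextOnSendRule -Type DWord -Value 2 -Force

# 2. L2TP/IPsec with PSK and PAP, which is what Meraki Client VPN expects; PAP is
#    carried inside the IPsec tunnel. Recreate the connection so the script is idempotent.
if (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue) {
    Remove-VpnConnection -Name $ConnectionName -Force
}
Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress -TunnelType L2tp `
    -L2tpPsk $PresharedKey -AuthenticationMethod Pap -RememberCredential -Force

# 3. Split tunnel: the Azure prefix goes over the VPN; internet stays on the local link.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $AzureSubnet

# 4. NRPT rule: while connected, names under the AD suffix are resolved by the Azure DC,
#    so internal hosts return private IPs even though other lookups stay local.
#    Trigger configuration is per-user only, hence no -AllUserConnection above.
Add-VpnConnectionTriggerDnsConfiguration -ConnectionName $ConnectionName `
    -DnsSuffix $DnsSuffix -DnsIPAddress $AzureDc -Force

# 5. Interface metric 1 (the fix the poster landed on): with split tunnelling Windows
#    sends DNS to the lowest-metric interface, so make the VPN adapter win.
#    Assumption: the user's phonebook stores this as IpInterfaceMetric (0 = automatic).
$Pbk     = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$Text    = Get-Content -Path $Pbk -Raw
$Pattern = "(?ms)(\[" + [regex]::Escape($ConnectionName) + "\].*?IpInterfaceMetric=)\d+"
$Text    = [regex]::Replace($Text, $Pattern, '${1}1')
Set-Content -Path $Pbk -Value $Text -NoNewline

# Verify what was applied before pushing the script out via GPO.
Get-VpnConnection -Name $ConnectionName | Select-Object Name, TunnelType, SplitTunneling
Get-VpnConnectionTrigger -ConnectionName $ConnectionName
```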

You're right about Azure. Based on what I've seen they currently don't want you sending the internet traffic back over the link, so it doesn't NAT outbound for remote traffic. They might have allowed it in the early days with the vMX when there was more than one interface, but it doesn't look like an option now.

Reinout
Here to help

Everything worked on Windows 10 version 1803. We used split tunnel for accessing the internet. However, now we are facing issues since some of the clients are updated to 1809 and 1903.

Now we cannot connect to the client VPN anymore when we use Windows version 1809 or higher...

We did add the correct registry keys and also use the same settings as we did on the 1803 versions of Windows. Anyone else having the same troubles?

Regards,

Reinout.

I have since changed my method and went with the CMAK route, creating a custom exe to install the VPN. I use GPO to add registry keys to all desktops and post a URL for users to download and install the CMAK VPN installer. I also stopped using the vMX in Azure due to the full tunnel limitation and have users VPN to the main site; then I route traffic from there to all other sites, including Azure, via a route table.

CMAK was my final solution, and full tunnel cleared up all my routing issues. We also use RADIUS for authentication.

No issues with 1809; have not tried 1903 but will set up a test box to verify.

PhilipDAth
Kind of a big deal

>Now we can not connect to the client VPN anymore when we use Windows version 1809 or higher...

I've seen this issue. If you try to connect from the system tray in the bottom right-hand corner, the VPN fails to complete connecting - BUT - if you go:

Start/Settings/VPN/VPN

click on the VPN connection and then connect from there, it works.

I think there is a bug in the Windows 10 GUI.

Thank you PhilipDAth!

That solved it. You saved me from a downgrade of many computers!

Also, once you have opened the VPN via the method you described (Start/Settings/VPN/VPN) you can open the VPN via the system tray again!

Regards,

Reinout
