MG21 and User VPN

Patrik73
Getting noticed

I have an MX64W and a cellular gateway MG21 connected to the WAN port.
The SIM card in the MG21 has a public IP (not a NAT IP).
I try to activate user VPN but have no luck making it work.
The MX64 has an address from the MG21 (172.31.128.4).
I have set up a port forward on the MG21:
UDP 500, UDP 4500 and TCP 1701 from the MG to 172.31.128.4.
Allowed remote IP: all
But still no luck.
I am not even sure that this is going to work.
Can someone who has made this work please tell me what I am doing wrong?

ww
Kind of a big deal

Make a packet capture on the MG WAN interface. Then try to connect to the client VPN. Look in the capture whether you see connections from that client's public IP.

If you don't see them, maybe the provider filters traffic on those ports.

Patrik73
Getting noticed

Yes, I see connections from my computer's public IP to the cellular public IP.

Something is happening, but I am not sure what.

User Datagram Protocol, Src Port: 1011, Dst Port: 500

User Datagram Protocol, Src Port: 500, Dst Port: 1011

User Datagram Protocol, Src Port: 64916, Dst Port: 4500

User Datagram Protocol, Src Port: 4500, Dst Port: 64916

Among others.

KarstenI
Kind of a big deal

What you see here is the "normal" IKE exchange when there is NAT involved. That looks OK. Any event logs for client VPN?

KarstenI
Kind of a big deal

Do you see something similar when you capture on the MX WAN interface? It really has to, but better to confirm.

Yes, I see pretty much the same.

User Datagram Protocol, Src Port: 500, Dst Port: 1011

User Datagram Protocol, Src Port: 64916, Dst Port: 4500
ww
Kind of a big deal

So you have to look at the MX event log. It should have some logging about the connection.

Patrik73
Getting noticed

Yes, I have.
For example:

msg: <l2tp-over-ipsec-1|10> closing CHILD_SA net-1{31} with SPIs c46d0b0c(inbound) (0 bytes) 2101bf06(outbound) (0 bytes) and TS 172.31.128.4/32[udp/l2f] === [my-public-ip][udp/l2f]

Patrik73
Getting noticed

The log shows this.

Mar 10 21:49:02 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> deleting IKE_SA l2tp-over-ipsec-1[21] between 172.31.128.4[172.31.128.4]...[MY PUBLIC IP][10.10.51.102]
Mar 10 21:49:02 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> closing CHILD_SA net-1{34} with SPIs c1448fd5(inbound) (0 bytes) 8a532e80(outbound) (0 bytes) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
Mar 10 21:49:02 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> CHILD_SA net-1{34} established with SPIs c1448fd5(inbound) 8a532e80(outbound) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
Mar 10 21:49:02 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> closing CHILD_SA net-1{33} with SPIs cec31204(inbound) (0 bytes) 5603a7d6(outbound) (0 bytes) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
Mar 10 21:48:59 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> closing CHILD_SA net-1{32} with SPIs c09a18d5(inbound) (0 bytes) 0b50d3b8(outbound) (0 bytes) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
Mar 10 21:48:59 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> CHILD_SA net-1{33} established with SPIs cec31204(inbound) 5603a7d6(outbound) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
Mar 10 21:48:59 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> CHILD_SA net-1{32} established with SPIs c09a18d5(inbound) 0b50d3b8(outbound) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
Mar 10 21:48:59 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> IKE_SA l2tp-over-ipsec-1[21] established between 172.31.128.4[172.31.128.4]...[MY PUBLIC IP][10.10.51.102]
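
Added example, not code from the thread: a small Python parser for event-log lines in the format quoted in this post. It pairs each CHILD_SA's "established" and "closing" lines and reports whether any L2TP bytes crossed the tunnel before it was torn down, which separates an IKE/port-forward problem from a problem in the encapsulated ESP/L2TP path. The sample log is taken from the lines above (the poster's public IP stays a placeholder); the verdict strings are this example's own.

```python
import re
from typing import Dict

# Added example, not from the thread. Parses Meraki "Non-Meraki / Client VPN
# negotiation" event lines and flags CHILD_SAs that were established and then
# closed with 0 bytes both ways: IKE/IPsec came up, but no L2TP payload flowed.
EST_RE = re.compile(r"> CHILD_SA (?P<sa>\S+) established with SPIs")
CLOSE_RE = re.compile(
    r"> closing CHILD_SA (?P<sa>\S+) with SPIs [0-9a-f]+\(inbound\) "
    r"\((?P<in_bytes>\d+) bytes\) [0-9a-f]+\(outbound\) \((?P<out_bytes>\d+) bytes\)"
)

def parse_child_sas(log_text: str) -> Dict[str, dict]:
    """One record per CHILD_SA name (e.g. 'net-1{34}'), independent of line
    order: the dashboard lists the newest events first."""
    sas: Dict[str, dict] = {}
    def rec(name: str) -> dict:
        return sas.setdefault(name, {"established": False, "closed": False,
                                     "in_bytes": 0, "out_bytes": 0})
    for line in log_text.splitlines():
        if m := EST_RE.search(line):
            rec(m["sa"])["established"] = True
        elif m := CLOSE_RE.search(line):
            rec(m["sa"]).update(closed=True, in_bytes=int(m["in_bytes"]),
                                out_bytes=int(m["out_bytes"]))
    return sas

def diagnose(sas: Dict[str, dict]) -> str:
    """'ipsec-up-no-l2tp' is the symptom in this thread: every CHILD_SA was
    negotiated and torn down with 0 bytes each way, so the failure is after
    IKE, in the UDP-encapsulated ESP/L2TP path, not in the IKE port forwards."""
    done = [s for s in sas.values() if s["established"] and s["closed"]]
    if not done:
        return "no-child-sa"
    if all(s["in_bytes"] == 0 and s["out_bytes"] == 0 for s in done):
        return "ipsec-up-no-l2tp"
    if any(s["in_bytes"] > 0 and s["out_bytes"] == 0 for s in done):
        return "one-way-traffic"
    return "traffic-flowed"

# Sample taken from the event-log lines quoted above (public IP is the
# poster's placeholder), newest first as the dashboard shows them.
SAMPLE_LOG = """\
Mar 10 21:49:02 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> closing CHILD_SA net-1{34} with SPIs c1448fd5(inbound) (0 bytes) 8a532e80(outbound) (0 bytes) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
Mar 10 21:49:02 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> CHILD_SA net-1{34} established with SPIs c1448fd5(inbound) 8a532e80(outbound) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
Mar 10 21:48:59 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> closing CHILD_SA net-1{33} with SPIs cec31204(inbound) (0 bytes) 5603a7d6(outbound) (0 bytes) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
Mar 10 21:48:59 Non-Meraki / Client VPN negotiation msg: <l2tp-over-ipsec-1|21> CHILD_SA net-1{33} established with SPIs cec31204(inbound) 5603a7d6(outbound) and TS 172.31.128.4/32[udp/l2f] === [MY PUBLIC IP]/32[udp/l2f]
"""
```

Running `diagnose(parse_child_sas(SAMPLE_LOG))` on the quoted log returns `ipsec-up-no-l2tp`; a healthy session would show non-zero byte counts on the closing lines and return `traffic-flowed`.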
Patrik73
Getting noticed

Looks like it is working now.

I found something about AssumeUDPEncapsulationContextOnSendRule.

Put it in the registry with value 3, rebooted and tried again.

Voila, it works 🙂

Thank you for your help in troubleshooting.

I learned a lot, actually.

KarstenI
Kind of a big deal

Another test: Is the public IP that the MG reports the same as the IP on the MG interface? Just because there is a public IP on the interface does not automatically mean that there is no NAT at the provider involved.

Yes, the SIM card was getting a NAT address at first.

I contacted the provider and they changed it.

From a 10.x.x.x address to a 37.3.x.x address.

I have another SIM card with the same setup from the same provider in an ASUS 4G router, and that works fine.
