09-22-2022 03:38 AM
Hello,
I enabled Client VPN, configured a pre-shared key. I chose Meraki Cloud authentication and configured a new user with VPN authentication.
When I try to connect to the VPN from a remote system I get this error:
"The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer"
I copy/pasted the pre-shared key, the username and the password, so there cannot be a typing error.
I created and deleted the VPN connection three times. Every time I get the same error.
Any ideas what I might be doing wrong?
09-22-2022 07:49 AM
For a quick test I can allow that. However it is time for me to go home now and I will only be back in the office tomorrow morning. Can we take this up again tomorrow? I will send a reply when I am back in the office tomorrow.
(Thank you very much for your assistance so far, it is very much appreciated).
09-22-2022 07:50 AM
Yes, sure. 🙂
09-22-2022 11:57 PM
Hello, I'm back at the office. We can set up a test whenever you are ready.
09-23-2022 04:29 AM
Hi @ErnstTFD ,
Sorry about delay, I'm in a different time zone. We can perform a test now.
09-22-2022 03:58 AM
Did you follow the configuration guide? In my experience, doing it just using Windows wizards etc. never works - you need to follow the step-by-step guide carefully for your version of OS: https://documentation.meraki.com/MX/Client_VPN/Client_VPN_Overview
Check out the Network-wide > Event log for details of what the MX is seeing too.
You can, of course, also ask for assistance from Meraki Support.
09-22-2022 04:02 AM
I followed the configuration guide yes.
I also checked the event log, but nothing shows up here.
09-22-2022 07:08 PM
Have you checked the events on the Meraki dashboard regarding Client VPN?
Usually I have configured Windows machines by generating the PowerShell config with this script, to avoid human errors:
https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html
Regards!
09-22-2022 11:56 PM
Hi, I used this script tool to create a VPN Profile. The result is the same when I try to connect the VPN. Thanks for the advice though, the script tool is handy.
Question: If I run the script by clicking on it and selecting "Run script" it fails. I opened the script in ISE and tried to run it and got an error "Unable to remove existing instance(s) of TFD Meraki profile: Access denied"
I then re-opened ISE in administrator mode and then the script executed fine.
Is there a way to run the script as an administrator without opening ISE?
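One way to have a profile script elevate itself instead of being launched from an elevated ISE, as an added example that is not part of the thread, not the ifm.net.nz script and not Meraki's code. The profile name "TFD Meraki" is taken from the thread; the server address and pre-shared key are placeholders, and the L2TP/IPsec settings (PAP inside the IPsec tunnel) follow the Meraki guide linked above. The NAT-T registry value at the end is the standard Windows setting for an L2TP/IPsec server that sits behind NAT, which is the situation described later in this thread (MX behind an ISP-managed MikroTik).

```powershell
# Added example: self-elevating Client VPN profile script (not the ifm.net.nz
# script, not Meraki's code). Profile name from the thread; address and PSK
# are placeholders that must be replaced.

$ProfileName   = 'TFD Meraki'
$ServerAddress = 'vpn.example.invalid'   # placeholder: MX public hostname or IP
$PreSharedKey  = 'REPLACE-WITH-PSK'      # placeholder: the dashboard pre-shared key

# 1. Re-launch elevated if this console is not running as administrator.
#    Removing an all-user VPN profile and writing under HKLM both need admin
#    rights, which is why a normal console reports "Access denied".
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $argList = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`""
    Start-Process -FilePath 'powershell.exe' -ArgumentList $argList -Verb RunAs
    exit   # the elevated copy continues from the top; this copy is finished
}

# 2. Replace any existing profile of the same name (succeeds now that we are elevated).
Remove-VpnConnection -Name $ProfileName -AllUserConnection -Force -ErrorAction SilentlyContinue

# 3. Create the L2TP/IPsec profile. PAP is acceptable only because it is
#    carried inside the IPsec tunnel, never on the wire in the clear.
Add-VpnConnection -Name $ProfileName `
    -ServerAddress $ServerAddress `
    -TunnelType L2tp `
    -L2tpPsk $PreSharedKey `
    -AuthenticationMethod Pap `
    -EncryptionLevel Optional `
    -AllUserConnection `
    -RememberCredential `
    -Force

# 4. Allow IPsec NAT-T to a server behind NAT. By default Windows will not
#    establish an L2TP/IPsec association to a NATed server; value 2 allows
#    both client and server to be behind NAT. Takes effect after a reboot.
$policyAgent = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
New-ItemProperty -Path $policyAgent -Name 'AssumeUDPEncapsulationContextOnSendRule' `
    -PropertyType DWord -Value 2 -Force | Out-Null

Write-Host "Profile '$ProfileName' created. Reboot for the NAT-T setting to take effect."
```

Save this as a .ps1 file and start it from an ordinary console or the right-click menu; the first block triggers the UAC prompt and the elevated copy does the actual work. Because `-ExecutionPolicy Bypass` only applies to the re-launched process, the file itself can stay under the machine's normal execution policy.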
09-26-2022 01:29 AM
Update! I have worked with my ISP to ensure that all traffic is forwarded to my Meraki. I've also added two rules to my Firewall (L3) to allow all traffic on ports 500 and 4500.
When I do a packet capture on the internet interface, I get a lot of traffic on port 4500 and some traffic on port 500.
However when I do a packet capture on the "Client VPN" interface, then no data is captured or recorded in the pcap file.
It seems that the connection request does not reach the Client VPN interface. Do you have any suggestions where I can look to check the traffic is allowed to reach the Client VPN?
Also I get a different error now than before: "The connection was terminated by the remote computer before it could be completed". When I look in the Windows event log I get error code: 628.
09-26-2022 03:57 AM
What version are you running? In my opinion, it is a bug or the issue is before the MX.
09-26-2022 03:59 AM
09-26-2022 04:04 AM
I've tested the VPN client on all my clients running the same version, and it worked without any issues. That's why I believe it is something before the MX.
09-26-2022 04:10 AM
My Meraki sits behind a Mikrotik Router that is managed by the ISP. According to them, all incoming traffic to the Public IP is being forwarded to the Meraki. They sent me their Firewall rules to look at. I'm not an expert in Mikrotik firewalls but it seems in order to me.
This is what they have sent:
0 chain=srcnat action=masquerade src-address=!41.138.70.12/30 out-interface=Client_Details log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=192.168.0.91 protocol=tcp dst-address=41.76.33.18 dst-port=!8291,2000,8728 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=192.168.0.91 protocol=udp dst-address=41.76.33.18 dst-port=!8291,2000,8728 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.0.91 protocol=gre log=no log-prefix=""
4 chain=srcnat action=masquerade dst-address=192.168.0.91 log=no log-prefix=""
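A quick way to check a rule dump like this against what L2TP/IPsec actually needs, as an added example that is not part of the thread. The script parses the MikroTik `print` output above into key/value pairs, understands the `!` negation on `dst-port`, and reports whether UDP 500 (IKE), UDP 4500 (NAT-T) and raw ESP are DNATed to the MX. The rule lines and the addresses 192.168.0.91 and 41.76.33.18 are copied from the post above; the rule format handling is this example's own.

```powershell
# Added example (not from the thread): check a MikroTik NAT rule dump for the
# ports L2TP/IPsec needs. The rule text is the one posted by the ISP above.

$RuleDump = @'
0 chain=srcnat action=masquerade src-address=!41.138.70.12/30 out-interface=Client_Details log=no log-prefix=""
1 chain=dstnat action=dst-nat to-addresses=192.168.0.91 protocol=tcp dst-address=41.76.33.18 dst-port=!8291,2000,8728 log=no log-prefix=""
2 chain=dstnat action=dst-nat to-addresses=192.168.0.91 protocol=udp dst-address=41.76.33.18 dst-port=!8291,2000,8728 log=no log-prefix=""
3 chain=dstnat action=dst-nat to-addresses=192.168.0.91 protocol=gre log=no log-prefix=""
4 chain=srcnat action=masquerade dst-address=192.168.0.91 log=no log-prefix=""
'@

function ConvertFrom-MikrotikRule {
    param([string]$Line)
    $rule = @{}
    # The leading number is the rule index; everything after it is key=value
    # pairs. A value is either double-quoted or runs to the next whitespace.
    foreach ($m in [regex]::Matches($Line, '(\S+?)=("[^"]*"|\S*)')) {
        $rule[$m.Groups[1].Value] = $m.Groups[2].Value.Trim('"')
    }
    return $rule
}

function Test-ForwardedToMx {
    param([hashtable[]]$Rules, [string]$Protocol, [int]$Port, [string]$MxAddress)
    foreach ($r in $Rules) {
        if ($r['chain'] -ne 'dstnat' -or $r['action'] -ne 'dst-nat') { continue }
        if ($r['to-addresses'] -ne $MxAddress) { continue }
        if ($r['protocol'] -ne $Protocol) { continue }
        $spec = $r['dst-port']
        if (-not $spec) { return $true }          # no port filter: whole protocol forwarded
        $negated = $spec.StartsWith('!')           # "!a,b,c" means every port EXCEPT a,b,c
        $ports   = $spec.TrimStart('!') -split ',' | ForEach-Object { [int]$_ }
        $listed  = $ports -contains $Port
        if ($negated -xor $listed) { return $true }
    }
    return $false
}

$rules = $RuleDump -split "`n" | Where-Object { $_.Trim() } | ForEach-Object { ConvertFrom-MikrotikRule $_ }

# What an L2TP/IPsec client behind NAT needs to reach the MX: IKE on UDP 500 and
# NAT-T on UDP 4500 (ESP is encapsulated in 4500 when either side is NATed, so
# raw ESP forwarding only matters if NAT-T is not in use).
$checks = @(
    @{ Proto = 'udp';       Port = 500;  Why = 'IKE' },
    @{ Proto = 'udp';       Port = 4500; Why = 'IPsec NAT-T (carries ESP when NATed)' },
    @{ Proto = 'ipsec-esp'; Port = 0;    Why = 'raw ESP (only needed without NAT-T)' }
)
foreach ($c in $checks) {
    $ok = Test-ForwardedToMx -Rules $rules -Protocol $c.Proto -Port $c.Port -MxAddress '192.168.0.91'
    $portText = if ($c.Port) { $c.Port } else { 'n/a' }
    '{0,-10} {1,5} {2,-42} {3}' -f $c.Proto, $portText, $c.Why, $(if ($ok) { 'forwarded' } else { 'NOT forwarded' })
}
```

For the rules above this reports UDP 500 and 4500 as forwarded (rule 2 excludes only 8291, 2000 and 8728) and raw ESP as not forwarded, which is fine as long as NAT-T is used; rule 3 forwards GRE, which serves PPTP, not IPsec. The parser only looks at `to-addresses`, `protocol` and `dst-port`, so it will not catch a mismatched `dst-address` if the public IP is not the one the client dials.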
09-26-2022 04:15 AM
Are they using CG-NAT?
09-26-2022 04:23 AM
Not sure, I will inquire and give you feedback when I get it.