07-14-2023 06:17 PM
During a recent deployment, I encountered a connectivity issue when enabling the Client VPN. In Setup 1, there was a Modem in front of the MX acting as a VDSL terminator in bridge mode. Initially, I suspected this configuration to be the root cause of the problem. The client attempting to connect to the VPN would consistently experience server timeouts. To investigate further, I checked the MX logs but found no helpful information.
Curiously, I encountered a similar issue when setting up a Client VPN at site 2, where the WAN was terminated directly at the MX. However, when I decided to change the secret password, the client was able to establish a successful connection instantly. Encouraged by this result, I revisited site 1 and also changed the secret password. To my satisfaction, the client was now able to connect successfully.
07-16-2023 02:44 PM
When the MX is behind a device doing NAT, you have to add an extra registry entry to the client. I don't recall exactly what it is, but this client VPN wizard creates a PowerShell script that includes that change:
https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html
Make sure you are port forwarding udp/500, udp/4500 and udp/1701.
07-16-2023 03:41 PM
The modem isn't NATing; it's in bridge mode and doesn't require any port forwards. In this context it acts as a media converter, converting the VDSL to Ethernet.
Yes, you would be correct if the configuration was using routing mode; port forwards would be required.