Muhammad Faizal Niam Mubarok || BLC Telkom Klaten


Client VPN Meraki - Install and Troubleshoot

Hello guys, in this section I will share my experience configuring client VPN on Meraki.

By the way, in this section I install client VPN on an MX-64W.

I have already installed this client VPN in 2 scenarios:

1. MX-64W has a public IP


2. MX-64W behind a NAT device


So let's start configuring client VPN on Meraki. This Meraki configuration is used for both scenarios above.

Navigate to Security & SD-WAN > Client VPN




Client VPN Server : Enabled

Hostname : This is the same hostname shown on the appliance status page

Subnet      : This is the subnet that will be assigned to users connected to the VPN; make sure this subnet is not already used anywhere on your network

DNS Server : Use any DNS server you wish; in this scenario I use Google public DNS

Shared Secret : This is used to match the client and the server; you are free to use a sentence or a number for this secret (a long random value is the safer choice, since every client shares it)

Authentication : You can choose Meraki Cloud, RADIUS, or Active Directory

Meraki Cloud Authentication : Uses the user database on the Meraki Dashboard, located below the Authentication setting
RADIUS : Uses a RADIUS server; you must add the RADIUS server below the Authentication menu
Active Directory : Uses AD; you must add the Active Directory server below the Authentication menu

So the configuration above is on the Meraki Dashboard.

The next step is to configure the remote client; in my scenario I use Windows 10.

Open the Windows Start menu and search for VPN Settings




After that click Add a VPN connection






VPN Provider : Windows (built-in)
Connection Name : the name for this connection
Server Name : the hostname from the Meraki dashboard that we configured earlier
VPN Type : you must choose L2TP/IPsec with pre-shared key to use Meraki client VPN
Pre-Shared Key : use the shared secret that we configured earlier on the Meraki Dashboard
Save

After that go to Network Connections:
Press Windows + R and type ncpa.cpl
Right-click the connection name we configured above and click Properties
Go to the Security tab, match the settings with the image below, and click OK




Test Connection

If you use scenario 1, this will connect directly.

If you encounter this error "The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer." there are several possibilities:

1. Something (a firewall, for example) is blocking the connection on the remote client side
2. The hostname is not reachable from the remote client; you can check by pinging the hostname from cmd
3. You use scenario 2, where the Meraki is behind a NAT device; you need to configure port forwarding on the router that has the public IP, forwarding UDP ports 500 and 4500 to the Meraki IP

Here is an example for point 3.

My Meraki uplink has IP 192.168.100.2 and the router's WAN IP is 4.4.4.4, so you need to configure port forwarding on the router. Here is my example configuration from a MikroTik router:


1    chain=dstnat action=dst-nat to-addresses=192.168.100.2 to-ports=500 
      protocol=udp dst-address=4.4.4.4 dst-port=500 log=no log-prefix="" 

 2    chain=dstnat action=dst-nat to-addresses=192.168.100.2 to-ports=4500 
      protocol=udp dst-address=4.4.4.4 dst-port=4500 log=no 
      log-prefix="" 

If you have already configured that on the router, you will get another error while trying to connect to the VPN:
"The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g., firewalls, NAT, routers, etc.) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem."


This error occurs on Windows 10. You need to add two registry values on the Windows 10 client: run the commands below from a PowerShell (or cmd) prompt with administrator privileges, and after you have run them, reboot the Windows 10 client. The first value (AssumeUDPEncapsulationContextOnSendRule = 2) lets the IPsec service negotiate with a server that sits behind NAT (NAT-T); the second (ProhibitIpSec = 0) keeps IPsec enabled for the L2TP connection.
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f




Just for info, this client VPN configuration uses a full tunnel, which means your internet gateway is the VPN. If you want a split tunnel on Meraki client VPN, you need to manually route your Meraki networks through the VPN. I already have a PowerShell script that can help you connect the VPN and make it a split tunnel:

# Define variables
$vpnName = "MerakiVPN"  # Name of the VPN connection
$serverAddress = "4.4.4.4"  # VPN server address
$vpnKey = "12345678"  # Pre-shared key for the VPN
$destinationSubnets = @(
    "10.1.1.0/24",
    "172.16.10.0/24",
    "172.16.20.0/24",
    "172.16.30.0/24",
    "172.16.40.0/24"
)  # Subnets to route through VPN

You just need to modify these variables in file.ps1:
vpnName : the VPN connection name
serverAddress : fill this with the Meraki hostname
vpnKey : fill this with your VPN shared secret
destinationSubnets : the subnets of your Meraki network

You can download the script here
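As an added illustration (this is not the author's downloadable script), the following PowerShell does the same job end to end: it checks the NAT-T registry value from the troubleshooting section, creates the L2TP/IPsec connection with split tunneling, adds only the listed subnets as VPN routes, dials, and lists what actually routes through the tunnel. The hostname, secret and subnets are placeholders/constructed values; the cmdlets are the built-in VpnClient module ones.

```powershell
# Added example, not the author's script. Run from an elevated PowerShell.
# All values below are placeholders or constructed samples; replace them.
$vpnName            = "MerakiVPN"
$serverAddress      = "mx.example.invalid"          # hostname from Appliance status
$vpnKey             = "REPLACE_WITH_SHARED_SECRET"  # dashboard shared secret
$destinationSubnets = @("10.1.1.0/24", "172.16.10.0/24")  # constructed sample subnets

# 1. Warn early if the NAT-T registry value from the troubleshooting step is missing,
#    because the "remote server is not responding" error will otherwise come back.
$pa   = "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent"
$natT = (Get-ItemProperty -Path $pa -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($natT -ne 2) {
    Write-Warning "AssumeUDPEncapsulationContextOnSendRule is not 2; L2TP/IPsec through NAT may fail."
}

# 2. Create the connection once. Meraki client VPN expects PAP inside the IPsec
#    tunnel; -SplitTunneling unticks "Use default gateway on remote network".
if (-not (Get-VpnConnection -Name $vpnName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $vpnName -ServerAddress $serverAddress `
        -TunnelType L2tp -L2tpPsk $vpnKey -AuthenticationMethod Pap `
        -EncryptionLevel Required -SplitTunneling -RememberCredential -Force
}

# 3. Add a route per internal subnet so only that traffic enters the tunnel.
$current = (Get-VpnConnection -Name $vpnName).Routes | ForEach-Object { $_.DestinationPrefix }
foreach ($prefix in $destinationSubnets) {
    if ($current -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $vpnName -DestinationPrefix $prefix
    }
}

# 4. Dial with the dashboard user; the password is prompted, never stored in the file.
$cred  = Get-Credential -Message "Meraki client VPN user"
$plain = $cred.GetNetworkCredential().Password
rasdial $vpnName $cred.UserName $plain
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }

# 5. Confirm the split: only the added prefixes should appear on the VPN interface.
Get-NetRoute -InterfaceAlias $vpnName -AddressFamily IPv4 |
    Select-Object DestinationPrefix, NextHop, RouteMetric
```

If the interface listing still shows 0.0.0.0/0, the connection was created earlier without -SplitTunneling; run Set-VpnConnection -Name $vpnName -SplitTunneling $true and reconnect.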

After that you can try to connect again.

That's all from me; if you find an issue, you can ask in the comments.

Thanks guys
See you


Labels: Cisco, Networking, Meraki, Troubleshoot
