![]() UPDATE: I've done some additional testing here. Here's hoping one of you can smack some sense into me and show me where I fudged up! Meraki gurus: what the heck am I missing, here? Inside, outside, farside, nearside, none of my devices can establish a Client VPN tunnel with my MX firewalls! I'm sorely tempted to fire up a Windows box with the VPN role installed there instead, though I'd much rather avoid building the necessary routes for such a thing and instead use what Meraki gives me on their Firewalls. Google Fu turned up nothing specific to Site-to-Site VPN and Client VPN interfering with each other, and for what it's worth, I also didn't have these issues configuring SonicWALLs in a previous job, so I'd be very surprised if activating one somehow blocked the other, especially with no warning from the interface or documentation. Unfortunately, the only thing I can find is that their Client VPN is configured on a MX device with no site-to-site VPN configuration whatsoever, a luxury I don't have being a secondary site. The benefit of the entire company using Meraki is that I can check their configurations to see what I might be missing. This behavior is repeated with the Windows laptop on the guest VLAN (with no routes to internal resources, thus forcing it to exit the network and then hit the public IP). Not much use there, though the iOS device fails the tunnel pretty instantly as a result. This behavior was exhibited by an iOS 10 device on T-Mobile's network (which uses IPv6 with what appears to be IPv4 NAT, near as I can tell).įrom the same iOS device internally, it sends repeated Identity protection packets to the MX, while the MX responds with "Destination unreachable (Port unreachable) messages. Packet Capture for iOS clients shows ISAKMP happening between the Meraki MX devices and the iOS device, including six Identity Protection packets, followed by a repeating loop of "Quick Mode" requests from the iOS device, and "Informational" responses from the Meraki, before a final "Informational" packet is sent by the iOS device to the Meraki at the thirty second timeout. Even Meraki's documentation on error 789 specifically did not help me resolve the issues. I've tried both internal (using the MX's internal IPs) as well as the external IPs (both public IPs, as well as the shared virtual IP) with no success whatsoever. Windows reports error 789 in Event Viewer, and iOS won't connect either. The problem is that no matter what I do, I cannot get any device to connect to it and start a tunnel session. With the old infrastructure given the heave-ho here, and Meraki running everything but the phones, cameras, and MDM, I've been tasked by HQ with setting up the Client VPN. All routes are connected and functioning beautifully. Site-to-Site VPN for my site is a spoke with the main Data Center being our Hub (we're a continental HQ, not the main HQ), and two non-Meraki peers: US Data Center, and Main HQ ASA. ISP Edge 02 -> MX84 02/Internet 1 -> Meraki Switches ISP Edge 01 -> MX84 01/Internet 1 -> Meraki Switches Alright, I've been tearing my hair out for the better part of a week here, struggling to get Client VPN functioning in my environment.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |