I’m an admin of multiple organizations and I use client VPN to dial in to my clients’ networks to do maintenance work. I realized that on my work laptop with Windows 10 1909 (18363.270) I can’t establish a VPN connection to any of my clients’ security appliances.
Here’s how I set up a VPN connection:
I take the public IP of WAN1
choose L2TP/IPsec with PSK
copy-paste the PSK from the dashboard and use my username and password combination for authentication. Furthermore, I allow “unencrypted password (PAP)” and “Microsoft CHAP Version 2 (MS-CHAP v2)” in the network adapter settings.
So far so good, but for some reason it doesn’t work on my company laptop. I tried setting the VPN profiles up on my private Windows 10 laptop (same build) and I encountered no issues.
Also: I tried connecting by wire, wirelessly and on a metered connection using tethering with my mobile phone. My network settings are always on DHCP, the public IP is pingable.
I also tried to set the registry key AssumeUDPEncapsulationContextOnSendRule which in the past worked when the client VPN couldn’t connect.
I receive the following error in the network settings of Windows 10: “The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.”
I kind of ran out of things to try out. What should I do? I’d be very grateful for a suggestion on how to solve this. Can anyone point me to the right direction? Thanks
Edit: OK, I found where the issue was. For some reason the service “IKE and AuthIP IPsec Keying Modules” was disabled. I changed the startup type of the service to “Automatic” and did a reboot. Now everything’s back to normal.
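An added example, not from any post in this thread: a PowerShell check for the two services L2TP/IPsec depends on (the OP’s culprit, IKEEXT, is “IKE and AuthIP IPsec Keying Modules”) and the AssumeUDPEncapsulationContextOnSendRule value mentioned above, plus a function that builds the same profile as the GUI steps. The hostname and PSK are placeholders; the service repair needs an elevated session.

```powershell
# Added example (not the thread's own code). Run in an elevated PowerShell session.

function Test-L2tpPrereqs {
    $result = [ordered]@{}
    # IKEEXT = "IKE and AuthIP IPsec Keying Modules", PolicyAgent = "IPsec Policy Agent".
    # Both must be running for L2TP/IPsec; the OP's failure was IKEEXT being disabled.
    foreach ($name in 'IKEEXT', 'PolicyAgent') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $result[$name] = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'missing' }
    }
    # NAT-T flag from the thread: 2 = client and server may both sit behind NAT (KB 926179).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
    $nat = Get-ItemProperty -Path $key -Name AssumeUDPEncapsulationContextOnSendRule `
        -ErrorAction SilentlyContinue
    $result['AssumeUDPEncapsulationContextOnSendRule'] =
        if ($nat) { $nat.AssumeUDPEncapsulationContextOnSendRule } else { 'not set' }
    return [pscustomobject]$result
}

function Repair-L2tpServices {
    # Mirrors the OP's fix: startup type Automatic, then start the keying services.
    foreach ($name in 'IKEEXT', 'PolicyAgent') {
        Set-Service -Name $name -StartupType Automatic
        Start-Service -Name $name
    }
}

function New-MerakiL2tpProfile {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ServerAddress,   # dashboard hostname rather than the WAN1 IP
        [Parameter(Mandatory)] [string] $Psk
    )
    # Same settings as the GUI steps in the post: L2TP/IPsec with PSK, PAP and MS-CHAP v2 allowed.
    Add-VpnConnection -Name $Name -ServerAddress $ServerAddress -TunnelType L2tp `
        -L2tpPsk $Psk -AuthenticationMethod Pap, MSChapv2 -EncryptionLevel Optional `
        -RememberCredential -Force
}

Test-L2tpPrereqs | Format-List
# Repair-L2tpServices   # only if the check above shows IKEEXT/PolicyAgent stopped or Disabled
# New-MerakiL2tpProfile -Name 'ClientX VPN' -ServerAddress 'PLACEHOLDER.dynamic-m.com' -Psk 'PLACEHOLDER_PSK'
```

If the check reports IKEEXT as Disabled, that alone produces the “security layer encountered a processing error” message the OP saw, so fix the service before touching the profile or the registry.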
Make sure you’re not copy-pasting in the dynamic-m.com hostname or the WAN1 IP.
Type everything in manually, especially the PSK (or copy-paste it into Notepad first).
Username and password: leave them blank, but select that as the auth type (or whichever is relevant).
Require: Remove Microsoft CHAP Version 2 (MS-CHAP v2) and keep on PAP
Are you clicking Connect on the VPN connection entry through the Wi-Fi connection in the system tray, or are you going through VPN in Windows 10 Settings? Don’t connect through the Wi-Fi system tray.
Another thing you can dick around with is to find rasphone.pbk, shortcut it to the desktop and try to connect that way.
There are so many other retarded rain dance methods or workarounds that we’re all clearly quite sick of it. You may have to just accept it; you can try re-imaging your Win10.
Someone mentioned using the Draytek VPN client; I never tried that myself.
Edit: also, you’ve probably seen reports of complicated PSKs with symbols in them being the problem, so keep the PSK simple with numbers or letters.
Guys, for heaven’s sake, why don’t you just stick to CMAK, install the role, go figure out the installer to the end, protect it with a PIN and end users will self-deploy it in minutes…
Notes:
Guess ur using RADIUS/NPS to authenticate?
Don’t connect via the wifi in systray, totally f*up, doesn’t work
Leave PAP only
DO use HOSTNAME, makes it easier down the road if u change the IP
Think of the mass-deployment and if an update tits-up the VPN client or u make changes down the road… With CMAK u just provide it to end users, they click through and ur done with it…
U can mass-redeploy as many times and as often, and u keep it simple to urself and them (which is more important as they don’t nag u too much :D)
Tell them to set up a shortcut for the VPN on the Start menu, makes their (and your) life easier a LOT
Bang-up a short how-to so they don’t call you over and over again just tell them RTFM
Client VPN not working, ohhh sweet JFC
a) restart ur damn lpt
b) have u changed ur freakin’ password
c) tell them to remove & reinstall the VPN Client, remember, using CMAK they do it on their own
Pull the AD report on User Pass expiry and have it at hand, so when they call u can quickly cross-check
Last but not LEAST, do make sure ur INFRA is setup correctly and works flawlessly…
Wham-Bam Thank u Mam
Spend the extra time u get after deploying this in reading something useful and enjoying that well deserved Coffee
Got dozens happily clicking for months and getting a call only when their pass expires or I restart NPS
One thing you can try (that I haven’t seen mentioned here yet) for Windows 10 PCs is to uninstall all WAN Miniports in the Device Manager. Then restart the machine, which reinstalls those same WAN Miniports.
Not a fix for all Windows 10 machines but sometimes you get lucky.
I got so sick of the Windows/Meraki client VPN stuff that I moved away from it completely and now I’m deploying OpenVPN over pfSense.
It’s amazingly simple to configure, the clients are super simple to install and I rarely need to help users get themselves set up. Usually only the ones who refuse to read and follow the very clear step-by-step instructions I provided to them.
I have a fairly equal mix of Windows and Mac users, and once set up not a single user has had a problem since.
I realise this doesn’t solve your specific problem with the equipment you have, but perhaps this comment might be remembered in the future when someone has to set something up fresh.
The Meraki Client VPN is very fussy. It has to be perfect or else it just won’t connect.
If you delete and start from scratch and follow this like a complete noob, then it will likely work for you. Like many, I’ve wrestled with enough VPNs to think I know what I’m doing, and which steps matter and which aren’t important. What I’ve learnt with the Meraki VPN is that it is so fussy that if you haven’t followed the instructions perfectly, it’s going to fail. Second-guessing it will end in failure…
Don’t use the WAN IP - use the generated hostname from the Meraki dashboard.
You wouldn’t think it makes a difference, but I think that the logon request contains the hostname / WAN IP you’re asking to log on to. And that logon process isn’t local to the MX device; it’s handled by the Meraki Cloud, and the hostname will allow it to properly look up your MX device and the allowed client dial-ins. Doing it by IP should work, but I’m not always sure that when authenticating against the Meraki Cloud, the Meraki Cloud can match up the destination IP address & your authentication request against your MX configuration. Counterintuitively, I think it’s an extra lookup when dialing in by IP address.
(this is a guess BTW)
If that still doesn’t work - then pastebin the recent output from “Network-wide” → “Event Log” from the dashboard (sanitising for anything confidential) and then post the link to the pastebin here
We have run into a few issues with ISPs this week. In one case a cable modem just needed to be reset. In another, she has to open a support case with the ISP. The laptop could connect from a phone tether but not from her home network. Can ping the public IP. Can’t handshake and make the connection.
Not copy/pasting the Meraki DDNS sounds so painful. I can’t understand the logic. Pro tip: just make a CNAME that points to it so that you have vpn.companyx.com pointing to whatever Meraki gives you.
Suggesting that the PSK be typed in manually means you’re definitely using a bad PSK. 26 characters is the minimum for PCI compliance.
The rest of this is sage advice tho. Respect to my man in the trenches right now, salute.