Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX64 Client VPN Setup

Solved
Seth_B
New here
‎May 28 2024 8:56 AM
‎May 28 2024 8:56 AM

MX64 Client VPN Setup

Hello there,

At our office, we have a Cisco Meraki MX64 and we've been trying to setup a VPN server to allow remote workers to connect to the MX64 and be able to access devices on the local network. I've set up a Wireguard VPN server on the MX64 and am able to make a successful VPN connection to the firewall from a remote network, but the firewall is only routing the traffic back out to the internet and never into the local network.

I've tried looking into how to setup different firewall rules and VPN settings to allow access to the local network, but nothing has been working. I am wondering if there is something specific I should be configuring on the device, or if I misunderstood what a client VPN was used for and should use something else like the site-to-site VPN.

Thanks in advance for any responses.

0 Kudos
Subscribe
1 Accepted Solution
In response to Seth_B
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 28 2024 10:44 AM
‎May 28 2024 10:44 AM

Go to Security & SD-WAN > Configure > Site-to-site VPN and enable Client VPN in VPN mode.

 

alemabrahao_0-1716918201874.png

This way you will receive the routes for your Local network. But remember that you must enable VPN mode for your local networks if it is not enabled.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

View solution in original post

0 Kudos
Subscribe
6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 28 2024 9:11 AM
‎May 28 2024 9:11 AM

Your problem is actually routing, you need to have a route to the networks behind the MX in your wireguard pointing to the MX as the next hop and in the MX you must create a return route.

It would be of great help if you had a topology of your network.

Another question, why don't you use Meraki VPN instead of Wireguard?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
In response to alemabrahao
Seth_B
New here
‎May 28 2024 9:26 AM
‎May 28 2024 9:26 AM

Hello,

I just wanted to start off by saying thanks for responding to my post so swiftly.

 

I have one question on where I am confused, and it's on the difference between Meraki VPN and Wireguard. In the Meraki Portal, I am able to go to a section titled "Client VPN" and setup a server on the Cisco Meraki where I use Wireguard to connect to the firewall.

If there is another option called "Meraki VPN" that would allow remote users to connect to the firewall to be able to access local network resources, I am for it. But I am just curious as to what is "Meraki VPN" and if that is what I am using or not. If not, where would I go to configure the Meraki VPN.

0 Kudos
Subscribe
In response to Seth_B
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 28 2024 9:38 AM
‎May 28 2024 9:38 AM

In fact, you're the one who made me curious, as far as I know, Meraki only works with Client VPN and Anyconnect.

In the Client VPN itself, you will use the native Windows Client (L2TP Connection) to configure the client's VPN connection.

And Anyconnect uses Cisco's Secure Client application.

Can you share a Wireguard screenshot that you commented on? If Meraki is offering this it appears to be a new feature.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Seth_B
New here
‎May 28 2024 10:24 AM
‎May 28 2024 10:24 AM

I'm terribly sorry. I was researching a couple of different options, with one of them being a separate server hosting Wireguard, and have been incorrectly calling the Meraki VPN Wireguard. I now see what you are saying about there being the Meraki VPN and AnyConnect as the two options.

Now that we have that clarified, do i still need to figure out some kind of routing rule between the client VPN subnet and the local network subnet? And should I stick with the Client VPN that I have been using or should I switch to using AnyConnect instead?

0 Kudos
Subscribe
In response to Seth_B
alemabrahao
Kind of a big deal
Kind of a big deal
‎May 28 2024 10:44 AM
‎May 28 2024 10:44 AM

Go to Security & SD-WAN > Configure > Site-to-site VPN and enable Client VPN in VPN mode.

 

alemabrahao_0-1716918201874.png

This way you will receive the routes for your Local network. But remember that you must enable VPN mode for your local networks if it is not enabled.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
Seth_B
New here
‎May 28 2024 12:12 PM
‎May 28 2024 12:12 PM

So I did some fiddling around (deleting and remaking the subnets) and they are now able to reach each other. Thank you very much for your help and walking me through how to solve the issue. I thank you very much and wish you the best.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.