Thank you for your answer. Yes, I have one MX and two different networks or sites (each network has its VLANs). If the Meraki only lets me create one Client VPN subnet, how can I differentiate so that a client can access one network and not the other?
There is no workaround to apply different group policies to Client VPN users as of today. Can I ask you to use the dashboard "Make a wish" section to add this request? I think it is a valid request, and using the Make a wish section will help our product and engineering teams consider these new enhancements.
Actually, the possibilities are highly limited here. The traffic from VPN clients is subject to the L3 firewall, but for your use case, you would need differentiated access. And as we cannot apply group policies via RADIUS for VPN users the way it is possible for wireless users, all clients are treated the same.
I really hope for more possibilities with the coming AnyConnect support.
How do I solve this problem? Nearly all my Meraki implementations have an additional ASA for all client and external S2S VPNs. A cheap Firepower 1010 is very often enough here.
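To illustrate the ASA approach described in the post above, the following is an added example configuration, not from the original thread and not Meraki configuration. It shows how an ASA gives remote-access VPN users differentiated access through per-group vpn-filter ACLs, which is what the MX Client VPN cannot do. All addressing, pool, ACL, group-policy and user names are assumptions; the AnyConnect/IKEv2 enablement on the outside interface is assumed to be configured already.

```cisco
! Added example, not from the thread. Assumed addressing:
!   Pool for site A users: 10.99.1.0/24    Site A VLANs: 10.1.0.0/16
!   Pool for site B users: 10.99.2.0/24    Site B VLANs: 10.2.0.0/16
!
! Separate address pools keep the two user populations apart on the wire;
! the vpn-filter ACLs enforce which site each group may reach.
ip local pool POOL_SITEA 10.99.1.10-10.99.1.250 mask 255.255.255.0
ip local pool POOL_SITEB 10.99.2.10-10.99.2.250 mask 255.255.255.0

! vpn-filter ACLs are written with the remote client as the source. The ASA
! applies them to both directions of the tunnel, so one permit per site is
! enough; the implicit deny blocks the other site. With the default
! "sysopt connection permit-vpn", interface ACLs are bypassed for VPN
! traffic, so the vpn-filter is the control that actually applies here.
access-list VPNFILTER_SITEA extended permit ip 10.99.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list VPNFILTER_SITEB extended permit ip 10.99.2.0 255.255.255.0 10.2.0.0 255.255.0.0

! Split tunnel: only push the routes each group is allowed to use.
access-list SPLIT_SITEA standard permit 10.1.0.0 255.255.0.0
access-list SPLIT_SITEB standard permit 10.2.0.0 255.255.0.0

group-policy GP_SITEA internal
group-policy GP_SITEA attributes
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value POOL_SITEA
 vpn-filter value VPNFILTER_SITEA
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_SITEA

group-policy GP_SITEB internal
group-policy GP_SITEB attributes
 vpn-tunnel-protocol ikev2 ssl-client
 address-pools value POOL_SITEB
 vpn-filter value VPNFILTER_SITEB
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_SITEB

! Default policy for the tunnel-group: a user who is not explicitly mapped
! to a site policy cannot log in at all (fail closed).
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 default-group-policy GP_NOACCESS
tunnel-group RA_VPN webvpn-attributes
 group-alias corp enable

! Local users mapped to their site policy (hypothetical names). With a RADIUS
! server instead, return the policy name in the IETF Class attribute (25) as
! "OU=GP_SITEA;" and the ASA applies the same group policy per user.
username alice password <set-a-real-password>
username alice attributes
 vpn-group-policy GP_SITEA
 service-type remote-access
username bob password <set-a-real-password>
username bob attributes
 vpn-group-policy GP_SITEB
 service-type remote-access
```

Once connected, alice lands in POOL_SITEA and can only reach 10.1.0.0/16, while bob lands in POOL_SITEB and can only reach 10.2.0.0/16; a user without a mapped policy is refused by GP_NOACCESS. Verify with "show vpn-sessiondb anyconnect" (the Group Policy and Assigned IP columns) and "show access-list VPNFILTER_SITEA" hit counts.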
Not in the way that you would have an FMC and FTD managed by the Meraki cloud. For having *one* cloud-managed solution, the Cisco Defense Orchestrator (CDO) is the Cisco solution. But it is likely that it does not fit your needs (yet). But you can still manage the FTD/ASA locally. Yes, I also do not really like that, but for now, it is IMO the only usable way.