Site-to-Site VPN Setup

SOLVED
Billys
Conversationalist

I have an MX64 and a Z3 Teleworker.

My network is configured with a Windows Server 2016 machine that handles DHCP and Active Directory.  On my network I have another server that runs our ERP software, which communicates on port 9540.

The workstations on the network have the ERP desktop client, which points to the server by WINS name \\ERP01 and port 9540.  

This works fine internally on Ethernet or Wi-Fi at the HQ site where the MX64 is set up.

My setup is like so:

[image: network setup.jpg]

The MX64 does not hand out any IP addresses; it is in Passthrough mode, since my Win2016 Server domain controller (192.168.0.254) handles DHCP and users in Active Directory.

But the Z3 does have DHCP enabled, and hands out 192.168.128.0/24 addresses.

At this time, I have successfully set up the MX64 to connect and work with Client VPN, where it authenticates against my LDAP.  The local DHCP is 192.168.0.0/24 and my Client VPN is the 192.168.1.0/24 subnet.  It works; the Client VPN allows users to connect because I have the WINS server set up in the settings (VPN IPv4 and NetBIOS enabled settings) to point to 192.168.0.254 (my domain controller).  So my ERP client software does indeed connect using the UNC path \\ERP01 and port 9540.

What I want to do is setup Site-to-Site VPN with the Teleworker Z3 device.  But I run into issues that stop it from working altogether, and I don't understand what is preventing traffic from passing correctly.

I have reached out to Meraki support but they were not very helpful.  They suggested that I use NAT mode, which I tried.  That connected the two devices over VPN, but then both the MX64 and Z3 stopped passing all traffic, so that took down the internet completely at both sites.  So then I tried the Passthrough setup, which says I have to set up a subnet for the VPN.  I set that one as 192.168.2.0/24 and it connected, but it would not allow the Z3 to map to any resources on the MX64 side.  I could not find any documentation on the way I need to set up the Z3 or MX64 so that traffic from the workstation is translated to the HQ network, allowing a computer to do network authentication or file sharing.

I have made sure there are no firewall settings that block file sharing or networking ports on either device.  

I am unsure if I should be setting any additional settings on the workstation to search for a WINS server through the VPN connection, like 192.168.0.254 (my domain controller).  I am also unsure how to do bridging, if necessary, to handle the site-to-site VPN.  It's mentioned in a couple of articles on the Meraki KB, but it's not an option in my dashboard.  I have tried this in modes where the MX64 is HUB, and the Z3 is HUB or SPOKE.  Preferably the Z3 should be SPOKE, but both setups have always led to the same issue: cannot ping 192.168.0.254, but the VPN is connected.  The workstation on the Z3 side is part of the MX64 (HQ) domain.  It is authenticated, and connects fine using the Meraki Client VPN.  It's only the Site-to-Site VPN that does not work.  The idea of this setup is to give the Z3 to a traveling user who will connect to hotel internet, use a cellular hotspot USB, and connect at home, allowing them to securely connect and use the ERP software, which requires PCI-DSS compliance.

Here are the articles I have read and tried:
https://documentation.meraki.com/MX/Site-to-site_VPN/Using_Site-to-site_VPN_Translation
https://documentation.meraki.com/MX/Site-to-site_VPN/Site-to-site_VPN_Settings
https://documentation.meraki.com/MR/Client_Addressing_and_Bridging/Resolving_NAT_Mode_and_Site-to-si...

I'm hoping someone else has a setup similar to mine, or can point me to a correct guide that sets this up right.  All the videos I've seen on YouTube are demonstrations of the old Dashboard.  They show how to get the VPN connected, but never how to test and make sure traffic passes over it.  Your help is greatly appreciated in advance.

EDIT: SOLVED - Look at my last post to see the screenshots of my final setup that got this working.

1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

First, can the Z3 site ping your AD controller by IP address?

Assuming that is the case, configure the DHCP on the Z3 to give out the DNS server IP address of your AD controller.  Then you'll be able to access resources by name again.

6 REPLIES
NolanHerring
Kind of a big deal

Are you split-tunneling or doing full-tunnel for the VPN once it's connected?
Nolan Herring | nolanwifi.com

That's a question I can't answer because I don't know how that is done.

What I can say is I am not doing load balancing, and I'm not making specific subnets to handle certain traffic.  That is as much as I know.

So I assume I'm doing full tunneling...?


MMoss
Building a reputation

What are you using subnet- and VLAN-wise? I see it's 192.168.128.0/24 on the Z3, but the best I can tell is you are using a .0 on the MX64 side of the network and a .1 for the VPN. Can your MX64 see the .128 subnet? Does it have a static route directing the subnet to the gateway?

For example, on our MX84, which is the hub of the VPN tunnels, the range is set to take xxx.xxx.0.0/16 over a static route to the gateway. We have 20 remote locations; the subnets are all /24 and joined into the VPN as spokes.
Billys
Conversationalist

PhilipDAth,

I feel silly now that I didn't do this.  That was literally the last step I needed to set this up.  Putting 192.168.0.254 (my domain controller/DNS/DHCP server) in the Z3 Name Servers field under DHCP settings fixed the problem!  Thank you!

For anyone else wondering what the final setup was, here are screenshots.  Hope this helps others who are scratching their heads like I was.  
[image: MerakiMX64dhcp.jpg]
[image: MerakiMX64dp.jpg]
[image: MerakiMX64s2s.jpg]
[image: MerakiZ3dhcp.jpg]
[image: MerakiZ3dp.jpg]
[image: MerakiZ3s2s.jpg]

NolanHerring
Kind of a big deal

FYI, since I just noticed that you have 'Default Route' checked: this means that the Z3 will do full-tunnel, so any local internet traffic will also traverse the VPN.  If you uncheck that, internet traffic will exit locally and only traffic routed for internal subnets will go over the VPN.
Nolan Herring | nolanwifi.com
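The original question (how to actually test that traffic passes over the tunnel), the accepted fix (Z3 DHCP handing out the DC as name server) and the Default Route / full-tunnel remark can all be checked in one pass from the domain-joined workstation behind the Z3. The PowerShell below is an added example, not something posted in the thread; it uses only the addresses, host name and port given above, and `$DnsSuffix` is an assumed placeholder for the AD DNS suffix that must be replaced. It tests the layers in the order a tunnel actually fails: IP reachability, then name resolution, then the TCP ports the ERP client needs.

```powershell
# Added example (not from the thread). Run on the Windows workstation behind
# the Z3. Needs the built-in NetTCPIP / DnsClient cmdlets (Windows 8/2012+).
$Dc        = '192.168.0.254'   # HQ domain controller = DNS + DHCP (what Z3 DHCP must hand out)
$ErpName   = 'ERP01'           # ERP server, reached by UNC name
$ErpPort   = 9540              # ERP client port
$DnsSuffix = 'corp.example'    # ASSUMED placeholder: replace with the real AD DNS suffix

function Test-HqOverVpn {
    $r = [ordered]@{}

    # 1. Did the Z3's DHCP give this client the DC as its DNS server?
    #    (PhilipDAth's fix. Without this, nothing that uses names will work.)
    $dns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses }).ServerAddresses
    $r.DnsServers = $dns -join ','
    $r.DnsIsDc    = [bool]($dns -contains $Dc)

    # 2. Plain IP reachability across the AutoVPN tunnel. If this fails the
    #    problem is routing / which subnets participate in the VPN, not DNS.
    $r.PingDc = Test-Connection -ComputerName $Dc -Count 2 -Quiet -ErrorAction SilentlyContinue

    # 3. Name resolution, asking the DC directly (-Server) so a wrong client
    #    DNS setting cannot mask a working tunnel. Try short name, then FQDN.
    $r.ErpIp = $null
    foreach ($n in @($ErpName, "$ErpName.$DnsSuffix")) {
        $a = Resolve-DnsName -Name $n -Server $Dc -Type A -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if ($a) { $r.ErpIp = $a.IPAddress; break }
    }

    # 4. The two TCP ports the ERP client needs: the application port and
    #    SMB 445 for the \\ERP01 UNC path. Tested against the resolved IP so the
    #    result reflects the tunnel and firewall rules, not name lookup.
    $r.ErpPortOpen = $false
    $r.SmbOpen     = $false
    if ($r.ErpIp) {
        $r.ErpPortOpen = (Test-NetConnection -ComputerName $r.ErpIp -Port $ErpPort `
                          -WarningAction SilentlyContinue).TcpTestSucceeded
        $r.SmbOpen     = (Test-NetConnection -ComputerName $r.ErpIp -Port 445 `
                          -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # 5. Full- vs split-tunnel (NolanHerring's point). With "Default Route"
    #    checked, internet traffic goes to HQ first: the hops after the Z3
    #    (192.168.128.1) should be HQ-side rather than the hotel/hotspot gateway.
    $r.InternetPath = (Test-NetConnection -ComputerName 8.8.8.8 -TraceRoute `
                       -WarningAction SilentlyContinue).TraceRoute -join ' > '

    # Map the first failing stage to the layer to look at.
    $r.Diagnosis = if (-not $r.PingDc) {
        'Tunnel/routing: DC unreachable by IP. Check both subnets are in the site-to-site VPN and the Z3 is a spoke of the MX64 hub.'
    } elseif (-not $r.ErpIp) {
        'DNS: DC reachable but ERP01 does not resolve against it. Check the DC zone / DNS suffix.'
    } elseif (-not $r.DnsIsDc) {
        'Client DNS: ERP01 resolves via the DC, but the Z3 DHCP is not handing out 192.168.0.254 as name server.'
    } elseif (-not ($r.ErpPortOpen -and $r.SmbOpen)) {
        'Firewall/ACL: tunnel and DNS are fine but TCP 9540 and/or 445 is blocked or the service is down.'
    } else {
        'OK: tunnel, DNS and ERP ports all reachable from the Z3 side.'
    }

    [pscustomobject]$r
}

Test-HqOverVpn | Format-List
```

Run it once with the VPN freshly connected and again after `ipconfig /renew`, because the DHCP name-server change on the Z3 only reaches a client when its lease is renewed; `DnsIsDc` flipping from False to True is the signal that the accepted fix has actually landed on the workstation.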