Amazon access from Client VPN

EricC
Conversationalist

Hi everyone,

I'm not sure if this would be a "split tunnel" issue or what. But here's the setup we have:

Internal LAN (Meraki): 10.0.0.0/24
Client VPN: 10.0.3.0/24
Amazon VPN: 10.128.1.0/24

We currently have a Meraki MX64 that provides us with VPN access to our systems on Amazon. Computers on the 10.0.0.0 subnet can access computers on the Amazon 10.128.1.0 subnet. When a VPN client connects to the Meraki, it gets a 10.0.3.0 IP address and can access everything on our internal LAN. However, it can NOT access the devices on the Amazon side, and vice versa.

Back on our ASA we used to have routing set up that would allow this. However, I don't see where I can do this on the Meraki. Does anyone have any experience with this?

Eric

NolanHerring
Kind of a big deal

What or where is the device telling users on 10.0.0.0/24 how to get to 10.128.1.0/24?
Nolan Herring | nolanwifi.com

Hi Nolan,

That's the Meraki. Its IP is 10.0.0.1 and it has the VPN tunnel established to Amazon. From there, users on our internal LAN (10.0.0.0/24) can access 10.128.1.0/24.

Eric

NolanHerring
Kind of a big deal

There is a route somewhere though telling internal how to get to Amazon somewhere, assuming it's on the MX64? Not sure what your addressing and VLAN settings look like, can you share those?

I've never messed with the client VPN portion but I would imagine they'll need a route on how to get to Amazon as well
Nolan Herring | nolanwifi.com

Hi Nolan,

Thanks for the reply. That's what I'm struggling to figure out as well. WHERE to put the routing statement saying "If you're on the 10.0.3.0 subnet and want to go to the 10.128.1.0 subnet, go HERE". The Meraki is already doing the routing for that to an extent between our local LAN and Amazon, but apparently not telling the CLIENT VPN where to go. I've attached a screenshot of the VLAN setting. I tried to add a static route to the Amazon VPN but I get the following message: "The static LAN route subnet 10.128.1.0/24 conflicts with a remote VPN subnet on the non-Meraki peer (10.128.1.0/24)."

Clipboard01.jpg


Nash
Kind of a big deal

Please pardon me if I missed this but:

Is your client VPN subnet allowed to participate in VPN tunnels?

Is the VPN subnet allowed on the tunnel to Amazon on the AWS end?

EricC
Conversationalist

Hi Nash,

Thanks for the reply. I'm sorry I forgot to include a screenshot, but yes, the 10.0.3.0 client VPN subnet is set to "Yes" under "VPN Participation". I'm also working with Amazon to allow the routing as well. I just added a static route on Amazon's side for 10.0.3.0 and they also responded with this:

"You need to summarize the two subnets, which are 10.0.0.0/24 and 10.0.3.0/24, into one /16 network, for example 10.0.0.0/16, at your end (Meraki), so that the 10.0.0.0/16 network under the policy on the Meraki will accommodate both your local networks instead of putting two separate /24 networks. For example: 10.0.0.0/16 -> 10.128.1.0/24. Summarizing both networks into a single network is necessary as the AWS endpoint can have only one inbound and outbound security association active. Hence, having two networks separately inside your policy will cause a disconnect for one of the networks. Hence summarizing both networks into one[1]. Therefore, please enter a single 10.0.0.0/16 network under local subnets and remove the two local subnets that you had before. After making the changes to the policy on the Cisco Meraki, bounce the tunnel."

However, when I attempt to do that on the Meraki, I receive: "The local subnet cannot overlap with the client VPN subnet."

Maybe we're at an impasse? It seems a shame that the old ASA could do this, but not the Meraki.

PhilipDAth
Kind of a big deal

This is one of the reasons why I seldom use the Amazon VPN gateway service, and instead use StrongSwan running on Ubuntu.  But this is quite a bit of work.

https://www.ifm.net.nz/cookbooks/meraki-vpn-to-amazon-aws.html 

EricC
Conversationalist

Hi Phil,

I understand your idea but the problem here I feel is more on the Meraki side. When we had our ASA, I was able to set it up properly to route traffic to and from VPN clients to Amazon. I would hope the Meraki would be able to do the same thing.

Eric

PhilipDAth
Kind of a big deal

Try making the source encryption domain on the Amazon side 10.0.0.0/22. That includes both your local LAN and your VPN subnet.

It still might not work.

I find the Amazon VPN gateway too inflexible. I tend to use StrongSwan on Ubuntu for all VPNs: Meraki, ASA and IOS routers. I can also do more complex configurations, like source and destination NATing prior to VPN.

Plus it's cheaper.
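An added example, not from the thread and not Meraki or AWS code: it takes the address plan Eric posted and checks the /16 that AWS support suggested and the /22 proposed above against the two constraints that came up in the thread, whether the summary covers both the LAN and the client VPN pool, and whether it overlaps the client VPN subnet (which the MX rejects as a local subnet). It also lists the unused address space each summary would pull into the encryption domain. Only the Python standard library is used; the subnets are the ones from the thread, constructed here as inputs.

```python
import ipaddress

# Address plan as posted in the thread (constructed inputs for this example).
INTERNAL_LAN = ipaddress.ip_network("10.0.0.0/24")
CLIENT_VPN = ipaddress.ip_network("10.0.3.0/24")
AMAZON_VPC = ipaddress.ip_network("10.128.1.0/24")


def smallest_supernet(*nets):
    """Smallest single prefix that contains every network in `nets`."""
    nets = [ipaddress.ip_network(n) for n in nets]
    candidate = nets[0]
    # Widen one bit at a time until every network fits; /0 always terminates.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def extra_coverage(summary, *nets):
    """Prefixes inside `summary` that are not one of `nets`: address space the
    summary advertises to the peer although nothing there is in use."""
    pieces = [ipaddress.ip_network(summary)]
    for n in (ipaddress.ip_network(x) for x in nets):
        kept = []
        for p in pieces:
            if n.subnet_of(p):
                kept.extend(p.address_exclude(n))   # carve n out of p
            elif not p.subnet_of(n):
                kept.append(p)                      # untouched piece
        pieces = kept
    return sorted(ipaddress.collapse_addresses(pieces))


def evaluate_summary(summary):
    """Apply the checks that matter in this thread to a proposed summary."""
    summary = ipaddress.ip_network(summary)
    return {
        "covers_lan_and_client_vpn": INTERNAL_LAN.subnet_of(summary)
        and CLIENT_VPN.subnet_of(summary),
        # The MX refuses a local subnet overlapping the client VPN pool; any
        # summary that covers both subnets necessarily trips this check.
        "overlaps_client_vpn": summary.overlaps(CLIENT_VPN),
        "overlaps_amazon_side": summary.overlaps(AMAZON_VPC),
        "unused_space": [str(n) for n in
                         extra_coverage(summary, INTERNAL_LAN, CLIENT_VPN)],
    }


if __name__ == "__main__":
    for proposal in ("10.0.0.0/16", "10.0.0.0/22"):
        print(proposal, evaluate_summary(proposal))
    print("tightest summary:", smallest_supernet(INTERNAL_LAN, CLIENT_VPN))
```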
