Hi Nolan,

 

That's the Meraki. It's IP is 10.0.0.1 and it has the VPN tunnel established to Amazon. From there, users on our internal LAN (10.0.0.0/24) can access 10.128.1.0/24.

 

Eric

There is a route somewhere though telling internal how to get to Amazon somewhere, assuming its on the MX64? Not sure what your addressing and vlans settings look like, can you share those?

I've never messed with the clientVPN portion but I would imagine they'll need a route on how to get to Amazon as well

Hi Nolan,

 

     Thanks for the reply. That's what I'm struggling to figure out as well. WHERE to put the routing statement saying "If you're on 10.0.3.0 subnet and want to go to 10.128.1.0 subnet, go HERE". The Meraki is already doing the routing for that to extent between our Local LAN and the Amazon, but apparently not telling the CLIENT VPN where to go.I've attached a screen shot of the VLAN setting. I tried to add a static route to the Amazon VPN but I get the following message: "The static LAN route subnet 10.128.1.0/24 conflicts with a remote VPN subnet on the non-Meraki peer (10.128.1.0/24)."

 

 

Hi Nash,

 

Thanks for the reply. I'm sorry I forgot to include a screenshot, but yes, the 10.0.3.0 client VPN subnet is set to "Yes" under "VPN Participation". I'm also working with Amazon to allow the routing as well. I just added a static route on Amazon's side for 10.0.3.0 and they also responded with this:

 

"You need to summarize the two subnets which are 10.0.0.0/24 and 10.0.3.0/24 into one /16 network for Ex: 10.0.0.0/16 at your end (Meraki). So that 10.0.0.0/16 network under policy on Meraki will accommodate both your local networks instead of putting two separate /24 networks. For example: 10.0.0.0/16 -> 10.128.1.0/24. Summarizing both the networks into a single network is necessary as AWS end point can have only one inbound and outbound security association active. Hence, you having two networks separately inside your policy will cause disconnect for one of the network. Hence summarizing both the networks into one[1]. Therefore, please enter a single 10.0.0.0/16 network under local subnets and remove the two local subnets that you had before. Once making the changes to the policy on Cisco Meraki, bounce the tunnel."

 

However, when I attempt to do that on the Meraki, I receive: The local subnet cannot overlap with the client VPN subnet.

Maybe we're at an impasse? It seems a shame that the old ASA could do this, but not the Meraki.

This is one of the reasons why I seldom use the Amazon VPN gateway service, and instead use StrongSwan running on Ubuntu.  But this is quite a bit of work.

https://www.ifm.net.nz/cookbooks/meraki-vpn-to-amazon-aws.html 

Hi Phil,

 

I understand your idea but the problem here I feel is more on the Meraki side. When we had our ASA, I was able to set it up properly to route traffic to and from VPN Clients to Amazon. I would hope the Meraki would be able to do the same thing.

 

Eric

Try making the source encryption domain on the Amazon side 10.0.0.0/22.  That includes both your local LAN and your VPN sunet.

It still might not work.

 

I find the Amazon VPN gateway too inflexible.  I tend to use Strongswan on Ubuntu for all VPNs - Meraki, ASA and IOS routers.  I can also do more complex configurations, like source and destination NATing prior to VPN.

Plus its cheaper.