Client VPN cannot see resources at distant end of non-meraki site to site VPN

mel-astrosat
Here to help
Hi Community I hope someone can help.

I have a non-Meraki peer site-to-site VPN into AWS. The AWS end is not a standard customer gateway, so the AWS template was not applicable.

The VPN is up and running with no issues when accessed from within the main subnet, 192.168.100.0/24.

The distant-end subnet is 172.16.0.0/12.

However, if I try to access the resources at 172.16.0.0/12 from my home via the client VPN (the Windows 10 inherent VPN client), I cannot see any of them. The client VPN subnet is 192.168.101.0/24.

Initially I could not see anything in the main subnet either, except, singularly, the Meraki firewall on 192.168.100.1.

The help documentation states that all of the main subnet should be accessible from the client VPN subnet. The only way I gained access to the whole main subnet via the client VPN was by adding an outgoing firewall rule allowing source 192.168.101.0/24 to destination 192.168.100.0/24. I suspect this is masking an incorrect setting but would welcome suggestions.

I read previous community dialogue that revolved around checking that the client VPN subnet and the main subnet were both enabled for VPN. They always have been in my case, so that is not the issue.

Packet captures have helped a bit but are also misleading. For example, if I am in the office running a constant ping from 192.168.100.200 to 172.16.13.221, I receive successful echo returns. When I tracert this path from 192.168.100.200 it shows 192.168.100.1 > 172.16.1.16 > 172.16.13.221.

When I run packet captures I see the ICMP traffic in both directions on the LAN but nothing on the site-to-site VPN. I know it must be passing through the VPN, however, as the pings are successful. (I have raised that question in a separate article.)

If I run a constant ping from home via the client VPN I see echo requests at Client VPN originating from 192.168.101.32 (my allocated IP address on the client VPN subnet), but no corresponding echo returns, which is not surprising as the pings are failing. When I look for packet captures on the site-to-site VPN no traffic is visible. Here is a strange thing: the Meraki support engineer tells me that when he accessed the network over a client VPN that I set up for him, he could see the ping requests from 192.168.101.151 on the site-to-site VPN but no echo returns. His conclusion is that something is amiss at the distant end, and I don't doubt this. However, I cannot understand how I never see packet captures on the site-to-site VPN interface either when pings are originating from the main subnet or from the client VPN subnet.

Incidentally, I have not generated any additional VLANs.

I am still waiting on further messages from Meraki Support, but any advice would be greatly appreciated.

I am still suspecting that a fundamental setting is wrong, based on having to set a firewall rule to allow the client VPN subnet access to the main subnet.

PhilipDAth
Kind of a big deal

Make sure 192.168.101.0/24 is included in your VPN range on your end. Make sure the remote end also has this range in your VPN encryption domain. Make sure AWS has 192.168.101.0/24 in its route table pointing to the VPN appliance. Make sure the AWS security group is allowing this range.

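The four items in this reply can be turned into a mechanical check. The Python below is an added example, not part of the thread and not Meraki or AWS tooling; the subnets are constructed from the values in the question, and the route-table target name `vpn-appliance`, the security-group list and the encryption-domain list are assumptions standing in for what you would read out of the two consoles. It tests each item by prefix containment, so an aggregate such as 192.168.100.0/23 satisfies a check for 192.168.101.0/24, and it reports which checks fail for a given client VPN subnet.

```python
from ipaddress import ip_network

# Constructed data modelled on the thread; none of it is a real configuration.
LOCAL_VPN_SUBNETS = ["192.168.100.0/24", "192.168.101.0/24"]  # MX side: subnets participating in VPN
REMOTE_ENCRYPTION_DOMAIN = ["192.168.100.0/24"]                # AWS peer: remote networks it encrypts to
AWS_ROUTE_TABLE = {                                             # AWS VPC route table: destination -> target
    "172.16.0.0/12": "local",
    "192.168.100.0/24": "vpn-appliance",                       # hypothetical target name
}
AWS_SG_INGRESS = ["192.168.100.0/24"]                           # CIDRs the security group allows inbound
VPN_TARGET = "vpn-appliance"


def covered(prefix, prefixes):
    """True if prefix equals or lies inside any entry of prefixes."""
    net = ip_network(prefix)
    return any(net.subnet_of(ip_network(p)) for p in prefixes)


def check_client_subnet(client_subnet, local_vpn_subnets, remote_domain,
                        route_table, sg_ingress, vpn_target):
    """Return the list of checks from the reply that fail for client_subnet."""
    failures = []
    if not covered(client_subnet, local_vpn_subnets):
        failures.append("local VPN range omits the client subnet")
    if not covered(client_subnet, remote_domain):
        failures.append("remote encryption domain omits the client subnet")
    via_vpn = [dst for dst, tgt in route_table.items() if tgt == vpn_target]
    if not covered(client_subnet, via_vpn):
        failures.append("AWS route table has no route for the client subnet via the VPN")
    if not covered(client_subnet, sg_ingress):
        failures.append("AWS security group does not allow the client subnet")
    return failures


def audit(subnets=("192.168.100.0/24", "192.168.101.0/24")):
    """Run the checks for each subnet against the constructed data."""
    return {s: check_client_subnet(s, LOCAL_VPN_SUBNETS, REMOTE_ENCRYPTION_DOMAIN,
                                   AWS_ROUTE_TABLE, AWS_SG_INGRESS, VPN_TARGET)
            for s in subnets}


if __name__ == "__main__":
    for subnet, failures in audit().items():
        print(subnet, "OK" if not failures else "; ".join(failures))
```

With the constructed data the main subnet passes everything and the client VPN subnet fails the three AWS-side checks, which is the pattern the reply is pointing at. Because containment is used, a broad entry such as 192.168.0.0/16 on the AWS side would satisfy all three AWS checks at once, so an entry that looks right only because it is wide is worth confirming against what you actually intend to expose.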