How does client VPN work, behind the scenes?

evkn

Hello

 

I am setting up a Meraki network for 3 locations, soon to be expanded to 6 or 7.

My experience is with Cisco ASA and Aruba/Procurve networking, so this is a new world for me.

 

I have set up a template for the 3 locations that we want to implement straight away, and most of the setup is pretty straightforward, but I cannot wrap my head around the client VPN routing.

 

We have 8 standard VLANs for all our sites. 7 of which are included in the VPN, 1 is a guest network so that is set as "Same", the 7 others are "Unique" in the template.

 

Client VPN is a template setting and not a per-device setting, so the client VPN subnet is obviously shared on all sites.

I need the Client VPN connected users to be able to access resources on all 3 locations. I found the setting to include the Client VPN subnet in the VPN - but how on earth will that work, when the Client VPN Subnet is the same on all 3 sites?

 

Is the traffic NAT'ed in some way on the MX? If not, does the site-to-site VPN keep track of where to send the traffic from and to a ClientVPN-connected device?

 

To make this extra fun, only the site I am on has the Meraki setup yet. The two other sites have ASA devices. The L2L VPN to these devices is set up and works flawlessly, but I cannot set up the client VPN properly when I don't understand how it works.

 

Hope someone can shed some light on this for me.

 

PhilipDAth

I've never tried using client VPN with a template in this manner before. If you can't make the client VPN subnet unique at each site then you won't be able to use templates.

That was pretty much what I came to as well. Does that mean I have to build separate configurations altogether (wifi, switch, security) for all sites? I cannot see any way to exclude just certain parts of the configuration, e.g. client VPN, from the template. So to me it seems like I have to choose between using templates at all, or have unique subnets on the Client VPN per device. But I may be missing something obvious.

PhilipDAth

Yes, you will need to build separate configs.

 

A good way to start is to get a network working just how you want, and then when you create a new network - copy it.

https://documentation.meraki.com/zGeneral_Administration/Organizations_and_Networks/Cloning_Networks... 
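
The addressing problem discussed in this thread, as an added example that is not part of the original posts and is not Meraki code: a pre-deployment check that flags prefixes advertised into the site-to-site VPN by more than one site. Site names, VLAN labels and all subnets are constructed sample values, and the check models only the addressing, not how an MX or ASA actually handles the routes.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: subnets each site advertises into the site-to-site VPN.
# The "Unique" VLAN differs per site; the client VPN subnet is one template-wide
# value, so every site bound to the template advertises the same prefix.
TEMPLATED = {
    "site-a": {"vlan10": "10.1.10.0/24", "client_vpn": "192.168.100.0/24"},
    "site-b": {"vlan10": "10.2.10.0/24", "client_vpn": "192.168.100.0/24"},
    "site-c": {"vlan10": "10.3.10.0/24", "client_vpn": "192.168.100.0/24"},
}
# The same sites as separately configured (cloned) networks with per-site pools.
CLONED = {
    "site-a": {"vlan10": "10.1.10.0/24", "client_vpn": "192.168.101.0/24"},
    "site-b": {"vlan10": "10.2.10.0/24", "client_vpn": "192.168.102.0/24"},
    "site-c": {"vlan10": "10.3.10.0/24", "client_vpn": "192.168.103.0/24"},
}

def find_vpn_overlaps(sites):
    """Return (site, label, cidr, site, label, cidr) for every pair of prefixes
    advertised by two different sites that overlap (equal or nested)."""
    adverts = [
        (site, label, ipaddress.ip_network(cidr))
        for site, subnets in sites.items()
        for label, cidr in subnets.items()
    ]
    conflicts = []
    for (s1, l1, n1), (s2, l2, n2) in combinations(adverts, 2):
        if s1 != s2 and n1.overlaps(n2):
            conflicts.append((s1, l1, str(n1), s2, l2, str(n2)))
    return conflicts

def owners_of(sites, address):
    """Sites whose advertised prefixes contain `address`. More than one owner
    means a remote peer cannot tell where return traffic should go."""
    ip = ipaddress.ip_address(address)
    return sorted(
        site for site, subnets in sites.items()
        if any(ip in ipaddress.ip_network(cidr) for cidr in subnets.values())
    )

if __name__ == "__main__":
    for name, sites in (("templated", TEMPLATED), ("cloned", CLONED)):
        conflicts = find_vpn_overlaps(sites)
        print(f"{name}: {len(conflicts)} overlapping advertisement(s)")
        for c in conflicts:
            print("  {}:{} {} overlaps {}:{} {}".format(*c))
```
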
