How does client VPN work, behind the scenes?

evkn

Hello

I am setting up a Meraki network for 3 locations, soon to be expanded to 6 or 7.

My experience is with Cisco ASA and Aruba/Procurve networking, so this is a new world for me.

I have set up a template for the 3 locations that we want to implement straight away, and most of the setup is pretty straightforward, but I cannot wrap my head around the client VPN routing.

We have 8 standard VLANs for all our sites. 7 of which are included in the VPN, 1 is a guest network so that is set as "Same", the 7 others are "Unique" in the template.

Client VPN is a template setting and not a per-device setting, so the client VPN subnet is obviously shared on all sites.

I need the Client VPN connected users to be able to access resources on all 3 locations. I found the setting to include the Client VPN subnet in the VPN - but how on earth will that work, when the Client VPN Subnet is the same on all 3 sites?

Is the traffic NAT'ed in some way on the MX? If not, does the site-to-site VPN keep track of where to send the traffic from and to a ClientVPN-connected device?

To make this extra fun, only the site I am on has the Meraki setup yet. The two other sites have ASA devices. The L2L VPN to these devices is set up and works flawlessly, but I cannot set up the client VPN properly, when I don't understand how it works.

Hope someone can shed some light on this for me.

PhilipDAth

I've never tried using client VPN with a template in this manner before. If you can't make the client VPN subnet unique at each site then you won't be able to use templates.

evkn

That was pretty much what I came to as well. Does that mean I have to build separate configurations altogether (wifi, switch, security) for all sites? I cannot see any way to exclude just certain parts of the configuration, e.g. client VPN, from the template. So to me it seems like I have to choose between using templates at all, or have unique subnets on the Client VPN per device. But I may be missing something obvious.

PhilipDAth

Yes, you will need to build separate configs.

A good way to start is to get a network working just how you want, and then when you create a new network - copy it.

https://documentation.meraki.com/zGeneral_Administration/Organizations_and_Networks/Cloning_Networks... 
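
The condition discussed in this thread, checked in code (an added example, not from the posters or from Meraki): given the subnets each site would place in the site-to-site VPN, flag any client VPN or VLAN subnet that overlaps a subnet at a different site. The site names, the data layout and all addresses are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample data: site-a and site-b share one client VPN subnet,
# as they would if it came from a shared template; site-c has its own.
SITES = {
    "site-a": {"vlans": ["10.1.10.0/24", "10.1.20.0/24"], "client_vpn": "10.250.0.0/24"},
    "site-b": {"vlans": ["10.2.10.0/24", "10.2.20.0/24"], "client_vpn": "10.250.0.0/24"},
    "site-c": {"vlans": ["10.3.10.0/24", "10.3.20.0/24"], "client_vpn": "10.250.3.0/24"},
}


def advertised(sites):
    """Flatten to (site, role, network) for every subnet a site puts in the VPN."""
    out = []
    for name, cfg in sites.items():
        for cidr in cfg["vlans"]:
            out.append((name, "vlan", ipaddress.ip_network(cidr)))
        out.append((name, "client_vpn", ipaddress.ip_network(cfg["client_vpn"])))
    return out


def find_conflicts(sites):
    """Return pairs of subnets from different sites that overlap.

    overlaps() is true for identical subnets and for nested ones
    (for example a /25 inside another site's /24), so both cases are caught.
    """
    conflicts = []
    for (s1, r1, n1), (s2, r2, n2) in combinations(advertised(sites), 2):
        if s1 != s2 and n1.overlaps(n2):
            conflicts.append(((s1, r1, str(n1)), (s2, r2, str(n2))))
    return conflicts


if __name__ == "__main__":
    found = find_conflicts(SITES)
    for left, right in found:
        print("overlap:", left, "<->", right)
    if not found:
        print("no overlapping subnets between sites")
```
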
