MX64 / AWS site to site

cfrankli
Just browsing


Problem statement: connecting to AWS EC2 instances via ssh by remote users connecting via Meraki VPN. I have an MX64 with a site to site tunnel to our AWS environment and need our remote employees to be able to connect to EC2 instances in our VPC using ssh (terminal / PuTTY). My site to site connection, using a single tunnel, shows as UP on the AWS side as well as in the Meraki dashboard (and I have learned to live with the daily AWS warning that I don't have redundant tunnels). There are times when I can connect to the EC2 instances (10.x.x.x addressing) via ssh without an issue, but remote users can't. Note: I'm at the location of the MX64W. The inverse is also true - a remote user can connect but I can't. I've been on multiple calls with AWS and Meraki and everyone is saying the configurations check out. Considering bringing back an ASA 5505 and having it handle the AWS side, but it seems like that's just complicating things. Putting this out to the community hoping someone might have some insights or a recommendation to follow. At this point, I'm wanting to pitch the Meraki appliance in lieu of another solution (out of frustration).

GreenMan
Meraki Employee

When you say 'remote users' - how are they connected back to the site with the MX64 which hosts the non-Meraki VPN tunnel to AWS?

cfrankli
Just browsing

Yes. The individual establishes a VPN connection to the MX64W via ConnectVPN (L2TP) or Windows native VPN as described in the Meraki Client VPN OS Configuration document (which works well). The troubles appear when an individual tries to connect to the AWS instance. An example: 2 days ago I was able to ssh into hosts in the subnet without any issues, however my colleague could not. I enabled ICMP in the inbound Security Group originating from our internal address range and was able to ping the hosts, however she was not. Later that day, my connectivity dropped and has been down for the past two days. I can usually clear things up by resetting / swapping the tunnel connection from one AWS IP to the secondary, but this is cumbersome.

To summarize: remote user initiates VPN -> Meraki MX64. Desired behavior is that the user can access hosts in AWS via the site to site tunnel established between the MX64W, which is defined as the AWS customer gateway, and the AWS virtual private gateway.

Hope that helps.

Brian_V
Here to help

Did you add the remote users' subnet (i.e. the VPN pool) into the interesting traffic? Settings under VPN Settings >> Local Traffic; make sure it's set to VPN On. In addition, did you add it on the AWS side? If you trace when connected, what path is it taking?

cfrankli
Just browsing

@Brian_V - yes, the remote user subnet (192.168.4.0/24) is included in the interesting traffic and VPN is On. The SG is allowing traffic from 192.168.0.0/24. I rebooted the appliance and ssh is permitted from my local network - need to confirm that remote users can access once connected to Meraki VPN. @PhilipDAth made the point about the hairpin connection, which is valid; however this used to work using an ASA 5505. I will post any relevant updates - in the interim, thanks to those who took the time to respond, much appreciated.

cfrankli
Just browsing

Update: I enabled ICMP and was able to ping and connect via ssh. After exiting the terminal session, I asked a remote colleague to connect via ssh. He was able to connect successfully after a few attempts. I subsequently asked him to exit the session, after which I tried to initiate an ssh session and the request timed out. He can continue to connect (login) but my ping / ssh sessions time out. It seems that once a session is established it locks out all other requests - still trying to figure out the duration - whether it's temporary or in perpetuity.

PhilipDAth
Kind of a big deal

I don't think this will work (not sure). I don't think you can hair-pin the remote VPN subnet over a non-Meraki site to site VPN.

If you could, at a minimum you would need to include the remote client VPN subnet in the encryption domain going to AWS.
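The replies from Brian_V and PhilipDAth both come down to the same question: does the client VPN pool appear at every hop between the MX and the EC2 host (the MX's local networks with VPN On, the networks AWS expects from the customer gateway side, and the Security Group inbound rule for tcp/22)? The script below is an added illustration, not Meraki or AWS tooling, that models those three hops with Python's standard `ipaddress` module and reports the first hop at which a given client address is not matched. The 192.168.4.0/24 pool and the 192.168.0.0/24 SG range come from the thread; the VPC range, the EC2 address and the AWS-side network list are constructed assumptions so the example runs offline. Run against the values as posted, it shows that 192.168.0.0/24 does not contain 192.168.4.0/24, which is a useful thing to confirm before chasing the tunnel itself.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the thread's topology. The two 192.168.x ranges are quoted
# in the thread; the VPC range is an assumption (the thread only says 10.x.x.x).
LOCAL_LAN = ipaddress.ip_network("192.168.0.0/24")        # MX64W LAN behind the appliance
CLIENT_VPN_POOL = ipaddress.ip_network("192.168.4.0/24")  # client VPN pool (from the thread)
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")            # assumed AWS VPC range


@dataclass
class TunnelPolicy:
    """The three places a client source address must be matched on the way to EC2."""
    mx_local_networks: list      # MX 'Local networks' with VPN On (local encryption domain)
    aws_remote_networks: list    # networks AWS expects from the customer gateway side
    sg_inbound_ssh_cidrs: list   # Security Group inbound rules for tcp/22


def _covered(addr, nets):
    """Return the networks in `nets` that contain `addr` (empty list if none)."""
    return [n for n in nets if addr in n]


def check_path(src_ip: str, dst_ip: str, policy: TunnelPolicy) -> dict:
    """Per-hop verdict for one client -> EC2 flow; each flag is True when that hop's
    configuration matches the source address (or, for dst_in_vpc, the destination)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    verdict = {
        "mx_encryption_domain": bool(_covered(src, policy.mx_local_networks)),
        "aws_customer_side_routes": bool(_covered(src, policy.aws_remote_networks)),
        "sg_allows_ssh": bool(_covered(src, policy.sg_inbound_ssh_cidrs)),
        "dst_in_vpc": dst in VPC_CIDR,
    }
    verdict["reachable"] = all(verdict.values())
    return verdict


def first_failure(verdict: dict):
    """Name of the first hop that rejected the flow, or None if every hop matched."""
    for hop, ok in verdict.items():
        if hop != "reachable" and not ok:
            return hop
    return None


# Policy as described in the thread: pool is in interesting traffic (VPN On), the
# AWS side is assumed to list both networks, and the SG only allows 192.168.0.0/24.
AS_POSTED = TunnelPolicy(
    mx_local_networks=[LOCAL_LAN, CLIENT_VPN_POOL],
    aws_remote_networks=[LOCAL_LAN, CLIENT_VPN_POOL],
    sg_inbound_ssh_cidrs=[LOCAL_LAN],
)

# Same policy with the client VPN pool added to the SG rule as well.
WITH_POOL_IN_SG = TunnelPolicy(
    mx_local_networks=[LOCAL_LAN, CLIENT_VPN_POOL],
    aws_remote_networks=[LOCAL_LAN, CLIENT_VPN_POOL],
    sg_inbound_ssh_cidrs=[LOCAL_LAN, CLIENT_VPN_POOL],
)

if __name__ == "__main__":
    ec2_host = "10.0.1.5"  # constructed EC2 private address
    for who, src in (("LAN user", "192.168.0.50"), ("VPN client", "192.168.4.10")):
        for label, pol in (("as posted", AS_POSTED), ("pool in SG", WITH_POOL_IN_SG)):
            v = check_path(src, ec2_host, pol)
            print(f"{who:10} {label:11} reachable={v['reachable']} first_failure={first_failure(v)}")
```

The same structure works for the reverse direction (EC2 host to client): swap the roles of source and destination and check the SG's outbound rules and the VPC route table's entry for the client pool instead. Whichever hop rejects the flow first is the one to look at in the Meraki event log or VPC flow logs.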
