Multiple VPN tunnels

AdminTS
Comes here often

We have set up a client VPN connection to our MX, which works. Now we are also setting up a site-to-site VPN connection to our server, which is not located in our office. We have now found that all VPNs work but we cannot access the server. Do we need a static or source-based route for this to work? If so, what should the route look like? Important: The subnet of the server is not configured in Meraki, as the server is located outside the network. How can we solve this problem?

10 Replies
DarrenOC
Kind of a big deal

Hi @AdminTS, I assume the servers reside in the network at the other end of the S2S VPN?

Can you add a route that points to the servers that terminate on the other end of the VPN tunnel?

Darren OConnor | doconnor@resalire.co.uk
https://www.linkedin.com/in/darrenoconnor/

I'm not an employee of Cisco/Meraki. My posts are based on Meraki best practice and what has worked for me in the field.
AdminTS
Comes here often

I cannot add a route because the servers are not in my own network. So another solution is certainly needed.

PhilipDAth
Kind of a big deal
Kind of a big deal

If you are using a non-Meraki site-to-site VPN, the VPN encryption domain for your end will need to include the subnet that you are using for your client VPN.

AdminTS
Comes here often

I don't currently know what you mean by that. Yes, it is a "non-Meraki" site-to-site connection, as the far end is not a Meraki firewall. I am only interested in configuring it so that you start with client VPN and then reach the far end via site-to-site. Both connections work independently but unfortunately not together. So I can't access my resources, even though the client VPN is established. What exactly do I have to do here to make it work?

jimmyt234
Building a reputation

1) Make sure you have VPN Mode = Enabled on your Client VPN subnet on the MX

2) Make sure the remote end includes your VPN subnet in their remote encryption domain

AdminTS
Comes here often

VPN is activated in the subnet 10.61.0.1. Otherwise the VPN client connection would not work at all. But it does!

What do you mean by recording the subnet on the other side? Do you mean the VPN subnet or the public IP address?

jimmyt234
Building a reputation

The device/firewall on the other end of the non-Meraki VPN needs to have your client VPN subnet configured to route down the tunnel, so it knows how to route back to you.
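
To make the two pieces of advice above (VPN Mode enabled on the client VPN subnet, and the client VPN subnet added to the peer's remote encryption domain) concrete, here is an added example that is not from the thread or from Meraki: a simplified Python model of IPsec traffic selectors. The MX gateway 10.61.0.1, the client VPN subnet 10.61.20.0 and the server subnet 192.168.12.0/24 come from the thread; the /24 masks on the first two, the office LAN 10.61.0.0/24 and the host addresses are assumptions. It traces the same ping through both ends of the tunnel under the three configurations discussed and reports which hop drops it.

```python
from ipaddress import ip_address, ip_network

# Constructed topology. The thread gives the MX gateway 10.61.0.1, the client VPN
# subnet 10.61.20.0 and the server subnet 192.168.12.0/24; the /24 masks on the
# first two and the sample host addresses below are assumptions.
MX_LAN = ip_network("10.61.0.0/24")         # office LAN behind the MX (gateway 10.61.0.1)
CLIENT_VPN = ip_network("10.61.20.0/24")    # pool handed to client VPN users
SERVER_LAN = ip_network("192.168.12.0/24")  # subnet behind the non-Meraki peer


def build_policy(local_subnets, remote_subnets):
    """An IPsec policy modelled as (local, remote) traffic-selector pairs.

    Each pair is one encryption-domain entry: traffic from a local subnet to a
    remote subnet is allowed into the tunnel, and the mirror image is accepted
    out of it. Anything not covered by a pair is not tunnelled.
    """
    return [(local, remote) for local in local_subnets for remote in remote_subnets]


def covered(policy, src, dst):
    """True if the flow src -> dst falls inside some (local, remote) selector pair."""
    src, dst = ip_address(src), ip_address(dst)
    return any(src in local and dst in remote for local, remote in policy)


def trace(mx_policy, peer_policy, src, dst):
    """Walk one client-VPN packet through both ends of the site-to-site tunnel.

    Returns a short verdict instead of a bare bool so the failing hop is visible.
    """
    # Hop 1: the MX only encrypts traffic that its own encryption domain covers.
    if not covered(mx_policy, src, dst):
        return "dropped at MX: source subnet is not in the MX VPN encryption domain"
    # Hop 2: the peer checks the inbound packet against its selectors with the
    # roles swapped (its local is our remote) and uses the same pair to route the
    # reply back down the tunnel. If this fails, the request or the reply is lost.
    if not covered(peer_policy, dst, src):
        return "dropped at peer: client VPN subnet is missing from the peer's remote encryption domain"
    return "reachable"


def scenarios():
    """The configurations discussed in the thread, applied to the same ping."""
    peer_lan_only = build_policy([SERVER_LAN], [MX_LAN])                 # step 2 not done
    peer_with_client_vpn = build_policy([SERVER_LAN], [MX_LAN, CLIENT_VPN])  # step 2 done
    mx_vpn_mode_off = build_policy([MX_LAN], [SERVER_LAN])               # step 1 not done
    mx_vpn_mode_on = build_policy([MX_LAN, CLIENT_VPN], [SERVER_LAN])    # step 1 done

    client, server, lan_host = "10.61.20.5", "192.168.12.10", "10.61.0.50"
    return {
        "lan_host_always_fine": trace(mx_vpn_mode_on, peer_lan_only, lan_host, server),
        "vpn_mode_off": trace(mx_vpn_mode_off, peer_lan_only, client, server),
        "vpn_mode_on_peer_not_updated": trace(mx_vpn_mode_on, peer_lan_only, client, server),
        "both_steps_done": trace(mx_vpn_mode_on, peer_with_client_vpn, client, server),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:30} {verdict}")
```

The point the model makes visible is that the office LAN host works in every case while the client VPN host only works once both ends agree on the selectors: a working client VPN and a working site-to-site tunnel prove nothing about the combination, because the second tunnel simply never sees the 10.61.20.0/24 traffic until it is part of both encryption domains. A static route cannot fix this, since the packet is not being misrouted, it is being excluded by policy.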

AdminTS
Comes here often

Thanks for the info. I'm not talking about a VPN tunnel, but two tunnels. Were you aware of that?

AdminTS
Comes here often

I would like to show you here how the route should work.

With Client VPN I connect to the Meraki MX64 (gateway 10.61.0.1). The VPN client subnet is 10.61.20.0. I would now like to access the server, which is located in the subnet 192.168.12.0/24. Logically, I cannot ping the subnet of the server. There is a site-to-site VPN connection for this subnet, which works properly. What do I have to do to ensure that the connection to the server from outside works?

AdminTS
Comes here often

Does anyone here have any ideas on how to optimize such connections?
