Hello,
I am looking for clarifications on how routing operates within the Meraki with regard to site-to-site VPNs. There seems to be a difference between how routing occurs for client VPN and StS VPN.
We have deployed tablets that use LTE connections through a private APN. Our APN provider links his network to our LAN through a StS VPN. Internet is blocked within the APN, so there is no split tunneling, and all traffic is fully tunneled to our Meraki.
I am trying to obtain Internet access for my StS VPN clients, the tablets.
This article, although not fully related to my questions, confirms in its first sentences that the client VPN on the Meraki establishes only full tunnels. This is confirmed by checking my public IP while connected through VPN from my laptop.
https://documentation.meraki.com/MX/Client_VPN/Configuring_Split_Tunnel_Client_VPN
So, full VPN and Internet access through my Meraki; ergo, it uses route 0 of the Meraki to reach the Internet from my client VPN subnet.
This is not the behavior for the StS VPN. I do NOT get Internet.
How come the StS VPN clients do not get access to the Internet via route 0 on my firewall?
In order to circumvent this issue, we added a static route 0 through the admin panel Security / SD-WAN / Addressing & VLANs / Static Routes.
Once route 0.0.0.0/0 is Enabled and 'In VPN' is checked, our StS VPN clients now obtain Internet access.
This in fact duplicates the 0.0.0.0/0 route, as can be seen in the general routing table in Security / SD-WAN / Route Table.
There, the 0.0.0.0/0 route shows subnet, name, etc., and 'via' shows '2 routes', one using the WAN uplink and the other created manually, using the next hop specified at creation.
Now, here is the kicker: from the static route creation panel, we configured that route to be active "While next hop responds to ping" and set a non-responding IP, thus, logically, rendering that route inactive. From what I was told by our provider, this does render the route inactive in the routing table but makes it visible to the StS VPN clients just by checking the box 'In VPN'.
How does the routing occur to the real 0.0.0.0/0 route then? This article seems to answer the question.
https://documentation.meraki.com/MX/Networks_and_Routing/MX_Routing_Behavior
Route Priority
"traffic destined for an address for which multiple routes exist will be routed in the order of priority above"
Overlapping routes are resolved by route priority, it seems, thus giving my site-to-site VPN access to route 0; am I understanding this correctly?
Not only that, when enabling or disabling that route, our StS VPN clients seem to lose communication with some of the VLANs they should have access to. It was suggested that we should down the StS IPsec tunnel and bring it up again to trigger a full sync of the routing configuration from the Meraki cloud to the appliance. Does this make sense?
So to recap the questions:
How come the StS VPN clients do not get access to the Internet by default via route 0 on my firewall?
Does Meraki route priority explain why my static route 0 'In VPN' works?
How is my static route 0 working for StS VPN clients if it is not meeting the active condition?
Would downing/upping the IPsec tunnel actually do anything, and if yes, is there an enable/disable feature, or do I actually need to delete the tunnel and recreate it to obtain the desired effect?
Thank you all for your answers.
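Added example (not from the post or from Meraki): a small model of the behaviour described above, so the two 0.0.0.0/0 entries, the 'In VPN' flag and the "next hop responds to ping" condition can be reasoned about before touching the dashboard. It assumes the quoted rule (longest match, then source priority, with static routes ranked above the WAN uplink default) and the provider's claim that 'In VPN' controls advertisement to the peer while the ping check only controls forwarding; the table, next hops and VLAN are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Assumed source priority (lower = consulted first) for the route sources the
# post talks about: directly connected, manual static route, WAN uplink default.
PRIORITY = {"connected": 1, "static": 2, "uplink": 3}


@dataclass
class Route:
    prefix: str                  # e.g. "0.0.0.0/0"
    source: str                  # key of PRIORITY
    next_hop: str                # gateway IP, VLAN or uplink name (constructed)
    enabled: bool = True
    in_vpn: bool = False         # the 'In VPN' checkbox on a static route
    next_hop_alive: bool = True  # result of "While next hop responds to ping"

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)

    def is_active(self) -> bool:
        # Forwarding only uses routes that are enabled AND pass their condition.
        return self.enabled and self.next_hop_alive


def lookup(routes, dst):
    """Forwarding decision: longest prefix wins, ties broken by source priority."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if r.is_active() and addr in r.network()]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network().prefixlen, -PRIORITY[r.source]))


def advertised_to_vpn(routes):
    """Prefixes the site-to-site peer is allowed to send traffic for.
    Assumption from the post: 'In VPN' decides this, the ping check does not."""
    return sorted({r.prefix for r in routes if r.enabled and r.in_vpn})


# Constructed table: uplink default, one LAN VLAN, and the manual route 0 whose
# next hop (10.0.10.254, made up) never answers ping.
TABLE = [
    Route("0.0.0.0/0", "uplink", "wan1"),
    Route("10.0.10.0/24", "connected", "vlan10", in_vpn=True),
    Route("0.0.0.0/0", "static", "10.0.10.254", in_vpn=True, next_hop_alive=False),
]
```

With this table `advertised_to_vpn(TABLE)` includes 0.0.0.0/0, so the peer may send Internet-bound traffic, while `lookup(TABLE, "8.8.8.8")` falls through to the uplink route because the manual one is inactive; the same call with `next_hop_alive=True` would pick the static route instead.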