OpenVPN TUN Causes VLAN Mismatch

Solved
pumrum
Here to help

I have a Linux server running an OpenVPN TUN server directly connected to an MX-84, and the MX is directly connected to the open Internet. The MX is almost entirely out of the box, very little configuration. The Linux laptop is on the default 192.168.128.0/24 subnet, vlan0. When a remote client connects to the OpenVPN server it gets a 10.8.0.0/24 address on a TUN interface. If the remote client attempts to connect to the WAN (Internet), it gets blocked by the MX and there's an error in the event log (MAC masked for privacy):

Source IP and/or VLAN mismatch

source_client_ip: 192.168.128.3, source_client_mac: XX:XX:XX:XX:XX:XX, source_client_assigned_vlan: 0
last_illegal_ip 10.8.0.8
client_total_illegal_packets 25340
all_total_illegal_packets 44829
last_reported_total

The remote client can access other resources on the Linux laptop, but cannot access the outside Internet. I've tried adding a subnet to the MX so it recognizes the 10.8.0.0/24 network. I've added an explicit outbound firewall rule to permit all outgoing traffic from 10.8.0.0/24 to ANY. I've tried changing the VPN client network so that the client gets a 192.168.128.50 address (not currently in use elsewhere on the MX). No luck on any of those. Is there some setting I'm missing so that the MX will allow outbound traffic from two different subnets from the same source MAC? I didn't want to fiddle with too many settings and risk breaking other things I've got running. This is about the only thing I don't have functional at the moment.

Some relevant settings:

Firmware: MX 12.26

Mode = NAT

Client Tracking = Track clients by MAC Address (I tried "track by IP" but it says it's not supported for mixed environments - I also have an MR and MS elsewhere on this network)

VLANs = disabled (use a single LAN)

Unfortunately the Meraki VPN will not suffice, and I can't use a TAP interface either, so I can't pass DHCP responsibility through from OpenVPN to Meraki. Happy to provide any other information that may be relevant.

Thanks!

2 Replies
PhilipDAth
Kind of a big deal

The only thing you should need to do is add a route on the MX for 10.8.0.0/24 via the TUN server 192.168.128.x IP address.

I would also upgrade your MX to 13.28, but that has nothing to do with this issue.

That did it! I'm 99.999% sure I did exactly that prior, but must have done something slightly wrong last time. For reference, I did the following:

  1. Security appliance > Configure > Addressing & VLANs
  2. Add a Static Route
    1. Name = OpenVPN
    2. Subnet = 10.8.0.0/24
    3. Next Hop IP = 192.168.128.3
    4. Active = Always


I am staying on the stable firmware for now, will move up to 13 when I'm back on site. Thanks again!
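As an added illustration (not Meraki's code, and a simplified model of the behaviour the event log suggests rather than the MX's actual implementation), the check below treats a MAC-tracked client as allowed to source only its learned LAN address, unless a static route names that host as next hop for another subnet, which is why the 10.8.0.0/24 route clears the mismatch. The MAC addresses, the 192.168.128.20 host and the 10.8.0.9 source are constructed values.

```python
from ipaddress import ip_address, ip_network


class MxLan:
    """Simplified model of an MX in NAT mode with VLANs disabled and
    'Track clients by MAC address'. Assumed behaviour for illustration,
    not Meraki's actual implementation."""

    def __init__(self, lan_subnet):
        self.lan_subnet = ip_network(lan_subnet)
        self.routes = {}    # route name -> (subnet, next-hop IP)
        self.clients = {}   # MAC -> LAN IP the client was first seen with
        self.illegal = {}   # MAC -> count of packets rejected as mismatches

    def add_static_route(self, name, subnet, next_hop):
        """Mirror of Addressing & VLANs > Static routes in the dashboard."""
        self.routes[name] = (ip_network(subnet), ip_address(next_hop))

    def classify(self, src_mac, src_ip):
        """Return 'allow' or 'vlan_mismatch' for one LAN-side packet."""
        ip = ip_address(src_ip)
        if ip in self.lan_subnet:
            # First packet from a MAC pins that client to its LAN address.
            self.clients.setdefault(src_mac, ip)
            return "allow"
        # A source outside the LAN is accepted only if a static route says the
        # subnet sits behind the LAN host already tracked under this MAC.
        lan_ip = self.clients.get(src_mac)
        if any(ip in net and hop == lan_ip for net, hop in self.routes.values()):
            return "allow"
        self.illegal[src_mac] = self.illegal.get(src_mac, 0) + 1
        return "vlan_mismatch"


def demo():
    """Constructed scenario from the thread, before and after the static route.
    Returns the (before, after, spoofed) verdicts."""
    mx = MxLan("192.168.128.0/24")
    vpn_host = "aa:bb:cc:00:00:01"        # constructed MAC of the OpenVPN server
    other = "aa:bb:cc:00:00:02"           # constructed MAC of an unrelated LAN host
    mx.classify(vpn_host, "192.168.128.3")  # server's own traffic is learned
    mx.classify(other, "192.168.128.20")
    before = mx.classify(vpn_host, "10.8.0.8")   # forwarded VPN client, no route
    mx.add_static_route("OpenVPN", "10.8.0.0/24", "192.168.128.3")
    after = mx.classify(vpn_host, "10.8.0.8")    # same packet, route present
    # The route only vouches for traffic arriving from its next hop; another
    # LAN host using a 10.8.0.x source address is still rejected.
    spoofed = mx.classify(other, "10.8.0.9")
    return before, after, spoofed
```

Running `demo()` returns `('vlan_mismatch', 'allow', 'vlan_mismatch')`, which also shows why a firewall rule for 10.8.0.0/24 alone does not help in this model: the source check happens against client tracking, not the outbound rule set.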
