I have a non-Meraki peer site-to-site VPN set up consisting of an MX64 at our office and an AWS instance containing StrongSwan software.
The site-to-site works perfectly, but people connecting into the office via client VPN cannot see resources on the distant end of the site-to-site VPN.
I have been using packet captures to diagnose this and came across a strange situation. When I run a constant ICMP ping from within the office to a device at the distant end of the S2S VPN, I see the packets in captures on the LAN but nothing when monitoring on the site-to-site VPN. I know the pings are passing through because echo returns are being relayed back.
Why am I not seeing the packets when they must be there, as the pings are 100% successful and the only path open is the site-to-site VPN?
First, have you tried a traceroute to see the hops that are being taken? This will help verify they are in fact taking the route you are expecting.
Second, is your MX set up in NAT mode? If it is, then a pcap on the LAN will show the source IP as the client, but a pcap capturing the same packets on the VPN interface will show the public IP of the MX.
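The NAT point in the reply above is easy to check mechanically: if you look for the LAN client's address in the VPN-side capture you find nothing, but if you correlate the two captures by destination and ICMP sequence number (ignoring the source, which NAT rewrites) the same pings show up on both sides. The script below is an added example, not code from this thread or from Meraki; it parses constructed `tcpdump -n`-style lines for two capture points and reports which inside address was translated to which outside address. The addresses (192.168.1.50 for the office host, 203.0.113.5 standing in for the MX public address, 10.0.0.10 for the host behind the StrongSwan peer), the capture text and the ICMP id/seq values are all assumed sample data.

```python
import re

# Constructed sample tcpdump -n output (not real captures): the same two pings
# as seen on the MX LAN side and on the site-to-site VPN side.  Addresses are
# assumed: 192.168.1.50 is the office host, 203.0.113.5 stands for the MX
# public (NAT) address, 10.0.0.10 is the host behind the StrongSwan peer.
LAN_CAPTURE = """\
12:00:01.000123 IP 192.168.1.50 > 10.0.0.10: ICMP echo request, id 4242, seq 1, length 64
12:00:01.021456 IP 10.0.0.10 > 192.168.1.50: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.000201 IP 192.168.1.50 > 10.0.0.10: ICMP echo request, id 4242, seq 2, length 64
12:00:02.020987 IP 10.0.0.10 > 192.168.1.50: ICMP echo reply, id 4242, seq 2, length 64
"""

VPN_CAPTURE = """\
12:00:01.000987 IP 203.0.113.5 > 10.0.0.10: ICMP echo request, id 4242, seq 1, length 64
12:00:01.020654 IP 10.0.0.10 > 203.0.113.5: ICMP echo reply, id 4242, seq 1, length 64
12:00:02.001044 IP 203.0.113.5 > 10.0.0.10: ICMP echo request, id 4242, seq 2, length 64
12:00:02.020112 IP 10.0.0.10 > 203.0.113.5: ICMP echo reply, id 4242, seq 2, length 64
"""

# Matches one ICMP echo line of tcpdump -n output; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id (?P<id>\d+), seq (?P<seq>\d+)"
)


def parse_capture(text):
    """Return one dict per ICMP echo line found in the capture text."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            p["id"] = int(p["id"])
            p["seq"] = int(p["seq"])
            pkts.append(p)
    return pkts


def filter_by_src(pkts, src):
    """The naive check: 'show me my host's packets' filtered on source address.
    On the NAT side of the MX this returns nothing, which is the symptom
    described in the question."""
    return [p for p in pkts if p["src"] == src]


def correlate_requests(lan_pkts, vpn_pkts):
    """Match echo requests across the two capture points by (dst, seq).
    The source address is deliberately ignored because NAT rewrites it; the
    ICMP id is ignored too because some NAT implementations rewrite that as
    well.  Returns a list of (seq, lan_src, vpn_src).  Caveat: two hosts
    pinging the same target with overlapping seq numbers would collide here,
    so narrow the capture filter to one destination when that is possible."""
    vpn_by_key = {(p["dst"], p["seq"]): p for p in vpn_pkts if p["kind"] == "request"}
    matches = []
    for p in lan_pkts:
        if p["kind"] != "request":
            continue
        v = vpn_by_key.get((p["dst"], p["seq"]))
        if v is not None:
            matches.append((p["seq"], p["src"], v["src"]))
    return matches


def nat_translations(matches):
    """Set of (inside_src, outside_src) pairs the correlation observed."""
    return {(lan_src, vpn_src) for _, lan_src, vpn_src in matches}


if __name__ == "__main__":
    lan = parse_capture(LAN_CAPTURE)
    vpn = parse_capture(VPN_CAPTURE)
    print("VPN-side packets from 192.168.1.50:", len(filter_by_src(vpn, "192.168.1.50")))
    matched = correlate_requests(lan, vpn)
    print("requests seen on both sides:", [s for s, _, _ in matched])
    for inside, outside in sorted(nat_translations(matched)):
        print(f"NAT: {inside} -> {outside}")
```

In practice, capture on the VPN side with a filter on the destination (`host 10.0.0.10` or `icmp and dst host 10.0.0.10`) rather than on the client's source address, and expect the MX's public or uplink address as the source of the requests.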