Using Client VPN to connect to a local NAS drive

ErnstTFD
Getting noticed


Hello, I have posted before, but either my question was asked incorrectly or no one knows the answer on these forums. I will try to put it as straightforwardly as possible here.

I can successfully log into my Meraki, using client VPN with the VLAN 192.168.5.x. In my case the address 192.168.5.118 was assigned to the laptop I'm using to log into the VPN.

On the local network there is a NAS drive on IP 192.168.1.3. When I try to ping this IP from the logged-in laptop, the ping fails. I.e., I cannot access the local network connected to the Meraki from the Client VPN login.

A secondary issue: I have given one of the local PCs on the network connected to the Meraki an address in the VPN subnet: 192.168.5.42. I cannot ping this IP either from the logged-in laptop (192.168.5.118).

I've used two different ISPs with two different public IPs for the VPN connection. In both instances I can connect, but I cannot ping anything.

If I go to the Clients page and enter Client type VPN, then nothing shows up. There are no records of any VPN connection.

If you're just going to point me to the Meraki help files, don't bother; I've read them all and did everything contained therein.

I need practical step-by-step assistance as to what I'm doing incorrectly please. Thank you.

GreenMan
Meraki Employee

Did you raise a case with Meraki Support?

ww
Kind of a big deal

What is the Meraki MX IP of subnet 192.168.1.0/24?

Can you ping this MX IP from the VPN client when connected to the MX client VPN?

Does the NAS have this IP as its gateway?

In what subnet is your client before connecting to the client VPN?

alemabrahao
Kind of a big deal

@ErnstTFD just open a case with Meraki support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

By the way, the only setting that could be preventing this is a group policy applied to the NAS restricting it or a layer 3 rule blocking it. The VPN client configuration level is all released by default.

So my advice is to open a ticket with support.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

That is the image that you sent on another topic. It looks like a Route issue or something like that, you maybe will lose 2 hops, and then you will be able to reach the NAS IP. I will show you my tracert.

 

alemabrahao_0-1667080226541.png

alemabrahao_1-1667080312393.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

I believe I found the problem: instead of the traffic being sent through the VPN tunnel, it is being sent to the default gateway of the router at your home.

 

alemabrahao_1-1667082044513.png

 

Do you have any configuration on your network that could be causing this problem? For example, is a VLAN on the same network being used by the VPN?

 

alemabrahao_0-1667082009759.png

 

Can you show the route print command after connecting to VPN?

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ErnstTFD
Getting noticed

So I am currently using this tool: https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

 

It allows you to enter your desired subnets. This adds routes for those subnets.

 

I've added the 192.168.1.0/24 and 10.5.5.0/24 subnets. After doing this, I can now ping 192.168.1.3 for the first time. However, if I enter \\192.168.1.3 in my file explorer, it still fails to connect to the NAS. Also, I cannot ping 10.5.5.1 or 10.5.5.5. I need access to both of these as well.

 

The route looks like this when the VPN is connected:

 

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.17.2.1      172.17.2.95     55
         10.5.5.0    255.255.255.0         On-link     192.168.5.118     46
       10.5.5.255  255.255.255.255         On-link     192.168.5.118    301
     41.138.70.14  255.255.255.255       172.17.2.1      172.17.2.95     56
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.17.2.0    255.255.255.0         On-link       172.17.2.95    311
      172.17.2.95  255.255.255.255         On-link       172.17.2.95    311
     172.17.2.255  255.255.255.255         On-link       172.17.2.95    311
      192.168.1.0    255.255.255.0         On-link     192.168.5.118     46
    192.168.1.255  255.255.255.255         On-link     192.168.5.118    301
      192.168.5.0    255.255.255.0        192.0.2.1    192.168.5.118     46
    192.168.5.118  255.255.255.255         On-link     192.168.5.118    301
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       172.17.2.95    311
        224.0.0.0        240.0.0.0         On-link     192.168.5.118    301
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       172.17.2.95    311
  255.255.255.255  255.255.255.255         On-link     192.168.5.118    301
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default 
===========================================================================
alemabrahao
Kind of a big deal

@ErnstTFD I suggest you do a test: delete the connection that you created via the website https://www.ifm.net.nz/cookbooks/meraki-client-vpn.html, then configure it like the Meraki article and test it again.

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration#Windows_10

 

I've been working with Meraki for 7 years, and for Windows, I have never needed to create routes for L2TP tunnels.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

This is my Route table:

 

alemabrahao_3-1667387848301.png

 

The IP 10.1.0.5 is my VPN IP, and as you can see I don't have a default gateway for this subnet, and I'm still having access to my servers via L2TP.

 

alemabrahao_1-1667387640351.png

alemabrahao_2-1667387669901.png

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
ErnstTFD
Getting noticed

Creating the VPN manually without the scripts and the routing, the routing table in Windows looks like this. (In this case I cannot ping 192.168.1.3 at all.)

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       172.17.2.1      172.17.2.95     55
     41.138.70.14  255.255.255.255       172.17.2.1      172.17.2.95     56
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
       172.17.2.0    255.255.255.0         On-link       172.17.2.95    311
      172.17.2.95  255.255.255.255         On-link       172.17.2.95    311
     172.17.2.255  255.255.255.255         On-link       172.17.2.95    311
      192.168.5.0    255.255.255.0        192.0.2.1    192.168.5.118     46
    192.168.5.118  255.255.255.255         On-link     192.168.5.118    301
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       172.17.2.95    311
        224.0.0.0        240.0.0.0         On-link     192.168.5.118    301
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       172.17.2.95    311
  255.255.255.255  255.255.255.255         On-link     192.168.5.118    301
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.1.1  Default
===========================================================================
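
Added example, not part of any post in this thread: a Python sketch that applies longest-prefix matching (ties broken by lowest metric) to the active-route rows posted above, to show which local interface Windows would choose for the NAS address in each of the two tables. The function names are illustrative, and the loopback, multicast and broadcast rows are left out.

```python
import ipaddress

# Active routes copied from the two `route print` outputs in this thread
# (loopback, multicast and broadcast rows omitted). Columns:
# destination, netmask, gateway, interface, metric.
MANUAL_VPN = """\
0.0.0.0 0.0.0.0 172.17.2.1 172.17.2.95 55
41.138.70.14 255.255.255.255 172.17.2.1 172.17.2.95 56
172.17.2.0 255.255.255.0 On-link 172.17.2.95 311
192.168.5.0 255.255.255.0 192.0.2.1 192.168.5.118 46
192.168.5.118 255.255.255.255 On-link 192.168.5.118 301
"""
# Rows present only in the table taken after the extra subnets were added.
WITH_SUBNETS = MANUAL_VPN + """\
10.5.5.0 255.255.255.0 On-link 192.168.5.118 46
192.168.1.0 255.255.255.0 On-link 192.168.5.118 46
"""

def parse_routes(text):
    """Parse 'dest mask gateway interface metric' rows into route dicts."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip headers, separators and blank lines
        dest, mask, gw, iface, metric = parts
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": gw, "interface": iface, "metric": int(metric),
        })
    return routes

def select_route(routes, target):
    """Longest-prefix match; ties broken by lowest metric."""
    ip = ipaddress.ip_address(target)
    matches = [r for r in routes if ip in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def egress_interface(table_text, target):
    """Return the local interface address a packet to `target` would leave from."""
    route = select_route(parse_routes(table_text), target)
    return route["interface"] if route else None

if __name__ == "__main__":
    for name, table in (("manual VPN", MANUAL_VPN), ("with subnets", WITH_SUBNETS)):
        for target in ("192.168.1.3", "10.5.5.1", "192.168.5.42"):
            print(f"{name:13} {target:13} -> {egress_interface(table, target)}")
```

With the manually created connection, 192.168.1.3 matches only the default route and leaves through 172.17.2.95, the laptop's local interface, rather than the VPN interface 192.168.5.118.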

alemabrahao
Kind of a big deal

Why do you have a Default Persistent Route? Can you remove it and try again?

 

Execute CMD as administrator and run the following command:

 

route -p delete 0.0.0.0 mask 0.0.0.0 192.168.1.1

 

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
alemabrahao
Kind of a big deal

By the way, why do you have a route to network 192.168.5.0 to 192.0.2.1 as a gateway? Your routing table is a mess. 😅

 

Try this:

 

netsh interface ip delete arpcache

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.