Using Meraki MX 84 as client VPN

Gautam
Comes here often

Hi Team,

We have connected the Meraki device in our network as per the below screenshot: given one public IP on the WAN 1 interface, allowed the 10.1.200.0/24 subnet in our network for VPN, and connected the Meraki LAN 3 interface to our L2 switch as an access interface with VLAN 200 allowed.

Both the LAN and WAN interfaces are up, and Meraki cloud is used for authentication, but we are unable to connect in routed mode.

After configuring the Meraki device as passthrough with Meraki cloud for authentication, we are able to connect to the VPN, but unable to reach our LAN network.

Kindly suggest the configuration for client VPN in Meraki.

Thanks,

Gautam

ChrisC83
Meraki Employee

Hi,

For your topology, I believe it's better to set up the MX in routed mode, since you have connected the MX WAN to the public LAN side, which should not have access to the internal LAN.

Did you change the WAN IP on the MX84 when connecting in routed mode and in passthrough mode?

If not, the client VPN should be able to connect in both modes; you may need to check the upstream firewall to make sure UDP 500 and 4500 are allowed from the upstream ISP to your MX WAN IP.

If the client is connected but unable to reach the resource: for passthrough mode, you will need to make sure the WAN GW has a route pointing to the client VPN subnet on the MX and is able to route it to your internal network. For routed mode, you will need to set up a new VLAN on the MX to connect to your internal switch, since the client VPN will set up a separate VLAN on the MX, and then configure a static route on both the MX and your internal switch to allow the VPN subnet to be routed.

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it.
Gautam
Comes here often

Thanks Chris for your suggestion.

WAN GW means the ISP2 firewall in our architecture, right?

And can you tell us why we need to have a static route and how this would work? Right now we are using Pulse Secure and we didn't configure any static route on the WAN gateway.

Currently we are using the Meraki as passthrough and have taken the VPN subnet as 10.10.200.0/24.

So you want us to configure a static route on the external gateway for 10.10.200.0 255.255.255.0 with the next hop being the public IP of the Meraki device?

Thanks

Gautam

Hi,

So if you have the VPN subnet 10.10.200.0/24 on the Meraki device in passthrough mode, then traffic for 10.10.200.0/24 will follow the default route, which is the default GW for this MX. This is because the MX is in passthrough mode. Therefore the GW device of the MX has to know how to reach this VPN subnet and how to reach the internal network as well.

Gautam
Comes here often

Hi Chris,

We finally decided to go with routed mode, as you said, to configure a static route on both the MX and our internal switch to allow the VPN subnet to be routed.

So right now we have given the client VPN subnet as 10.110.200.0/24, the VLAN on the MX is 10.140.201.0/24, and the MX IP is 10.140.201.2.

I didn't quite catch the static route part. Can you let me know the static route you want me to add on the MX and the internal switch? And by internal switch you mean the L3 switch in my architecture, right?

Hi,

Basically, on MX you should set a static route for all internal networks to point to the internal L3 switch.

On the internal switch side, you should set a static route for the client VPN subnet to point to the MX IP.

In this way, you have two-way traffic between the client VPN subnet and the internal subnet.

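The two static routes described in this answer, worked through as a small routing simulation (an added example, not code from the thread or from Meraki). It uses the client VPN subnet, MX VLAN and MX IP given in the thread, and assumes a switch transit IP of 10.140.201.1, an internal subnet of 10.20.0.0/16 and a default route on the switch toward 203.0.113.1. It shows why both routes are needed: without the switch route, client-to-LAN packets arrive but the replies follow the switch's default route away from the MX; without the MX route, the MX has no path to the internal subnet at all.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# From the thread: client VPN 10.110.200.0/24, MX VLAN 10.140.201.0/24, MX IP 10.140.201.2.
# Assumed here only: switch transit IP 10.140.201.1, internal subnet 10.20.0.0/16, switch default route 203.0.113.1.
VPN_SUBNET, TRANSIT, INTERNAL = "10.110.200.0/24", "10.140.201.0/24", "10.20.0.0/16"
MX_IP, SWITCH_IP, UPSTREAM_FW = "10.140.201.2", "10.140.201.1", "203.0.113.1"

Table = List[Tuple[str, Optional[str]]]  # (prefix, next_hop); next_hop None = directly attached

def lookup(table: Table, dst: str) -> Tuple[bool, Optional[str]]:
    """Longest-prefix match: (matched, next_hop); next_hop None means deliver locally."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (best is not None, best[1] if best else None)

def trace(devices: Dict[str, Table], owners: Dict[str, str], start: str, dst: str) -> Tuple[bool, List[str]]:
    """Follow one packet hop by hop; True only if a device delivers it to an attached subnet."""
    path, here = [start], start
    for _ in range(8):  # hop limit guards against routing loops
        matched, nh = lookup(devices[here], dst)
        if not matched:
            path.append("dropped: no route")
            return False, path
        if nh is None:
            path.append(f"delivered to {dst}")
            return True, path
        if nh not in owners:  # next hop is neither MX nor switch: traffic leaves the LAN
            path.append(f"misrouted toward {nh}")
            return False, path
        path.append(here := owners[nh])
    return False, path + ["dropped: hop limit"]

def build(switch_route: bool, mx_route: bool) -> Tuple[Dict[str, Table], Dict[str, str]]:
    mx: Table = [(VPN_SUBNET, None), (TRANSIT, None)]
    if mx_route:
        mx.append((INTERNAL, SWITCH_IP))  # on MX: internal networks -> L3 switch
    sw: Table = [(INTERNAL, None), (TRANSIT, None), ("0.0.0.0/0", UPSTREAM_FW)]
    if switch_route:
        sw.append((VPN_SUBNET, MX_IP))  # on switch: client VPN subnet -> MX IP
    return {"mx": mx, "switch": sw}, {MX_IP: "mx", SWITCH_IP: "switch"}

def two_way(switch_route: bool, mx_route: bool) -> Tuple[bool, bool]:
    devices, owners = build(switch_route, mx_route)
    fwd, _ = trace(devices, owners, "mx", "10.20.5.10")  # VPN client packet enters at the MX
    rev, _ = trace(devices, owners, "switch", "10.110.200.25")  # LAN host reply enters at the switch
    return fwd, rev
```

Calling `two_way(True, True)` returns `(True, True)`; dropping either route leaves one direction unreachable, which is exactly the "connected but cannot reach the LAN" symptom from the original post.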