VPN Concentrator for Client VPN

LRH
Here to help

VPN Concentrator for Client VPN

I would like to setup an MX100 in VPN Concentrator mode....but...only use it for my client VPN users to connect to.

 

I have read the deployment guide for the vpn concentrator and it appears as if that is for site-site connections.

 

Can I setup a MX to ONLY terminate client VPN connections?

9 Replies 9
Welles
Building a reputation

You got it. Server to Server ... i.e. MX to MX or another “device” that is not a client(as in mobile device, i.e. cell phone). 

 

I think people *have* setup IPsec tunnels manually, but that’s another story.  

PhilipDAth
Kind of a big deal
Kind of a big deal

I just tried enabling Client VPN for an MX in VPN Concentrator mode and it took the config just fine.

Welles
Building a reputation

I stand corrected. I thought all that was pulled.

 

Here’s a doc outlining setup details.

 

https://documentation.meraki.com/MX/Client_VPN/Client_VPN_OS_Configuration

 

I don't want the MX to participate in any site-site tunnels.....just the client vpn terminations....

 

According to the directions that isn't possible in concentrator mode.....have to use NAT mode with two cables...

LukasB
New here

I am facing exactly same challenge. Need to setup MX100 only for serving VPN client connections as an one armed VPN concentrator. 

 

According to Meraki guides it it only possible for site-site tunnels. Anyway I plan to test these in the nearest feature.

 

Overall Is it possible to configure it?

For those who are looking for a straight answer to this question, yes, client VPN will work if MX appliance configured to be a One-Arm Concentrator. I just configured one and it is working as intended. 

@Ignat  thanks for the update. Since the concentrator has a lan ip address. What kind of port forwarding required for client vpn to work? Just udp500/4500 to lan ip?

I am facing same issues setting up mx as a concentrator and only for client vpn. Any updates from anyone on this please


@RichardChen1 wrote:

Since the concentrator has a lan ip address. What kind of port forwarding required for client vpn to work? Just udp500/4500 to lan ip?


Yes, UDP/500 and UDP/4500 is enough as with NAT-T, after the initial exchanges on UDP/500 all is encapsulated in UDP/4500.

Get notified when there are additional replies to this discussion.