non-meraki vpn, include client vpn

SOLVED
ZDonaldson
Getting noticed

All,

 

I have set up a non-Meraki VPN tunnel.

 

I cannot figure out how to include the client VPN network range in the tunnel configuration. It only allows me to choose existing Meraki networks, but there is no option for the client VPN range.

Zane D - IT Manager in Sin City NV
1 ACCEPTED SOLUTION
jdsilva
Kind of a big deal

You use the same "Local Networks" section that you use for AutoVPN. You can't exclude a network from AutoVPN, and include it in third party VPN. 

 

PhilipDAth
Kind of a big deal

I'm a bit grey on this one, but I'm about 75% sure that no matter what you configure, Client VPN cannot be used to access remote resources on the other side of a non-Meraki VPN.

Lindsey
Here to help

Put the client VPN VLAN in a static route under "VLANS-Routes" and make the next hop IP the range of the destination subnet of the non-Meraki peer.

jdsilva
Kind of a big deal

Haha! Three different people, three different answers. At least two of us are wrong... If not all three 😞

Ben
A model citizen

@jdsilva

 

I think you are right. For the MX devices the Client VPN is just a "local network".

I think the important part of the configuration is on the non-Meraki peer, since it needs a route back to the MX for all your subnets if this does not work when including it.

 

EDIT: quick Google search: I think you are looking for this

 

https://www.willette.works/merging-meraki-vpns/

 

 

ZDonaldson
Getting noticed

Here is the answer supplied by Meraki Support:

 

In order to advertise the addresses from a Meraki client VPN to the non-Meraki devices, go to Security Appliance > Configure > Site to Site VPN, and then under VPN Settings and then Local Networks, you'll see the IP range there (currently the range is set to 192.168.55.0/24), and then set Use VPN to "Yes".

 

My issue with the whole thing is how disjointed things are to simply create a VPN tunnel. I have general complaints about the process with Meraki. Sometimes it is an improvement to do things differently than others, but in the case of VPN, which is built on a standard, it's weird and frustrating that the various pieces necessary for building a tunnel are in different places. It's not built using a straightforward workflow for the various steps required.

 

Also a complaint, since I'm already ranting: when I created the non-Meraki tunnel I added two Meraki sites. This visually appears to be one tunnel with two network ranges, but that's not what's happening under the hood. It's actually building two separate tunnels from each device. That took a lot of time to figure out... and it's silly.

 

Thus endeth the rant.

Zane D - IT Manager in Sin City NV
JacoboLevy
Getting noticed

You just need to add the Private Subnet for the Client VPN on the:

- Organization-wide settings
- Options in this section apply to all VPN peers in this organization.
- Non-Meraki VPN peers

 

Add the Client VPN subnet there and all the VPN client traffic will be allowed to see the other end of the tunnel.
