Meraki

Community

site to site VPN and client VPN

Solved
jay_b
Getting noticed
‎Feb 22 2022 12:42 PM
‎Feb 22 2022 12:42 PM

site to site VPN and client VPN

Hi,

 

I have 2 sites. Site A and Site B with MX250s. Site to site tunnel is configured between these 2 sites. Site A also have site to site tunnel configured to AWS tunnel. Site B don't have AWS tunnel.  On site A, we have client VPN. 

 

If someone on Site B want to access AWS stuff, can they connect to Site A's client VPN ?

0 Kudos
1 Accepted Solution
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 22 2022 4:35 PM
‎Feb 22 2022 4:35 PM

They could. The Client VPN flow will be over the internet and not in the S2S VPN.      Client VPN on Site B -> ( Internet ) Site A  -> AWS. 

 

In that case having or not the S2S between Site A and Site B is irrelevant

That would be one way to do it.

View solution in original post

0 Kudos
12 Replies 12
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 22 2022 4:35 PM
‎Feb 22 2022 4:35 PM

They could. The Client VPN flow will be over the internet and not in the S2S VPN.      Client VPN on Site B -> ( Internet ) Site A  -> AWS. 

 

In that case having or not the S2S between Site A and Site B is irrelevant

That would be one way to do it.

0 Kudos
In response to RaphaelL
jay_b
Getting noticed
‎Feb 23 2022 12:33 PM
‎Feb 23 2022 12:33 PM

Great. Thanks @RaphaelL  I will give a try.

0 Kudos
jay_b
Getting noticed
‎Mar 9 2022 11:44 AM
‎Mar 9 2022 11:44 AM

I just tried Client VPN and site to site tunnel enabled and I am not able to connect client VPN from Site B to site A. As soon as I disable site to site tunnel , client VPN works. 

0 Kudos
In response to jay_b
RaphaelL
Kind of a big deal
Kind of a big deal
‎Mar 9 2022 11:49 AM
‎Mar 9 2022 11:49 AM

You are probably in full tunnel mode. Your  Client VPN flow is going thru your VPN tunnel and not over the internet. 

0 Kudos
jay_b
Getting noticed
‎Mar 9 2022 11:53 AM
‎Mar 9 2022 11:53 AM

@RaphaelL  What do you mean by full tunnel mode? I don't have client VPN subnet and subnet which client is connected to at site B is in site to site tunnel.

 

I only have site to site configured for management VLAN only. 

0 Kudos
jay_b
Getting noticed
‎Mar 9 2022 12:20 PM
‎Mar 9 2022 12:20 PM

I think what's happening here is when client VPN requests from Site B to Site A, Site A thinks this is from S2S and responding on S2S. I don't see any phase 2 traffic on pcap

0 Kudos
jay_b
Getting noticed
‎Mar 9 2022 12:31 PM
‎Mar 9 2022 12:31 PM

jay_b_0-1646857807633.png

 This is what I am trying to achieve. Just did diagram in case there is confusion.

 

S2S tunnel is only between mgmt vlan 192.168.23.0/24 and 10.0.23.0/24

 

UserVLAN  172.10.0.0/16 is not included in s2s.

0 Kudos
In response to jay_b
RaphaelL
Kind of a big deal
Kind of a big deal
‎Mar 9 2022 2:41 PM
‎Mar 9 2022 2:41 PM

Hi ,

 

"As soon as I disable site to site tunnel , client VPN works" this was a good indicator that you were in full tunnel and lan trafic from 172.10.0.0/16 is routed through the S2S. 

 

If thats not the case , do you have a firewall rule to allow the outbound trafic ( on Site B )

0 Kudos
jay_b
Getting noticed
‎Mar 9 2022 2:59 PM
‎Mar 9 2022 2:59 PM

jay_b_1-1646866904127.png

 

 

@RaphaelL This is what I have in tunnel

 

I don't have firewall allow outbound rule traffic on site B. 

0 Kudos
In response to jay_b
RaphaelL
Kind of a big deal
Kind of a big deal
‎Mar 9 2022 3:01 PM
‎Mar 9 2022 3:01 PM

Are you not using auto-vpn between your 2 Meraki products ? I'm so confused...

0 Kudos
jay_b
Getting noticed
‎Mar 9 2022 3:07 PM
‎Mar 9 2022 3:07 PM

Sorry I got wrong screenshot. Ignore that SS.

0 Kudos
jay_b
Getting noticed
‎Mar 9 2022 3:17 PM
‎Mar 9 2022 3:17 PM

@RaphaelL   I think I found solution. There was some old configuration it was blocking it. It's working now. You're absolutely right, S2S shouldn't affect client VPN. Thank you!!

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.