vMX100 in AWS support for Client VPN

JReed
Conversationalist


Does the vMX100 appliance, when deployed in an AWS VPC, support Client VPN connections? I can make a Client VPN connection, but packets don't seem to be routed to the LAN side. This document does not describe the Client VPN feature: vMX100 Setup Guide for Amazon AWS

If the Client VPN is not currently a supported feature in the vMX100, then the document should mention that, and the UI should remove the Client VPN. I have a feeling Client VPN may not be possible as the vMX100 lacks the Addressing & VLANs page. 

 

BTW: The site-to-site AutoVPN with an on-premises MX250 is working fine, but it would be nice to be able to make direct Client VPN connections to the AWS site. It would also be nice to use the vMX100 as the NAT Gateway for the private side instances. Currently I have to deploy a NAT Gateway since the vMX100 doesn't support this capability.

BrechtSchamp
Kind of a big deal

This topic seems to suggest there is a way to make it work, but you probably need support from the helpdesk for it:

https://community.meraki.com/t5/Security-SD-WAN/vMX-client-VPN-on-AWS/td-p/11947

 

That said, for dedicated client VPN I'd recommend looking at another solution. Client VPN on MX (even the appliance based version) is very limited for now (anyconnect support is on the roadmap but it will probably take some time). Cisco ASAv + Anyconnect may be an option if you need a virtualized solution:

https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/...

 

In any case, reach out to a Cisco Partner or a Meraki SE. They'll be able to support you coming up with the best design.

Did you remember to add the client VPN subnet to the AWS route table? 

JReed
Conversationalist

Yes, although I wouldn't think this should matter. I would expect that the Client VPN NATs the client's address.
PhilipDAth
Kind of a big deal

Client VPN address space is routed not NATed. 

Do your AWS security groups allow the client VPN range? 

JReed
Conversationalist

@PhilipDAth adding the Client VPN subnet range to the private subnet security group fixed the problem of accessing instances in the private subnet. That makes sense now that I understand the vMX100 isn't NATing the Client VPN clients. Seems like I'll have to use split tunnel in this scenario.
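The AWS-side fix the two posts above converge on (a return route for the Client VPN pool pointing at the vMX, plus a security-group rule for that pool, because the pool is routed rather than NATed), written out as an added example. This is not code from the thread or from Meraki; it uses the AWS Tools for PowerShell (AWS.Tools.EC2) cmdlets, and every ID and CIDR is a placeholder to replace with your own:

```powershell
# Added example (not from the thread): AWS-side changes that let packets from the
# vMX Client VPN pool reach, and return from, instances in the private subnet.
# Requires AWS.Tools.EC2 and credentials with EC2 write access. All IDs/CIDRs are assumed.
Import-Module AWS.Tools.EC2

$ClientVpnCidr     = '192.168.50.0/24'        # Client VPN subnet configured on the vMX (assumed)
$VmxEniId          = 'eni-0123456789abcdef0'  # ENI of the vMX instance (assumed)
$PrivateRouteTable = 'rtb-0123456789abcdef0'  # route table of the private subnet (assumed)
$PrivateSgId       = 'sg-0123456789abcdef0'   # security group on the private instances (assumed)

# 1. The vMX forwards packets whose source address is not its own (the VPN clients),
#    so EC2 must not drop them: turn off the source/destination check on its ENI.
Set-EC2NetworkInterfaceAttribute -NetworkInterfaceId $VmxEniId -SourceDestCheck $false

# 2. Return path. Client VPN addresses are routed, not NATed, so replies from an
#    instance are addressed to the client's pool address. Without a route for the
#    pool those replies go to the subnet's default target and the session never completes.
$existing = Get-EC2RouteTable -RouteTableId $PrivateRouteTable |
    Select-Object -ExpandProperty Routes |
    Where-Object { $_.DestinationCidrBlock -eq $ClientVpnCidr }
if (-not $existing) {
    New-EC2Route -RouteTableId $PrivateRouteTable `
                 -DestinationCidrBlock $ClientVpnCidr `
                 -NetworkInterfaceId $VmxEniId
}

# 3. Security groups see the real (un-NATed) client source address, so the pool must
#    be allowed explicitly. Open only the ports you need; 22 and 443 here are an example,
#    not a recommendation to permit "all traffic" from the VPN pool.
foreach ($port in 22, 443) {
    $range = New-Object Amazon.EC2.Model.IpRange
    $range.CidrIp      = $ClientVpnCidr
    $range.Description = 'Meraki Client VPN pool via vMX'

    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = 'tcp'
    $perm.FromPort   = $port
    $perm.ToPort     = $port
    $perm.Ipv4Ranges.Add($range)

    Grant-EC2SecurityGroupIngress -GroupId $PrivateSgId -IpPermission $perm
}
```

Grant-EC2SecurityGroupIngress fails if an identical rule already exists, so re-running the script is safe for the route (guarded) but will surface a duplicate-rule error for the security group; check `(Get-EC2SecurityGroup -GroupId $PrivateSgId).IpPermissions` first if you want the script idempotent. Two checks worth doing before blaming routing: the Client VPN pool must not overlap any VPC CIDR, and the vMX's own security group must still accept the IPsec ports the clients use.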

PhilipDAth
Kind of a big deal

This guide includes a split tunnel configuration.

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

JReed
Conversationalist

Thanks @PhilipDAth. I've been using PowerShell scripts to create the VPN on Windows for a few years now with -SplitTunnel enabled, but I wasn't aware of the Add-VpnConnectionRoute cmdlet. I was using a rather complicated setup where a scheduled task fired when the VPN connection was made in order to add routes using the New-NetRoute cmdlet. Then another scheduled task would run when the VPN connection was disconnected, and the routes would be removed with the Remove-NetRoute cmdlet. I imagine switching to Add-VpnConnectionRoute will be a much cleaner and easier to implement solution.
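The cleaner client-side setup the post above describes, as an added example (not JReed's script and not from the linked cookbook): a Meraki-style L2TP/IPsec profile with split tunnelling, where the AWS prefixes are attached to the connection with Add-VpnConnectionRoute so Windows installs them when the tunnel comes up and drops them when it disconnects, with no scheduled tasks. The server name, pre-shared key and subnets are placeholders; the registry step needs an elevated prompt:

```powershell
# Added example (not from the thread): Windows client profile for a Meraki Client VPN
# with split tunnelling; remote prefixes are bound to the profile, not added by hand.
# Server, PSK and subnets below are assumed placeholders.

$ConnectionName = 'AWS-vMX'
$VpnServer      = 'vpn.example.com'                    # public address of the vMX (assumed)
$PresharedKey   = 'replace-with-dashboard-psk'         # Client VPN shared secret (assumed)
$AwsSubnets     = @('10.20.0.0/24', '10.20.1.0/24')    # VPC subnets to reach via the tunnel (assumed)

# Meraki Client VPN is L2TP over IPsec with a PSK; the user credential is sent with PAP
# inside the already-encrypted IPsec tunnel, which is why Pap is the correct setting.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName `
                      -ServerAddress $VpnServer `
                      -TunnelType L2tp `
                      -L2tpPsk $PresharedKey `
                      -AuthenticationMethod Pap `
                      -EncryptionLevel Required `
                      -SplitTunneling `
                      -Force
}

# With -SplitTunneling no default route goes over the VPN, so list each remote prefix.
# Routes attached this way live with the profile: present while connected, gone after.
foreach ($prefix in $AwsSubnets) {
    $have = Get-VpnConnection -Name $ConnectionName |
            Select-Object -ExpandProperty Routes |
            Where-Object { $_.DestinationPrefix -eq $prefix }
    if (-not $have) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# Clients behind NAT (almost all of them) need this or Windows will not bring up
# L2TP/IPsec; 2 allows both ends behind NAT. Requires admin rights and a reboot.
$paKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$current = (Get-ItemProperty -Path $paKey -Name AssumeUDPEncapsulationContextOnSendRule `
            -ErrorAction SilentlyContinue).AssumeUDPEncapsulationContextOnSendRule
if ($current -ne 2) {
    Set-ItemProperty -Path $paKey -Name AssumeUDPEncapsulationContextOnSendRule -Value 2 -Type DWord
}

# Verify the profile and the bound routes. Connect with:  rasdial AWS-vMX <user> <password>
Get-VpnConnection -Name $ConnectionName | Select-Object Name, TunnelType, SplitTunneling, ConnectionStatus
Get-VpnConnection -Name $ConnectionName | Select-Object -ExpandProperty Routes
```

Two caveats a practitioner should keep in mind. First, with split tunnelling the client is on the internet and inside the VPC at the same time, so the AWS security-group rules for the Client VPN pool are the only thing limiting what a compromised laptop can reach; keep them narrow. Second, the prefixes you bind here must match what the vMX actually routes; a route for a subnet the vMX cannot reach just blackholes that traffic on the client.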

PhilipDAth
Kind of a big deal

It is a good learning experience to figure it out yourself before someone shows you the easy way.

Where should it be pointing in the route table?

When I say pointing which "Target" in AWS should go
