
vMX100 in AWS support for Client VPN

Conversationalist


Does the vMX100 appliance when deployed in an AWS VPN support Client VPN connections? I can make a Client VPN connection but packets don't seem to be routed to the LAN side. This document does not describe the Client VPN feature: vMX100 Setup Guide for Amazon AWS

If the Client VPN is not currently a supported feature in the vMX100, then the document should mention that, and the UI should remove the Client VPN. I have a feeling Client VPN may not be possible as the vMX100 lacks the Addressing & VLANs page. 

 

BTW: The site-to-site AutoVPN with an on-premises MX250 is working fine, but it would be nice to be able to make direct Client VPN connections to the AWS site. It would also be nice to use the vMX100 as the NAT Gateway for the private side instances. Currently I have to deploy a NAT Gateway since the vMX100 doesn't support this capability.

11 REPLIES
Kind of a big deal

Re: vMX100 in AWS support for Client VPN

This topic seems to suggest there is a way to make it work, but you probably need support from the helpdesk for it:

https://community.meraki.com/t5/Security-SD-WAN/vMX-client-VPN-on-AWS/td-p/11947

 

That said, for dedicated client VPN I'd recommend looking at another solution. Client VPN on MX (even the appliance-based version) is very limited for now (AnyConnect support is on the roadmap but it will probably take some time). Cisco ASAv + AnyConnect may be an option if you need a virtualized solution:

https://www.cisco.com/c/en/us/products/collateral/security/adaptive-security-virtual-appliance-asav/...

 

In any case, reach out to a Cisco Partner or a Meraki SE. They'll be able to support you coming up with the best design.

Kind of a big deal

Re: vMX100 in AWS support for Client VPN

Did you remember to add the client VPN subnet to the AWS route table? 

Conversationalist

Re: vMX100 in AWS support for Client VPN

Yes, although I wouldn't think this should matter. I would expect that the Client VPN NATs the client's address.
Kind of a big deal

Re: vMX100 in AWS support for Client VPN

Client VPN address space is routed not NATed. 

Kind of a big deal

Re: vMX100 in AWS support for Client VPN

Do your AWS security groups allow the client VPN range? 

Conversationalist

Re: vMX100 in AWS support for Client VPN

@PhilipDAth adding the Client VPN subnet range to the private subnet security group fixed the problem of accessing instances in the private subnet. That makes sense since now I understand that the vMX100 isn't NATing the Client VPN clients. Seems like I'll have to use split tunnel in this scenario.

Kind of a big deal

Re: vMX100 in AWS support for Client VPN

This guide includes a split tunnel configuration.

http://www.ifm.net.nz/cookbooks/meraki-client-vpn.html

Conversationalist

Re: vMX100 in AWS support for Client VPN

Thanks @PhilipDAth. I've been using PowerShell scripts to create the VPN on Windows for a few years now with -SplitTunnel enabled, but I wasn't aware of the Add-VpnConnectionRoute cmdlet. I was using a rather complicated setup where a scheduled task fired when the VPN connection was made in order to add routes using the New-NetRoute cmdlet. Then another scheduled task would run when the VPN connection was disconnected, and the routes would be removed with the Remove-NetRoute cmdlet. I imagine switching to Add-VpnConnectionRoute will be a much cleaner and easier-to-implement solution.
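
The split-tunnel setup discussed in this thread, as an added example that is not part of the original posts or of the linked guide: it creates the Windows VPN connection once, enables split tunneling, and attaches the routes to the connection with Add-VpnConnectionRoute so no scheduled tasks are needed. The connection name, server address and prefixes are placeholders, and L2TP/IPsec with a pre-shared key and PAP is an assumption about how the client VPN is configured.

```powershell
# Added example. All names, addresses and prefixes are placeholders.
$ConnectionName = 'AWS-vMX-ClientVPN'    # hypothetical connection name
$ServerAddress  = 'vmx.example.com'      # placeholder for the vMX public address
$VpnPrefixes    = @('10.0.0.0/16')       # constructed: networks reached through the vMX

# Assumption: the client VPN uses L2TP/IPsec with a shared secret and PAP.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    $psk = Read-Host -Prompt 'Client VPN shared secret'
    Add-VpnConnection -Name $ConnectionName -ServerAddress $ServerAddress `
        -TunnelType L2tp -L2tpPsk $psk -AuthenticationMethod Pap `
        -EncryptionLevel Optional -SplitTunneling -Force
}

# Make sure an already existing connection is also in split-tunnel mode,
# so only the prefixes below are sent through the VPN.
Set-VpnConnection -Name $ConnectionName -SplitTunneling $true

# Routes already attached to the connection, so the script can be re-run safely.
$existing = @((Get-VpnConnection -Name $ConnectionName).Routes |
    ForEach-Object { $_.DestinationPrefix })

foreach ($prefix in $VpnPrefixes) {
    # Reject anything that is not IPv4 CIDR notation before touching the routing setup.
    if ($prefix -notmatch '^(\d{1,3}\.){3}\d{1,3}/(\d|[12]\d|3[0-2])$') {
        Write-Warning "Skipping invalid prefix: $prefix"
        continue
    }
    if ($existing -contains $prefix) {
        Write-Host "Route $prefix already present"
        continue
    }
    # Windows installs this route when the VPN connects and removes it on
    # disconnect, replacing the New-NetRoute / Remove-NetRoute task pair.
    Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    Write-Host "Added route $prefix"
}

# Show the resulting configuration for review.
Get-VpnConnection -Name $ConnectionName |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling, Routes
```

Because the client VPN address space is routed rather than NATed, the AWS route table and the security groups on the private side still have to cover the client VPN subnet, as described earlier in the thread.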

Kind of a big deal

Re: vMX100 in AWS support for Client VPN

It is a good learning experience to figure it out yourself before someone shows you the easy way.

Here to help

Re: vMX100 in AWS support for Client VPN

Where should it be pointing in the route table?

Here to help

Re: vMX100 in AWS support for Client VPN

When I say pointing, which "Target" in AWS should it go to?
