Seeking Advice/Guidance on configuring VPN to Ubiquiti USG behind Cisco MX84

jj_inno
Here to help

Seeking Advice/Guidance on configuring VPN to Ubiquiti USG behind Cisco MX84

Summary:

 

I am currently working on setting up some new hardware and re-configuring a network that I am responsible for.

 

The objective is to have an individual VPN into the USG network.

 

The USG is on it's own network behind a Meraki MX84.

 

The USG is connected to the MX84 via a VLAN configured port (configured within the Meraki Dashboard).

 

The USG Network can be accessed when connected to the local network that the Meraki is connected to, and can also be accessed when VPNing to the Meraki,

 

but

 

I seek to allow a user to VPN directly to the USG network through the MX84, without having to VPN to the Meraki first (without having to double VPN).

 

 

Ramblings:

 

I must admit that this is new to me. I have a general understanding of networking, but a lot of this in unfamiliar grounds.

 

On the USG side, there are two settings for a VPN (well, three actually, but one doesn't work with this): Remote VPN and Site-2-site VPN.

 

I have two different thoughts about this,

 

I could setup the USG with a Remote VPN and have those seeking to connect with the USG be pushed/ported through via rules on the Meraki,

 

or

 

I could link the Meraki and USG via a site-2-site VPN connection via a VLAN.

 

 

My Troubles:

 

I'm not sure which is the best approach.

 

Also, all of the VPN clients I have used ask for an IP or Name Server (DNS, Domain Name, why is there no standard?), yet, from my understanding, we, via our ISP, are only given one IP address, and the Meraki itself can be given a Domain Name that matches that IP address (as it is set in the settings of the Dashboard), so I am not sure how a remote user can actually get to the USG via a VPN client if the USG isn't actually visible on the internet.

 

Another thing, once a remote user connects to the Meraki, how does the Meraki know which data to send to the USG VLAN if all the data is coming from one source without anything distinguishing it from the other data? I recognize that there is a chain in the way data moves through routers and the such, but from my position, how am I to tell my simple VPN client "Go to [IP], and THEN go to [IP]."

 

I assume there are rules that can be set within the Meraki that will sort all of this out.

 

I assume I am thinking too hard about this, and/or don't have enough experience.

7 REPLIES 7
PhilipDAth
Kind of a big deal

If the USG uses an IPSec based VPN then you can choose to have EITHER client VPN enabled on the MX, or to NAT udp/500 and UDP/4500 through to the USG.

 

This is because they use the same ports.  You can't have both configs going at the same time.

The USG has a few options for VPN:

* Remote User VPN

* Site-to-Site VPN

* Client VPN

 

Client VPN is not what I need here (I'm pretty sure), and I am not sure which option of the other two I should use.

 

Reading about Site-to-Site I gathered that it allows multiple networks to function/stay connected as one, and I assume I could setup some firewall rules to limit access to the port that the USG is connected to if I decide to use Site-to-Site.

 

Otherwise, I assume Remote User VPN is what I am looking for, with NAT (thank you for informing about that) and some firewall rules.

 

Site-to-Site offers the option for IPsec, but Remote User does not.

 

 

Currently, the Meraki has it's Client VPN enabled so users can access the network remotely, and if I understand you correctly, you are saying that if I want to have a VPN access to the USG, I will have to turn off Client VPN.

 

If I do turn off Client VPN within the Meraki, I assume I could use another device to create another VPN behind the Meraki, similar to the USG, so that both networks can be accessed via their own VPNs.

 

Does that makes sense?

 

Also, I assume I will be using 1:Many NAT rules for this as well.

PhilipDAth
Kind of a big deal

What technology does the USG VPN use?  IPSec?

Yes the site to site VPN options are IPsec or OpenVPN.  

"Remote User" protocols are PPTP and L2TP on the unifi controller

"Client" is PPTP

"Site to Site" is either Auto IPSec VTI, or Manual IPsec (auto ipsec probably only works with all unifi hardware

 

I am kind of confused why OP doesn't use Client VPN on the Meraki device.  If you do setup another VPN (where there's two on your network) I've had best luck with site to site.  It's always on and working, no end user setup or logon needed.    

 

We have about 20 teleworker gateways.  A mix of Z3's and Z1's.  The USG's are kind of trash for using as a router.  Lots of people have said that and they've come a long way, but still far from Meraki and PFsense

Thank you for answering @PhilipDAth 's question!

 

I apologize I didn't respond any sooner to these; holidays touch my attention away.

 

The Client VPN is turned on in the Meraki, and it can be VPNed to, but we want to be able to VPN to the Meraki, and VPN to the USG, without first having to connect/VPN to the Meraki;

 

We effectively want two separate VPN networks under one Internet IP (we only have one IP assigned/running to us).

 

If I am correct, and this took a bit for me to find, I think I read that that is possible if we turn off the Client VPN on the Meraki and use the 1:MANY NAT rules (I think, but I just came across it and am still attempting to understand it and the rules behind it, and how to set it up). If this is correct, then I think I need to setup a second network behind the Meraki that will act as the substitute for the Client VPN that was turned off (to start using the 1:MANY rules).

 

I hope that makes sense. 🙂

AIOtech
Conversationalist

If you only have one IP then regular port forwarding rules would do the same thing you're trying to do with the 1:Many NAT if i'm understanding you correctly?  The difference between regular port forwards and 1:Many NAT is being able to specify a different Public IP than what your primary WAN is.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels