For the MX to include IP addresses in its encryption domain it has to have them as either directly connected layer 3 interfaces or static routes. In your case they would have to be static routes, for the two web sites you want to be accessible. However, you cannot add a static route via a WAN interface. Consequently you cannot add them to the MX encryption domain, and you won't be able to build an SA with the MX that includes those two public IP addresses on its side.

I cannot think of a way you will be able to get this to work using only the kit mentioned. You would need a proxy server or something similar at the MX site to make this work. A trick I have used in the past is using the TCP port forward option in Windows Server. You configure a server at the MX site to forward a port from its LAN IP address to the remote web site. Then create a hosts entry on your client's machine pointing at that server. The other option is to use the Meraki VPN client where it is doing a full tunnel.
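The port-forward workaround described in the answer above, written out as an added example (this is not the poster's or Meraki's own configuration). It uses the Windows `netsh interface portproxy` feature on a server at the MX site and a hosts-file entry on the client. The addresses (10.0.1.50 for the server's LAN IP, 203.0.113.10 for the remote web site) and the hostname www.example.com are placeholders, not values from the thread.

```powershell
# --- On the Windows Server at the MX site (run elevated) ---
# Assumed values: 10.0.1.50 is this server's LAN IP inside the MX encryption domain,
# 203.0.113.10 is the public IP of the remote web site, port 443 is the service to reach.
$listenIp  = "10.0.1.50"
$remoteIp  = "203.0.113.10"
$port      = 443

# portproxy depends on the IP Helper service; make sure it is running and starts at boot.
Set-Service -Name iphlpsvc -StartupType Automatic
Start-Service -Name iphlpsvc

# Forward TCP $port on the server's LAN IP to the remote web site.
# The rule is persisted in the registry, so it survives reboots.
netsh interface portproxy add v4tov4 `
    listenaddress=$listenIp listenport=$port `
    connectaddress=$remoteIp connectport=$port

# Allow the inbound connections from the VPN peer through Windows Firewall.
New-NetFirewallRule -DisplayName "Portproxy to remote web site ($port/tcp)" `
    -Direction Inbound -Protocol TCP -LocalPort $port -Action Allow | Out-Null

# Verify the rule is in place.
netsh interface portproxy show v4tov4

# --- On the client machine behind the other VPN peer (run elevated) ---
# Point the web site's hostname at the forwarding server's LAN IP, which IS reachable
# over the site-to-site tunnel because it sits inside the MX encryption domain.
$hostsPath = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
Add-Content -Path $hostsPath -Value "$listenIp www.example.com"

# Check the override is applied and the port answers through the tunnel.
Resolve-DnsName www.example.com
Test-NetConnection -ComputerName www.example.com -Port $port
```

Because the client still connects using the real hostname, TLS SNI and certificate validation keep working; the Windows server only relays the TCP stream and never terminates TLS. Two things to check if it does not work: the client's VPN subnet must be able to reach 10.0.1.50 over the tunnel, and the Windows server must have ordinary internet access to 203.0.113.10 via the MX. The same hosts entry has to be added for every hostname the site serves (for example a CDN or API subdomain), or those requests will bypass the forwarder.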
Let's clarify.

WAN1 = All other traffic
WAN2 = Client VPN traffic

For clients connecting to WAN2 on the MX from the outside world, you would have to use the static IP (or Meraki dynamic DNS name) of the WAN2 connection as the address that clients connect to. There is no way to make incoming INTERNET connections prefer a WAN connection.

For outbound traffic to clients, make a traffic shaping rule that forces "any traffic" to "CLIENT VPN SUBNET" to prefer WAN2. By doing this you have no fail-over for VPN clients, but you have achieved what you are trying to achieve.

T-800