Meraki

Community

About Atalanta

Re: Z3 auto-vpn internet access

by in Security & SD-WAN
‎Dec 29 2022 2:00 PM
‎Dec 29 2022 2:00 PM
The MX is in routed mode. There are no static routes defined at all. The default routes on the MX are default quad route for the WAN, going out the WAN interface and the default quad route next-hopped to the Home office over the Meraki vpn. The VPN quad route is the one that is active.    The current configuration on the Z3 is that the home office hub is the ipv4 default route. We removed the source based default routes to try and clean up the route table with so many default routes populating.    For testing and problem isolation purposes, we moved the MX to a DIA connection with a DHCP lease from the ISP. the Z3 is behind a local ISP router so is getting a DHCP lease from the router, which is then nat’d to the ISP IP. The auto VPN is able to negotiate and establish the tunnels.  ... View more

Re: Z3 auto-vpn internet access

by in Security & SD-WAN
‎Dec 29 2022 1:46 PM
‎Dec 29 2022 1:46 PM
The Z3 is running 17.10.2 and the MX is 17.10.  ... View more

Re: Z3 auto-vpn internet access

by in Security & SD-WAN
‎Dec 29 2022 9:51 AM
‎Dec 29 2022 9:51 AM
Yes. We tried that after we weren’t making any progress on the source-based default route. We can see the traffic in the vpn tunnel when looking at the packet-captures, but we don’t see anything on the LAN or WAN. Traceroute out to 8.8.8.8 from the client workstation only hits the local Z3 gateway then gets no replies from anything after that. We can hit local internal resources just fine so that side of the tunnel and routing is working as expected.      ... View more

Z3 auto-vpn internet access

by in Security & SD-WAN
‎Dec 29 2022 8:10 AM
‎Dec 29 2022 8:10 AM
I have a MX68 configured in our home office for client vpn’s for our remote consultants to connect to. We recently purchased a Z3 teleworker gateway to enable our one of our consultants who travels internationally to deploy for a site to site vpn using the Meraki auto-vpn functionality. We configured the Z3 with specific vlan’s for local internet access and for remote access. The remote access vlan’s are intended to go across the vpn tunnel to access resources in the home office, and more importantly, dump out the home office internet connection. We did this using source-based default routes initially, and even eventually converted it all to full tunneling.    The problem we are encountering is that the remove access vlans on the Z3 are not able to reach any internet resources when the auto-vpn tunnel is working.    I need some guidance on getting this sorted out. My consultant is already international and his current location is limiting the support we can get from Cisco directly as we draw down and close out our operations in Russia. ... View more
Labels:
© 2024 Cisco Systems, Inc.