Create multiple Client VPN for Multiple Network

Siemmina
Level 1

Hello Community,

I was wondering if it is possible to create multiple client VPNs for different tenants or networks on Meraki.

I have two network labs for two different tenants and a Meraki MX84 firewall. I would like to create two client VPNs, each of which can reach only its own lab network without access to the other's network.

Thank you in advance.


ww^
Meraki Community All-Star

You can only have 1 VPN subnet.

Do you mean you have 1 MX and 2 VLANs?

You can do some FW rules using group policies; read this: https://community.meraki.com/t5/Security-SD-WAN/Feature-Request-Apply-group-policies-to-Client-VPN/td-p/18637

Or do you have 2 networks with 2 MXs?

Hello ww,

Thank you for your answer. Yes, I have one MX and two different networks or sites (each network has its VLANs). If Meraki lets me create only one client VPN subnet, how can I differentiate so that a client can access one network and not the other?

Hello ww,

Thank you for the link. I tried to create a Group Policy to limit the access and applied it to a VPN client, but it seems that it doesn't work; it ignores the policy.

Furthermore, I carefully read the following post that you shared: https://community.meraki.com/t5/Security-SD-WAN/Feature-Request-Apply-group-policies-to-Client-VPN/td-p/18637

and it says that it's not possible to apply group policies to Client VPN.

Please find the comment attached... Is there any way we can do that?

Meraki Employee
Re: Feature Request: Apply group policies to Client VPN

Hi @jeremiahmiller

There is no workaround to apply different Group policies to Client VPN users as of today. Can I ask you to use the dashboard "Make a wish" section to add this request? I think it's a valid request, and using the Make a wish section will help our product and engineering teams consider these new enhancements.

"

Actually, the possibilities are highly limited here. The traffic from VPN clients is subject to the L3 firewall, but for your use case, you would need differentiated access. And as we cannot apply group policies via RADIUS for VPN users as is possible with wireless users, all clients are treated the same.

I really hope for more possibilities with the coming AnyConnect support.

How do I solve this problem? Nearly all my Meraki implementations have an additional ASA for all Client- and external S2S VPNs. A cheap Firepower 1010 is very often enough here.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Hello Karstenl,

Thank you for your reply. I'm new to Meraki's world, but do you think that I can add a virtual FMC and FTD that could be managed by Meraki Cloud?

Not the way that you have an FMC and FTP managed by the Meraki-Cloud. For having *one* cloud-managed solution, the Cisco Defense Orchestrator (CDO) is the Cisco solution. But it is likely that it does not fit your needs (yet). But you still can manage the FTD/ASA locally. Yes, I also do not really like that, but for now, it is IMO the only usable way.