chiragk11
Nov 23, 2016 (Aspirant)
Accessing specific VLAN after VPN based on user
Hello
I have an SRX 5308. I have 3 VLANs defined.
Default = 192.168.3.1
VLAN10 = 10.50.10.1
VLAN20 = 10.50.20.1
I need to define IPSec VPN, such that when user1 logs in, he gets the Default VLAN.
When user2 logs in, he gets VLAN10 and user3 gets VLAN20.
I was able to create an IKE Policy and Mode Config to get into Default VLAN. When I login as user1, I can get access to all Default VLAN resources - so this works as desired.
So I created a similar setup and created a new Mode Config - and here I set a different IP range in the mode config - I even tried copying the exact same DNS and IP info (not the range, as it would not allow 2 mode configs with the same IP range).
Here are the screen shots. First 2 are the IKE policy and Mode Config that work.
The second two are the ones that don't work.
FYI - I am using Shrew VPN client
My VPN log seems to show this with the policy that does not work.
I have created identical profiles (except the FQDN and shared key), I am at a loss....
Please advise...
Wed Nov 23 08:53:53 2016 (GMT +0000): [SRX5308] [IKE] ERROR: Ignore information because ISAKMP-SA has not been established yet.
Wed Nov 23 08:53:43 2016 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 36460 and total length 40.
IN THE BELOW MODE CONFIG, I HAVE TRIED TO CHANGE THE DNS and LOCAL PRIMARY to various values (VLAN IP, router IP etc), but none seems to work.
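The two log lines quoted in the post are the only hard evidence of what is failing, so it helps to read them mechanically rather than by eye. The following script is an added example, not part of the original post or of NETGEAR's software: it parses lines in the SRX5308 log format shown above, extracts the two length values from the "Malformed packet" message, and flags the entry because a payload length (36460) larger than the total packet length (40) is impossible for a well-formed IKE datagram; it also reports the "ISAKMP-SA has not been established" line as the expected follow-on of a phase 1 that never completed. The sample log is constructed from the two lines in the post; the regexes and finding text are this example's own assumptions about the format.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Line format as it appears in the SRX5308 VPN log quoted in the post, e.g.
#   Wed Nov 23 08:53:43 2016 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet ...
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) \(GMT [+-]\d{4}\): "
    r"\[(?P<device>[^\]]+)\] \[(?P<subsys>[^\]]+)\] (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# The two numbers the firmware reports for a malformed packet.
MALFORMED_RE = re.compile(
    r"Malformed packet of payload length (?P<payload>\d+) and total length (?P<total>\d+)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"


@dataclass
class IkeEvent:
    ts: str
    device: str
    subsys: str
    level: str
    msg: str
    payload_len: Optional[int] = None
    total_len: Optional[int] = None

    @property
    def length_inconsistent(self) -> bool:
        # A payload cannot be longer than the datagram that carries it; when the
        # log claims it is, the packet was corrupted, truncated or mis-parsed.
        return (self.payload_len is not None and self.total_len is not None
                and self.payload_len > self.total_len)


def parse_line(line: str) -> Optional[IkeEvent]:
    """Parse one log line; return None for lines not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = IkeEvent(m["ts"], m["device"], m["subsys"], m["level"], m["msg"])
    mm = MALFORMED_RE.search(ev.msg)
    if mm:
        ev.payload_len = int(mm["payload"])
        ev.total_len = int(mm["total"])
    return ev


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, finding) pairs, oldest first, for IKE lines worth a look."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.subsys != "IKE":
            continue
        if ev.length_inconsistent:
            findings.append((ev.ts,
                             f"malformed IKE packet: payload length {ev.payload_len} exceeds "
                             f"total length {ev.total_len}; the IKE exchange cannot proceed from this packet"))
        elif "ISAKMP-SA has not been established" in ev.msg:
            findings.append((ev.ts,
                             "informational exchange arrived before phase 1 completed; "
                             "expected follow-on of the failed IKE SA above"))
    # The device logs newest-first; report in chronological order instead.
    findings.sort(key=lambda f: datetime.strptime(f[0], TS_FORMAT))
    return findings


# Constructed sample: the two lines quoted in the post, in the order the device printed them.
SAMPLE_LOG = [
    "Wed Nov 23 08:53:53 2016 (GMT +0000): [SRX5308] [IKE] ERROR: Ignore information because ISAKMP-SA has not been established yet.",
    "Wed Nov 23 08:53:43 2016 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 36460 and total length 40.",
]

if __name__ == "__main__":
    for ts, finding in triage(SAMPLE_LOG):
        print(f"{ts}: {finding}")
```

Run as-is it prints the malformed-packet finding first (08:53:43) and the ignored informational exchange second (08:53:53), which is the order in which they actually happened. The same parser can be pointed at a full exported VPN log to see whether the malformed packet recurs on every connection attempt with the second Mode Config, which would tell you the problem is in the proposal exchanged with that profile rather than a one-off transmission error.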
4 Replies
- DaneA (NETGEAR Employee, Retired)
Hi chiragk11,
Kindly try to use the VPN Wizard on the SRX5308 to create both IKE and VPN policies for each VLAN.
Let us know the results.
Regards,
DaneA
NETGEAR Community Team
- chirag11 (Aspirant)
I did try the VPN Wizard. But the configuration it created to start did not even let me connect.
Can you help provide some details on what values to set if I want to allow any remote IP, using the User database, and allow access to a specific VLAN - say 10.50.10.0 - AND specifically disallow access to 10.50.20.0?