chiragk11
Aspirant
Nov 23, 2016

Accessing specific VLAN after VPN based on user

Hello 

I have an SRX 5308. I have 3 VLANs defined.

Default = 192.168.3.1

VLAN10 = 10.50.10.1

VLAN20 = 10.50.20.1

I need to define IPSec VPN, such that when user1 logs in, he gets the Default VLAN.

When user2 logs in, he gets VLAN10 and user3 gets VLAN20.

I was able to create an IKE Policy and Mode Config to get into the Default VLAN. When I log in as user1, I can access all Default VLAN resources, so this works as desired.

So I created a similar setup with a new Mode Config, and here I set a different IP range in the Mode Config. I even tried copying the exact same DNS and IP info (not the range, as it would not allow two Mode Configs with the same IP range).

Here are the screenshots. The first two are the IKE policy and Mode Config that work.

The second two are the ones that don't work.

FYI - I am using Shrew VPN client

My VPN log seems to show this with the policy that does not work.

I have created identical profiles (except the FQDN and shared key); I am at a loss...

Please advise...

Wed Nov 23 08:53:53 2016 (GMT +0000): [SRX5308] [IKE] ERROR: Ignore information because ISAKMP-SA has not been established yet.
Wed Nov 23 08:53:43 2016 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 36460 and total length 40.

In the below Mode Config, I have tried to change the DNS and Local Primary to various values (VLAN IP, router IP, etc.), but none seems to work.

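As an added example (not from the original post or from NETGEAR), a small Python parser for the SRX5308 VPN log lines quoted above. It orders the entries chronologically (the SRX log shows newest first) and flags a "Malformed packet" entry whose reported payload length exceeds the total packet length, the inconsistency visible in the 08:53:43 line. The field layout is inferred from the two quoted lines only and may not cover every message the SRX emits.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the two lines quoted from the SRX5308 VPN log in the post (newest first).
SRX_LOG = """\
Wed Nov 23 08:53:53 2016 (GMT +0000): [SRX5308] [IKE] ERROR: Ignore information because ISAKMP-SA has not been established yet.
Wed Nov 23 08:53:43 2016 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 36460 and total length 40.
"""

# Field layout inferred from the quoted lines only: timestamp (GMT offset): [device] [subsystem] LEVEL: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT (?P<tz>[+-]\d{4})\): "
    r"\[(?P<device>[^\]]+)\] \[(?P<subsystem>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$"
)
MALFORMED_RE = re.compile(r"Received Malformed packet of payload length (\d+) and total length (\d+)")


def parse_line(line):
    """Parse one SRX log line into a dict; return None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sign = -1 if m["tz"][0] == "-" else 1
    offset = timezone(sign * timedelta(hours=int(m["tz"][1:3]), minutes=int(m["tz"][3:5])))
    rec = {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=offset),
        "device": m["device"], "subsystem": m["subsystem"],
        "level": m["level"], "msg": m["msg"],
        "payload_len": None, "total_len": None,
    }
    pm = MALFORMED_RE.search(m["msg"])
    if pm:  # only "Malformed packet" entries carry the two length fields
        rec["payload_len"], rec["total_len"] = int(pm[1]), int(pm[2])
    return rec


def parse_log(text):
    """Parse a whole log dump and return the records oldest-first (the SRX UI lists newest first)."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return sorted(recs, key=lambda r: r["ts"])


def length_anomalies(records):
    """Malformed-packet entries whose payload length exceeds the total packet length.

    A payload cannot be longer than the datagram carrying it, so such an entry describes a
    datagram the SRX could not parse as IKE, worth separating from ordinary policy-mismatch errors.
    """
    return [r for r in records if r["payload_len"] is not None and r["payload_len"] > r["total_len"]]
```

Running `length_anomalies(parse_log(SRX_LOG))` on the quoted log returns just the 08:53:43 entry (payload 36460 in a 40-byte packet), while the later ISAKMP-SA error carries no length fields and is left alone.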

4 Replies

  • DaneA
    NETGEAR Employee Retired

    Hi chiragk11,

    Kindly try to use the VPN Wizard on the SRX5308 to create both IKE and VPN policies for each VLAN.

    Let us know the results.

    Regards,

    DaneA
    NETGEAR Community Team

    • chirag11
      Aspirant

      I did try the VPN Wizard. But the configuration it created to start did not even let me connect.

      Can you help provide some details on what values to set if I want to allow any remote IP, use the User database, allow access to a specific VLAN (say 10.50.10.0), AND specifically disallow access to 10.50.20.0?

      • DaneA
        NETGEAR Employee Retired

        Hi chirag11,

        It seems that you are the same person as chiragk11. I have posted a new response on the post here.

        Regards,

        DaneA
        NETGEAR Community Team
