sblommers (Aspirant), Dec 09, 2013
IPSEC VPN Issue with the SRX5308
Hi guys,
We are trying to use the NetGear SRX5308 as a VPN solution to connect to our server network. We have SSL VPN working but are having trouble with IPSEC.
I should note that the NetGear firewall is not the primary gateway in the network. We have a SonicWall for that.
This (roughly) is our network topology: http://i.imgur.com/JQncC06.jpg
This is the IKE policy: http://i.imgur.com/ZK3PJnT.png
and the Mode Config: http://i.imgur.com/ZK3PJnT.png
In words, our server IPV4 network is 10.10.0.0/16. The netgear LAN is configured on 10.10.1.0/24. The device is reachable on the LAN by others in the 10.10.1.0/24 range. IPSEC VPN Mode config range is 10.10.6.0/24.
- Problem: we can connect with the client but don't have access to the LAN (we DO have access to the WAN and can route other internet traffic through the tunnel).
Things we have already tried:
1. setting the LAN to 10.10.0.0/16 and Mode Config to 10.21.1.0/24, however now the packets are being dropped by the sonic wall (the gateway device), as the range (10.21.1.0/24) is not known.
2. Setting LAN to 10.10.0.0/16 with a mode config range inside this range will not work (as per documentation). Btw this DOES work with SSL VPN (which we use in this way).
If any of you have any suggestions I would be very grateful,
Merlijn (using an account of a colleague registered to the device)
4 Replies
- adit (Mentor): Read my Mode Config tutorial. Use the FQDNs listed there.
- jmizoguchi (Virtuoso):
http://i.imgur.com/JQncC06.jpg
Probably not reading the diagram wrong, but aren't both WANs of the routers going to VLAN2 and both LANs on VLAN1?
So if you are terminating the VPN on the SRX, how will the SonicWall flag it?
- sblommers (Aspirant): You are reading it right. The idea was that even in case the sonicwall goes down we could still have access to the server network through VPN.
But if this is not going to work we could add another LAN (different subnet) to the sonic walls configuration and use that to enter the network.
So, for example
L1 - 10.10.0.0/16 - our server network
L2 - 10.21.1.0/24 - network between sonicwall & SRX5308
L3 - 10.21.2.0/24 - client VPN subnet
The thing is, in the sonic wall config the vpn range L3 must be INSIDE L2 (otherwise it drops the packets) and on the netgear it must be OUTSIDE. But I guess this can work out with an asymmetric configuration.
We will also need a static route for L1 on the netgear and I'm not sure this is going to work in combination with IPSEC. Will it?
- sblommers (Aspirant): We solved this BTW. All we needed to do was add a static route on the sonic wall to the SRX5308 for the IPSEC network.
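The fix reported in the last reply, modeled as an added example that is not part of the thread or of any NETGEAR or SonicWall tooling: a longest-prefix-match trace of the reply path from a server back to a VPN client, with and without the static route on the SonicWall. The gateway addresses 10.10.0.1 and 10.10.1.1, the client address 10.21.1.10, and the choice of the 10.21.1.0/24 pool from attempt 1 are assumptions made for illustration.

```python
import ipaddress

# Networks from the thread; the two gateway addresses are assumed for illustration.
SERVER_NET = ipaddress.ip_network("10.10.0.0/16")  # server network (SRX LAN in attempt 1)
VPN_POOL = ipaddress.ip_network("10.21.1.0/24")    # Mode Config pool in attempt 1
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
SONICWALL = "10.10.0.1"  # assumed SonicWall LAN address (servers' default gateway)
SRX5308 = "10.10.1.1"    # assumed SRX5308 LAN address

def lookup(table, dst):
    """Longest-prefix match. Returns the next hop, or None if no route matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def build_tables(static_route_on_sonicwall):
    """Simplified routing tables for a server, the SonicWall and the SRX5308."""
    sonicwall = [(SERVER_NET, "on-link"), (DEFAULT, "WAN")]
    if static_route_on_sonicwall:
        sonicwall.append((VPN_POOL, SRX5308))  # the fix reported in the thread
    return {
        "server": [(SERVER_NET, "on-link"), (DEFAULT, SONICWALL)],
        SONICWALL: sonicwall,
        SRX5308: [(SERVER_NET, "on-link"), (VPN_POOL, "ipsec-tunnel"), (DEFAULT, "WAN")],
    }

def reply_path(tables, start, dst):
    """Follow a reply from `start` towards `dst` through each device's table."""
    path, node = [start], start
    while node in tables and len(path) < 16:  # hop limit guards against loops
        hop = lookup(tables[node], dst)
        if hop == "on-link":
            path.append(dst)  # delivered directly on the local segment
            break
        path.append(hop)
        node = hop
    return path

if __name__ == "__main__":
    client = "10.21.1.10"  # constructed VPN client address from the pool
    print("without static route:", reply_path(build_tables(False), "server", client))
    print("with static route:   ", reply_path(build_tables(True), "server", client))
```

Without the static route the reply follows the SonicWall's default route and never reaches the SRX5308; with it, the SonicWall hands the packet back to the SRX5308 on the LAN, which forwards it into the tunnel.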