Restrict User to VLAN after VPN - Not working

Question

Hello,&nbsp;On SRX5308 &nbsp;I have created a IPSec VPN connection using Mode Config and IKE policy. I am able to VPN in. However, I can access all Subnets - even though I have specified the Subnet as 10.50.10.0 in the Mode Config.&nbsp;Little background - My setup is multi-tenant. Specific customers need access to their own servers. I have done this by creating different subnet for each customer. This makes sure that Customer A cannot see Customer B servers. We are now adding VPN capability for customers. However I am having difficulty pasing this restriction via VPN. When customer connects by VPN,its as if no VLAN rules are getting applied. In my VLAN settings, the DNS Proxy and InterVLAN routing are disabled in all VLANs.&nbsp;&nbsp;Please advise...&nbsp;&nbsp;Here are my settings. In here, I want the connection restricted to 10.50.10.0 subnet only - they should not be able to see other subnets&nbsp;In the Mode Config I have the Below setting:&nbsp;&nbsp;Client Pool:&nbsp;Record Name:modeConfigFirst IP Pool:10.50.101.200 - 10.50.101.215Second IP Pool:-Third IP Pool:-Primary WINS Server:&nbsp;Secondary WINS Server:&nbsp;Primary DNS Server:10.50.10.1Secondary DNS Server:&nbsp;&nbsp;&nbsp;Traffic Tunnel Security Level:&nbsp;PFS Key Group:DH Group 2 (1024 bit)SA Lifetime:3600SA Lifebyte:0Encryption Algorithm:AES-128Integrity Algorithm:MD5Local Subnet IP Address:10.50.10.0Local Subnet Mask:255.255.255.0&nbsp;&nbsp;My IKE Policy is:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;

chiragk11 · Answer

FYI - I am using Shrew VPN client.&nbsp;In the Shrew VPN Client, I noticed that if I have the DNS set to 10.50.10.1, then it works as desired.&nbsp;However if the DNS is left as "automatic", then the entire network is open to the VPN user. so even though the setting above solves the issue, its a huge security hole, and since DNS Automatic is the default setting, we cannot do this.&nbsp;I need to be able to enforce the DNS to 10.50.10.1 to the VPN user using Mode Config (I suppose)....&nbsp;Please advise..

chiragk11 · Answer

Never mind the last post #2. It seemed to work when I first connected, but after a minute, I was able to access entire network - so I back to square 1.&nbsp;

DaneA · Answer

Hi&nbsp;chiragk11,

&nbsp;

It seems that you are the same person as&nbsp;chirag11. &nbsp;I believe this forum thread is related to this one&nbsp;here. &nbsp;

&nbsp;

Let us try this:&nbsp;using 1 IKE policy, create 3 VPN policies that pertains to each VLAN. &nbsp;Do not yet configure mode config record. &nbsp;Let us know your observations and post screenshots of the IKE and VPN policies.

&nbsp;

Regards,

&nbsp;

DaneA

NETGEAR Community Team

DaneA · Answer

Hi&nbsp;chiragk11,

&nbsp;

Just to add, to possibly&nbsp;set the VPN to access only a specific VLAN other than the default VLAN,&nbsp;the setting for this to work is in the VPN Policy under Traffic Selection. &nbsp;By default, when creating the policy using the VPN wizard, &nbsp;it will use the IP address of the default VLAN. &nbsp;However, if you change this to the network address of the desired VLAN, it will allow access to that VLAN through the VPN. &nbsp;Inter VLAN routing must be turned off in the VLAN settings if the desired effect is to not be able to access other VLAN’s.

&nbsp;

On the figure below, &nbsp;from the working policy; note that 192.168.245.0 is the network address of the&nbsp;secondary VLAN and not the LAN IP address of the default VLAN. &nbsp;Also note, Mode Config is not being used. &nbsp;Just use&nbsp;the VPN wizard on both the SRX5308 on each side. &nbsp;

&nbsp;

Regards,

&nbsp;

DaneA

NETGEAR Community Team

DaneA · Answer

Hi&nbsp;chiragk11,

&nbsp;

I just want to follow-up on this. &nbsp;Referring on my last reply, were you able to try it? &nbsp;If yes, what are your observations?&nbsp;

&nbsp;

Regards,

&nbsp;

DaneA

NETGEAR Community Team

Forum Discussion

Restrict User to VLAN after VPN - Not working

5 Replies

Related Content

Restrict Management access not working

Restrict DHCP?

RAX36S Guest Network port restrictions

netdata NT not working

time restrictions

NETGEAR Academy

ProSupport for Business

Client Pool:
Record Name:	modeConfig
First IP Pool:	10.50.101.200 - 10.50.101.215
Second IP Pool:	-
Third IP Pool:	-
Primary WINS Server:
Secondary WINS Server:
Primary DNS Server:	10.50.10.1
Secondary DNS Server:

Traffic Tunnel Security Level:
PFS Key Group:	DH Group 2 (1024 bit)
SA Lifetime:	3600
SA Lifebyte:	0
Encryption Algorithm:	AES-128
Integrity Algorithm:	MD5
Local Subnet IP Address:	10.50.10.0
Local Subnet Mask:	255.255.255.0