chiragk11
Nov 23, 2016 (Aspirant)
Restrict User to VLAN after VPN - Not working
Hello,
On SRX5308 I have created an IPSec VPN connection using Mode Config and IKE policy. I am able to VPN in. However, I can access all subnets, even though I have specified the subnet as 10.50.10.0 in the Mode Config.
Little background: my setup is multi-tenant. Specific customers need access to their own servers. I have done this by creating a different subnet for each customer. This makes sure that Customer A cannot see Customer B servers. We are now adding VPN capability for customers. However, I am having difficulty passing this restriction via VPN. When a customer connects by VPN, it's as if no VLAN rules are getting applied. In my VLAN settings, the DNS Proxy and InterVLAN routing are disabled in all VLANs.
Please advise...
Here are my settings. In here, I want the connection restricted to 10.50.10.0 subnet only - they should not be able to see other subnets
In the Mode Config I have the below settings:
Client Pool:
  Record Name: modeConfig
  First IP Pool: 10.50.101.200 - 10.50.101.215
  Second IP Pool: -
  Third IP Pool: -
  Primary WINS Server:
  Secondary WINS Server:
  Primary DNS Server: 10.50.10.1
  Secondary DNS Server:
Traffic Tunnel Security Level:
  PFS Key Group: DH Group 2 (1024 bit)
  SA Lifetime: 3600
  SA Lifebyte: 0
  Encryption Algorithm: AES-128
  Integrity Algorithm: MD5
  Local Subnet IP Address: 10.50.10.0
  Local Subnet Mask: 255.255.255.0
My IKE Policy is:
5 Replies
- chiragk11 (Aspirant)
FYI - I am using Shrew VPN client.
In the Shrew VPN Client, I noticed that if I have the DNS set to 10.50.10.1, then it works as desired.
However, if the DNS is left as "automatic", then the entire network is open to the VPN user. So even though the setting above solves the issue, it's a huge security hole, and since DNS Automatic is the default setting, we cannot do this.
I need to be able to enforce the DNS to 10.50.10.1 to the VPN user using Mode Config (I suppose)....
Please advise..
- chiragk11 (Aspirant)
Never mind the last post #2. It seemed to work when I first connected, but after a minute I was able to access the entire network, so I'm back to square 1.
- DaneA (NETGEAR Employee Retired)
Hi chiragk11,
It seems that you are the same person as chirag11. I believe this forum thread is related to this one here.
Let us try this: using 1 IKE policy, create 3 VPN policies that pertain to each VLAN. Do not yet configure the mode config record. Let us know your observations and post screenshots of the IKE and VPN policies.
Regards,
DaneA
NETGEAR Community Team
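As an added example (not from the thread and not NETGEAR's own tooling), a small Python check that expands the Mode Config client pool from the post, verifies it does not sit inside any tenant VLAN, and turns the per-tenant isolation requirement into an expected-reachability matrix to compare against what a connected client can actually reach during the per-VLAN policy test. The customer-b and customer-c subnets and the policy name are constructed assumptions; only 10.50.10.0/24 and the pool come from the thread.

```python
import ipaddress

# From the thread: the Mode Config client pool and the one subnet the VPN
# user should reach. The other tenant VLANs are constructed examples.
CLIENT_POOL = ("10.50.101.200", "10.50.101.215")
TENANT_VLANS = {
    "customer-a": ipaddress.ip_network("10.50.10.0/24"),  # from the thread
    "customer-b": ipaddress.ip_network("10.50.20.0/24"),  # constructed
    "customer-c": ipaddress.ip_network("10.50.30.0/24"),  # constructed
}
# Intended scope of each VPN policy (one policy per VLAN); name is assumed.
VPN_POLICY_ALLOW = {"customer-a-vpn": {"customer-a"}}


def pool_addresses(first, last):
    """Expand a first/last address range into the individual client IPs."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]


def pool_overlaps_tenant(first, last):
    """Tenants whose VLAN contains any pool address. A pool placed inside a
    tenant VLAN would make every VPN client a member of that LAN."""
    return sorted({name for a in pool_addresses(first, last)
                   for name, net in TENANT_VLANS.items() if a in net})


def expected_reachability(policy):
    """tenant -> bool matrix of what the policy is intended to allow."""
    allowed = VPN_POLICY_ALLOW[policy]
    return {name: name in allowed for name in TENANT_VLANS}


def check_observed(policy, observed):
    """Compare an observed tenant -> bool reachability map (from a connection
    test) against the intended matrix; return tenants reachable by mistake."""
    expected = expected_reachability(policy)
    return sorted(t for t, seen in observed.items()
                  if seen and not expected.get(t, False))


if __name__ == "__main__":
    print("pool overlaps:", pool_overlaps_tenant(*CLIENT_POOL))
    # Constructed observation matching the post: everything was reachable.
    seen = {"customer-a": True, "customer-b": True, "customer-c": True}
    print("leaked tenants:", check_observed("customer-a-vpn", seen))
```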