SRX5308 Only two IPSEC Channels working over same IKE

Question

Hello,&nbsp;I have configured two SRX5308 (R1, R2) to connect over a IKE Channel&nbsp;(IKE1).&nbsp;This channel were used by three IP-Sec Channels (IPSEC1 - IPSEC3).&nbsp;All Channels are configured with the same subnet on R1 side and different subnets on R2 side. Anything else are common configured.&nbsp;As soon as I enabled the IPSec Channels, two channels are up and one not. If I disabled and reenabled the channels, sometimes two other channels up and one not.Summary I mean: Maximum two random channels are up.&nbsp;Is the SRX5308 limited to two IPSECs per IKE Channel?&nbsp;&nbsp;Best regards&nbsp;

DaneA · Answer

Hi&nbsp;MBau,

&nbsp;

Welcome to the community! :)&nbsp;

&nbsp;

Kindly post a .img or .png image of your detailed network diagram as well as the settings you have configured on both SRX5308.&nbsp;

&nbsp;

What is the current firmware version of both SRX5308?

&nbsp;

Regards,

&nbsp;

DaneA

NETGEAR Community Team

MBau · Answer

Hello DaneA,&nbsp;thank you for your fast reply.&nbsp;Here´s a simplified image. Through one IKE Tunnel should routed three IPSec Tunnels with different subnets.&nbsp;&nbsp;Following the full detailed image to show the real wireing.&nbsp;Most routers don´t (or didn´t) support routing from vpn to vpn. And if they do, debugging is nearly not possible. So our department build up a IKE Connections to a separeted Router behind the main router realized with destination NAT (Portforwarding on matching source IP). Now it is possible to route to customer VPNs usinge a transfer network.It works! But only with two of three IPSEC Tunnels.&nbsp;With two random tunnels! Sometimes tunnel&nbsp;one and two. Sometime tunnel two and three.&nbsp;&nbsp;Best regards&nbsp;P.S: Firmware:&nbsp;4.3.4-2IKE: Preshared Key - Aggressive - AES256 - SHA1 - DH5 - 28800s Lifetime - DPD onIPSEC: &nbsp; AES256 - SHA1 - DH5 - 3600s

DaneA · Answer

MBau,
&nbsp;
I have inquired your concern to a higher tier of NETGEAR Support. &nbsp;On the&nbsp;SRX5308, 125 IPSec VPN policies can run concurrently using the same IKE policy, but the remote endpoint should be same for all IPSec VPN policies using the same IKE policy. &nbsp;
&nbsp;
Kindly check&nbsp;that all remote endpoint are the same for all IPSec VPN policies. &nbsp;Also, when&nbsp;one of the policies does not connect, kindly provide the VPN logs relating to this policy to be reviewed.
&nbsp;
&nbsp;
Regards,
&nbsp;
DaneA
NETGEAR Community Team

JohnRo · Answer

Hi MBau,&nbsp;
&nbsp;
We’d greatly appreciate hearing your feedback letting us know if the information we provided has helped resolve your issue or if you need further assistance.
If your issue is now resolved we encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The Netgear community looks forward to hearing from you and being a helpful resource in the future!
&nbsp;
Thanks,

DaneA · Answer

@MBau,

&nbsp;

I just want to follow-up on this. &nbsp;We’d greatly appreciate your feedback.

&nbsp;

Regards,

&nbsp;

DaneA

NETGEAR Community Team

Forum Discussion

SRX5308 Only two IPSEC Channels working over same IKE

7 Replies

Related Content

SRX5308 Multi-homing working strangely

Bridge 2 Networks with SRX5308 Help

Missing 5Ghz Channels

Xr500 configure channels

Nighthawk AC1900 5GHz Channel stopped working

NETGEAR Academy

ProSupport for Business