
Cercer01
Aspirant
Jul 11, 2017
Solved

SRX5308 VPN and double WAN

Hello,

So I have an SRX5308 configured with 2 WANs for load balancing. Here's my network:

fw_vpn.png

I want to set up a VPN. I followed different tutorials and it doesn't work. When I open the tunnel it's blocked in phase 1 (green). Here's my configuration:

vpn_wizard.PNG

vpn_policies.PNG

wizard_1.PNG

advanced.PNG

Thanks!


13 Replies

  • DaneA
    NETGEAR Employee Retired

    Hi Cercer01,

    Welcome to the community! :)

    Based on the network diagram you posted, since the SRX5308 is behind another router, you will need to either open ports on the routers to allow the VPN connection or connect the SRX5308 to the DMZ ports of the routers to allow VPN access.

    Also, the part that says Local ID and Remote ID on the ProSAFE VPN Client software should look like this:

    Local ID: myvpn_remote.com

    Remote ID: myvpn_local.com

    Regards,

    DaneA
    NETGEAR Community Team

    • Cercer01
      Aspirant

      Hi DaneA,

      Thank you for your answer. There is no router behind my SRX5308, it's a switch ;)

      So I changed the Local and Remote IDs and I'm still blocked at phase 1. Maybe the problem is in my VPN policies?

      • Cercer01
        Aspirant

        Do I have to change my VPN client IP?

        ipsec.PNG

        Also, in the distant network IP I have 192.168.1.1, which is my port number, not my network (which is 192.168.1.0). I tried with the network IP and it changed nothing.

        Here's the log:

        20170712 11:26:17:866 Upgrading configuration...
        20170712 11:26:17:866 Reading configuration...
        20170712 11:26:17:872 IKEv1 configuration detected
        20170712 11:26:17:872 No IKEv2 configuration
        20170712 11:26:17:872 Default IKE daemon is removing SAs...
        20170712 11:26:17:873 No SSL configuration
        20170712 11:26:17:876 Default reinitializing daemon
        20170712 11:26:17:973 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) is opening.
        20170712 11:26:17:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
        20170712 11:26:22:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
        20170712 11:26:27:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
        20170712 11:26:32:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
        20170712 11:26:37:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
        20170712 11:26:42:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
        20170712 11:26:42:979 Default transport_send_messages: giving up on message 00ECCF80
    • DaneA
      NETGEAR Employee Retired

      Cercer01,

      Going back to the network diagram you posted, you mentioned that the two devices connected to the ISPs are switches. I believe these switches are Layer 3 switches which are connected to the WAN ports of the SRX5308. The WAN IP addresses registered on the SRX5308 are private IP addresses. With regard to this, I'm afraid it seems that the client-to-box VPN you want to achieve is not possible with your current network setup.

      For client-to-box VPN to work, refer to the network setup below as an example:

      The local IP address of the remote PC or laptop where the ProSAFE VPN Client software is installed should be different from the local subnet of the SRX5308. Based on the network diagram you posted, the local network address of the SRX5308 is 192.168.1.0, so the local IP address of the remote PC or laptop where the ProSAFE VPN Client software is installed should be different from it (from the example above, it should be on 10.10.10.6).

      Regards,

      DaneA
      NETGEAR Community Team
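As an added diagnostic example (not part of this thread and not a NETGEAR tool), the script below encodes the three points raised: the client log above shows only phase-1 SENDs with no reply before the client gives up, an RFC1918 address on the SRX5308 WAN port means it sits behind the ISP-side device, and the client's own address must not fall inside the SRX LAN subnet. The "RECV phase 1" line format, the /24 mask on 192.168.1.0 and the two WAN addresses are assumptions; the log lines are copied from the thread.

```python
import ipaddress
import re

# Constructed sample: first, middle and last lines of the client log posted above.
SAMPLE_LOG = """\
20170712 11:26:17:973 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) is opening.
20170712 11:26:17:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID]
20170712 11:26:22:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID]
20170712 11:26:42:979 Default transport_send_messages: giving up on message 00ECCF80
"""

# "RECV phase 1" is the assumed format of a reply line; none appears in the thread's log.
IKE_RE = re.compile(r"\(SA \S+\) (?P<dir>SEND|RECV) phase (?P<phase>\d)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def analyse_log(text):
    """Classify a phase-1 attempt from the client log alone."""
    sent = recv = 0
    gave_up = False
    for line in text.splitlines():
        m = IKE_RE.search(line)
        if m and m["phase"] == "1":
            if m["dir"] == "SEND":
                sent += 1
            else:
                recv += 1
        if "giving up on message" in line:
            gave_up = True
    if sent and not recv and gave_up:
        # Retransmits with no reply at all: the IKE packets are not reaching the
        # gateway (or its replies are not coming back), not a rejected proposal.
        return "phase1-no-response"
    if recv:
        return "phase1-answered"
    return "inconclusive"


def check_addressing(wan_ips, lan_net, client_ip):
    """Return findings for the topology discussed in the thread."""
    findings = []
    lan = ipaddress.ip_network(lan_net, strict=False)
    for ip in wan_ips:
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            findings.append(f"WAN {ip} is RFC1918: the SRX5308 sits behind the ISP-side device, "
                            "so IKE (UDP 500/4500) must be forwarded to it or it must be in the DMZ")
    if ipaddress.ip_address(client_ip) in lan:
        findings.append(f"client {client_ip} lies inside LAN {lan}: "
                        "the tunnel's remote subnet would overlap the client's own network")
    return findings
```

Run `analyse_log(SAMPLE_LOG)` and `check_addressing(["192.168.10.2", "192.168.20.2"], "192.168.1.0/24", "192.168.1.50")` (constructed WAN and client addresses) to reproduce the three findings; with a public WAN address and the client on 10.10.10.6 the address check returns nothing.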

      • Cercer01
        Aspirant

        Sorry, when you said "SRX5308 is behind another router" I thought you were talking about "my network", not the box connected to the ISP. I'm gonna try with the 10.10.10.6 local IP.
