chiragk11
Aspirant

Accessing specific VLAN after VPN based on user

Hello,

I have an SRX5308 with 3 VLANs defined.

Default = 192.168.3.1

VLAN10 = 10.50.10.1

VLAN20 = 10.50.20.1

 

I need to define IPSec VPN, such that when user1 logs in, he gets the Default VLAN.

When user2 logs in, he gets VLAN10 and user3 gets VLAN20.

 

I was able to create an IKE Policy and Mode Config to get into the Default VLAN. When I log in as user1, I can access all Default VLAN resources, so this works as desired.

 

So I created a similar setup with a new Mode Config, and here I set a different IP range in the Mode Config. I even tried copying the exact same DNS and IP info (not the range, as it would not allow two Mode Configs with the same IP range).

Here are the screenshots. The first two are the IKE policy and Mode Config that work.

The second two are the ones that don't work.

 

FYI - I am using Shrew VPN client

 

 

My VPN log seems to show this with the policy that does not work.

I have created identical profiles (except for the FQDN and shared key). I am at a loss....

Please advise...

 

Wed Nov 23 08:53:53 2016 (GMT +0000): [SRX5308] [IKE] ERROR: Ignore information because ISAKMP-SA has not been established yet.
Wed Nov 23 08:53:43 2016 (GMT +0000): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 36460 and total length 40.

a3.PNG

a2.PNG

a4.PNG

In the Mode Config below, I have tried to change the DNS and Local Primary to various values (VLAN IP, router IP, etc.), but none seems to work.

a1.PNG

Message 1 of 5
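
The second log line in the post above reports a datagram whose ISAKMP header says it is 40 bytes long while a payload inside it claims to be 36460 bytes, which cannot both be true. The Python below is an added example, not NETGEAR or Shrew VPN code: it walks the payload chain of an IKEv1/ISAKMP datagram and applies the bounds check any IKE daemon must apply before trusting a payload length field. The two 40-byte datagrams are constructed here, one well-formed and one whose payload advertises 36460 bytes, so the malformed case mirrors the numbers in the log. One common way to end up with a length field that far out of range is an encrypted payload decrypted with the wrong key (for example after a pre-shared key mismatch), which turns the length bytes into garbage; the thread does not say whether that is what happened here.

```python
"""Validate the payload chain of an ISAKMP (IKEv1) datagram.

Added example for this thread, not NETGEAR or Shrew code. It shows the
bounds check an IKE daemon performs before trusting a payload's length
field, the inconsistency behind a "Malformed packet of payload length
36460 and total length 40" log line. Both sample datagrams are constructed.
"""
import struct

# RFC 2408 3.1: cookies, next payload, version, exchange type, flags, message ID, length
ISAKMP_HDR = struct.Struct(">8s8sBBBBII")
# RFC 2408 3.2 generic payload header: next payload, reserved, payload length
PAYLOAD_HDR = struct.Struct(">BBH")
FLAG_ENCRYPTION = 0x01
PAYLOAD_NONE = 0
NOTIFY = 11
EXCHANGE_INFORMATIONAL = 5


class MalformedPacket(ValueError):
    """Raised when a length field does not fit inside the datagram."""


def parse_isakmp(datagram):
    """Return [(payload_type, body_bytes), ...] or raise MalformedPacket.

    Only structural checks are done: header length against datagram size,
    and each payload's advertised length against the bytes that remain.
    Encrypted payloads cannot be walked without the SA's key, so they are
    rejected rather than misparsed.
    """
    if len(datagram) < ISAKMP_HDR.size:
        raise MalformedPacket("datagram shorter than ISAKMP header (%d bytes)" % len(datagram))
    (_icookie, _rcookie, next_payload, _version, _xchg, flags,
     _msgid, total_length) = ISAKMP_HDR.unpack_from(datagram, 0)
    if total_length != len(datagram):
        raise MalformedPacket("header length %d != datagram length %d"
                              % (total_length, len(datagram)))
    if flags & FLAG_ENCRYPTION:
        raise MalformedPacket("payloads are encrypted; decrypt before parsing")

    payloads = []
    offset = ISAKMP_HDR.size
    while next_payload != PAYLOAD_NONE:
        if offset + PAYLOAD_HDR.size > total_length:
            raise MalformedPacket("payload header at offset %d runs past the end" % offset)
        following, _reserved, plen = PAYLOAD_HDR.unpack_from(datagram, offset)
        # The advertised length includes the 4-byte generic header and must fit
        # in what remains; 36460 inside a 40-byte datagram fails right here.
        if plen < PAYLOAD_HDR.size or offset + plen > total_length:
            raise MalformedPacket("Malformed packet of payload length %d and total length %d"
                                  % (plen, total_length))
        payloads.append((next_payload, datagram[offset + PAYLOAD_HDR.size:offset + plen]))
        offset += plen
        next_payload = following
    if offset != total_length:
        raise MalformedPacket("%d trailing bytes after last payload" % (total_length - offset))
    return payloads


def _datagram(next_payload, flags, payload_bytes):
    """Build a constructed ISAKMP datagram (cookies are dummies) around payload_bytes."""
    length = ISAKMP_HDR.size + len(payload_bytes)
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x22" * 8, next_payload, 0x10,
                          EXCHANGE_INFORMATIONAL, flags, 0, length)
    return hdr + payload_bytes


# Constructed well-formed datagram: one 12-byte Notification payload
# (DOI 1, protocol ISAKMP, SPI size 0, NO-PROPOSAL-CHOSEN), 40 bytes in total.
GOOD = _datagram(NOTIFY, 0,
                 PAYLOAD_HDR.pack(PAYLOAD_NONE, 0, 12) + struct.pack(">IBBH", 1, 1, 0, 14))
# Constructed malformed datagram: same 40 bytes, but the payload claims 36460 bytes.
BAD = _datagram(NOTIFY, 0, PAYLOAD_HDR.pack(PAYLOAD_NONE, 0, 36460) + b"\x00" * 8)


def classify(datagram):
    """Return 'ok' for a parseable datagram, otherwise the MalformedPacket message."""
    try:
        parse_isakmp(datagram)
        return "ok"
    except MalformedPacket as exc:
        return str(exc)


if __name__ == "__main__":
    for name, dg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, len(dg), "bytes:", classify(dg))
```

Running it reports `ok` for the first datagram and `Malformed packet of payload length 36460 and total length 40` for the second. The point for a parser of any untrusted protocol is the same: a length field is a claim, not a fact, and it has to be checked against the bytes actually received before it is used to index or copy.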
DaneA
NETGEAR Employee Retired

Re: Accessing specific VLAN after VPN based on user

Hi chiragk11,

 

Kindly try to use the VPN Wizard on the SRX5308 to create both IKE and VPN policies for each VLAN.  

 

Let us know the results.

Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 5
chirag11
Aspirant

Re: Accessing specific VLAN after VPN based on user

I did try the VPN Wizard. But, to start with, the configuration it created did not even let me connect.

 

Can you help provide some details on what values to set if I want to allow any remote IP, using the user database, and allow access to a specific VLAN (say 10.50.10.0) AND specifically disallow access to 10.50.20.0?

Message 3 of 5
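
The requirement in the post above (reach 10.50.10.0, never 10.50.20.0) is not something the Mode Config address pool enforces by itself; the pool only identifies the user's traffic, and what that pool may reach is decided by the policy rules that match on it. The Python below is an added example, not SRX5308 configuration or any NETGEAR code: it builds a first-match rule set from the intended user-to-VLAN mapping, evaluates (source, destination) pairs against it with a trailing deny-all, and then audits every pool against every VLAN so that an accidental cross-VLAN path shows up as a violation. The /24 prefixes for the three VLANs and the 172.16.x.0/24 Mode Config pools are assumptions; the thread only gives the VLAN gateway addresses.

```python
"""Per-pool access policy for IPsec remote users, with a rule-set audit.

Added example for this thread, not NETGEAR SRX5308 configuration. Mode
Config hands each user profile its own address pool; which VLANs that pool
can reach is then whatever the gateway's policy rules say. VLAN prefixes
(/24) and pool ranges below are assumptions, not values from the post.
"""
from ipaddress import ip_address, ip_network

VLANS = {
    "Default": ip_network("192.168.3.0/24"),  # gateway 192.168.3.1 in the post
    "VLAN10": ip_network("10.50.10.0/24"),    # gateway 10.50.10.1
    "VLAN20": ip_network("10.50.20.0/24"),    # gateway 10.50.20.1
}

# Assumed Mode Config pools, one per user profile (not given in the post).
POOLS = {
    "user1": ip_network("172.16.1.0/24"),
    "user2": ip_network("172.16.2.0/24"),
    "user3": ip_network("172.16.3.0/24"),
}

# Intended reachability from the post: each user sees exactly one VLAN.
INTENDED = {"user1": {"Default"}, "user2": {"VLAN10"}, "user3": {"VLAN20"}}


def build_rules(intended):
    """First-match rule list: one explicit allow per (pool, VLAN), then deny everything."""
    rules = []
    for user, vlans in intended.items():
        for name in vlans:
            rules.append((POOLS[user], VLANS[name], "allow"))
    rules.append((ip_network("0.0.0.0/0"), ip_network("0.0.0.0/0"), "deny"))
    return rules


def evaluate(rules, src, dst):
    """Return the action of the first rule whose source and destination match."""
    src, dst = ip_address(src), ip_address(dst)
    for src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # unreachable with the trailing deny-all; kept as defence in depth


def audit(rules, intended):
    """List (user, vlan, got, wanted) wherever a pool's reach differs from intent."""
    violations = []
    for user, pool in POOLS.items():
        probe = str(pool[10])  # any host in the pool; /24 pools have an index 10
        for name, vlan in VLANS.items():
            got = evaluate(rules, probe, str(vlan[10]))
            wanted = "allow" if name in intended[user] else "deny"
            if got != wanted:
                violations.append((user, name, got, wanted))
    return violations


# A tempting shortcut: allow user2's pool to "the whole 10.x LAN" and rely on
# the VLANs being separate. The audit exposes the unintended path to VLAN20.
LOOSE_RULES = [(POOLS["user2"], ip_network("10.0.0.0/8"), "allow")] + build_rules(INTENDED)

if __name__ == "__main__":
    print("strict rules, violations:", audit(build_rules(INTENDED), INTENDED))
    print("loose rules, violations: ", audit(LOOSE_RULES, INTENDED))
```

The strict rule set audits clean; the loose variant reports `('user2', 'VLAN20', 'allow', 'deny')`, which is exactly the path this post wants closed. The same sweep, a probe from each pool to each VLAN, is worth running against whatever the gateway's policy actually is before treating the separation as done, because a broad allow placed before a narrower deny wins on a first-match engine.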
DaneA
NETGEAR Employee Retired

Re: Accessing specific VLAN after VPN based on user

Hi chirag11,

 

It seems that you are the same person as chiragk11. I have posted a new response on the post here.

Regards,

 

DaneA

NETGEAR Community Team

Message 4 of 5
DaneA
NETGEAR Employee Retired

Re: Accessing specific VLAN after VPN based on user

Hi chirag11,

 

I just want to follow up. Were you able to access and read my response at the link I provided? If yes, were you able to try it? If you were able to try it, kindly share the results.

Regards,

 

DaneA

NETGEAR Community Team

Message 5 of 5