
Can't access some servers through VPN

R-v-E
Tutor

Can't access some servers through VPN

Hi,

I have 2 SRX5308 with a working site to site VPN connection.

Site 1 is the main office with a terminal server (192.168.20.1) etc.

Site 2 is a small office with one client PC (192.168.40.100), printer (192.168.40.102) and a building management system (192.168.40.200). This system has a small webserver to control the system.

I can access the terminal server through the VPN. I can ping the printer on site 2 from site 1. I can ping the client PC and both firewalls.

Everything is working great.

I can't however access the webserver on site 2 from site 1.

The webserver works on the local client PC. I can ping the webserver from the client PC on site 2. But I can't ping the webserver from site 1.

I've added screenshots of the settings from both sites.

Firmware 1: 4.3.3-8

Firmware 2: 4.3.4-1

Do I need to add something in the firewall?

Thanx!

VPN Site 1.png
IPSEC Site 1.png
VPN Site 2.png
IPSEC Site 2.png

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 1 of 10
DaneA
NETGEAR Employee Retired

Re: Can't access some servers through VPN

Hi R-v-E,

Welcome to the community! 🙂

It seems that the IKE / VPN policies are properly configured. Kindly answer the questions below:

a. Are there VLANs configured on site 2? If yes, which VLAN is the webserver part of?

b. Is the IP address configured on the webserver a static IP address? Kindly check its IP address details.

Regards,

DaneA

NETGEAR Community Team

Message 2 of 10
DaneA
NETGEAR Employee Retired

Re: Can't access some servers through VPN

Hi R-v-E,

I have just reviewed the screenshots you posted again and it seems that I overlooked site 2. There is an error in the site 2 IKE policy. Please check the screenshot below. Kindly add a VPN policy via the IPsec VPN Wizard and enter the correct Local WAN1 IP address.

Let us know the results. I look forward to your response.

Regards,

DaneA

NETGEAR Community Team

Message 3 of 10
R-v-E
Tutor

Re: Can't access some servers through VPN

@DaneA

The ISP on site 2 only offers VDSL with a FritzBox (modem and router). I can't use a different modem. Therefore the WAN IP address is the one you see in the picture.

So the situation is: ISP --> Modem / Router --> SRX5308 --> PC, printer, webserver
                                                                       --> Public Wifi via guest network

The router has VPN/IPSEC passthrough.

All IPs are fixed. No DHCP is used.

Site 1 has some VLANs but those are for guests and other stuff. Not in use by me.

Everything works, except the webserver.

Greetings,

Message 4 of 10
DaneA
NETGEAR Employee Retired

Re: Can't access some servers through VPN

Hi R-v-E,

I suggest you check the default gateway on the web server. Double-check whether it is incorrect or not present at all, because this would prevent the web server from replying back over the VPN.

Also, as I pointed out from the VPN policies (check the screenshot from my previous response), it has a LAN IP as the WAN IP identifier, so you have a double NAT scenario since the SRX5308 is not the main router. I suggest you use an FQDN as both identifiers in the IKE policy and not the LAN IP.

Let us know the results after making the changes as suggested.

Regards,

DaneA

NETGEAR Community Team

Message 5 of 10
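A small check for the return-path problem DaneA describes (a host that cannot hand its replies to the local router never gets them into the tunnel), added here as an illustration and not part of this thread or of any NETGEAR tooling. Only the webserver address 192.168.40.200, its gateway 192.168.40.5 and the site 1 subnet come from the thread; the subnet masks and the three broken variants are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HostConfig:
    name: str
    ip: str
    netmask: str
    gateway: Optional[str]  # None models a host with no default gateway set


def diagnose_return_path(host: HostConfig, remote_subnet: str) -> List[str]:
    """Explain why replies from `host` to `remote_subnet` might never be
    handed to the local router, and so never enter the VPN tunnel.
    An empty list means the host's IP settings look sane."""
    findings = []
    iface = ipaddress.ip_interface(f"{host.ip}/{host.netmask}")
    local_net = iface.network
    remote = ipaddress.ip_network(remote_subnet, strict=False)

    # Mask too wide: the remote site looks on-link, so the host ARPs for the
    # remote address locally instead of sending the reply to its gateway.
    if local_net.overlaps(remote):
        findings.append(f"{host.name}: mask {host.netmask} makes {remote} look "
                        "on-link; replies are ARPed locally instead of routed")

    if host.gateway is None:
        findings.append(f"{host.name}: no default gateway; replies to {remote} "
                        "are dropped")
    else:
        gw = ipaddress.ip_address(host.gateway)
        # The gateway must be on the host's own subnet or it is unreachable.
        if gw not in local_net:
            findings.append(f"{host.name}: gateway {gw} is outside {local_net}")
    return findings


# Constructed samples: 192.168.40.200 and gateway 192.168.40.5 are from the
# thread; the /24 mask and the three broken variants are assumptions.
SITE1_LAN = "192.168.20.0/24"
WEBSERVER_OK = HostConfig("webserver", "192.168.40.200", "255.255.255.0", "192.168.40.5")
WEBSERVER_NO_GW = HostConfig("webserver", "192.168.40.200", "255.255.255.0", None)
WEBSERVER_WIDE_MASK = HostConfig("webserver", "192.168.40.200", "255.255.0.0", "192.168.40.5")
WEBSERVER_BAD_GW = HostConfig("webserver", "192.168.40.200", "255.255.255.0", "192.168.41.1")

if __name__ == "__main__":
    for h in (WEBSERVER_OK, WEBSERVER_NO_GW, WEBSERVER_WIDE_MASK, WEBSERVER_BAD_GW):
        print(h.netmask, h.gateway, diagnose_return_path(h, SITE1_LAN) or ["ok"])
```

Run it with the real mask and gateway read from the building management system's network page; a clean result for the webserver points the search away from its IP settings and towards the device's own firewall or service binding.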
DaneA
NETGEAR Employee Retired

Re: Can't access some servers through VPN

Hi R-v-E,

I just want to follow up on this. Were you able to perform the changes I suggested? If yes, what are your observations?

Regards,

DaneA

NETGEAR Community Team

Message 6 of 10
R-v-E
Tutor

Re: Can't access some servers through VPN

Hi,

I'll be on site later this week. I'll keep you updated.

Greetings

Message 7 of 10
DaneA
NETGEAR Employee Retired

Re: Can't access some servers through VPN

Hi R-v-E,

I just want to follow up on this again. Were you able to perform the changes I suggested? If yes, what are your observations?

Regards,

DaneA

NETGEAR Community Team

Message 8 of 10
R-v-E
Tutor

Re: Can't access some servers through VPN

Hi DaneA,

The default gateway on the webserver is 192.168.40.5

I changed the LAN IP on the WAN IP identifier to FQDN.

But still no access to the webserver.

The printer on site 2 has a built-in webserver. I can access this webserver. I think the problem isn't in the VPN configuration but I have no idea where to look next.

I will try to forward the port and see if I can access the webserver just by forwarding the ports.

Greetings.

Message 9 of 10
DaneA
NETGEAR Employee Retired

Re: Can't access some servers through VPN

Hi R-v-E,

I just want to follow up. Were you able to access the web server by configuring port forwarding?

Regards,

DaneA

NETGEAR Community Team

Message 10 of 10