
SRX5308 VPN and double WAN

Cercer01
Aspirant

SRX5308 VPN and double WAN

Hello,

 

So I have a SRX5308 configured with 2 WAN for load balancing. Here's my network :

 

fw_vpn.png

I want to set up a VPN. I followed different tutorials and it doesn't work. When I open the tunnel it's blocked in phase 1 (green). Here's my configuration:

 

vpn_wizard.PNG

vpn_policies.PNG

wizard_1.PNG

advanced.PNG

 

Thanks!

Message 1 of 14

Accepted Solutions
DaneA
NETGEAR Employee Retired

Re: SRX5308 VPN and double WAN

@Cercer01,

 

Going back to the network diagram you posted, you mentioned that the two devices connected to the ISPs are switches.  I believe these switches are Layer 3 switches which are connected to the WAN ports of the SRX5308.  The WAN IP addresses that are registered on the SRX5308 are private IP addresses.  With regard to this, I'm afraid it seems that the client-to-box VPN you want to achieve is not possible with your current network setup.

 

For client-to-box VPN to work, refer to the network setup below as an example:

 

 

The local IP address of the Remote PC or laptop where the ProSAFE VPN Client software is installed should be different from the local subnet of the SRX5308.  Based on the network diagram you posted, the local network address of the SRX5308 is 192.168.1.0, so the local IP address of the Remote PC or laptop where the ProSAFE VPN Client software is installed should be different from it (from the example above, it should be on 10.10.10.6).

 

 

Regards,

 

DaneA
NETGEAR Community Team


Message 5 of 14

All Replies
DaneA
NETGEAR Employee Retired

Re: SRX5308 VPN and double WAN

Hi Cercer01,

 

Welcome to the community! 🙂 

 

Based on the network diagram you posted, since the SRX5308 is behind another router, you will need to either open ports on the routers to allow VPN connection or connect the SRX5308 to the DMZ ports of the routers to allow VPN access.

 

Also, on the part that says Local ID and Remote ID on the ProSAFE VPN Client software, it should be like this below:

 

Local ID: myvpn_remote.com

Remote ID: myvpn_local.com

 

 

Regards,

 

DaneA
NETGEAR Community Team

Message 2 of 14
Cercer01
Aspirant

Re: SRX5308 VPN and double WAN

Hi DaneA,

 

Thank you for your answer. There is no router behind my SRX5308, it's a switch ;)

 

So I changed the Local and Remote ID and I'm still blocked at phase 1. Maybe the problem is in my VPN policies?

Message 3 of 14
Cercer01
Aspirant

Re: SRX5308 VPN and double WAN

Do I have to change my VPN client IP ?

 

ipsec.PNG

 

Also, in the distant network IP I have 192.168.1.1 which is my port number not my network (which is 192.168.1.0). I tried with the network IP and it changed nothing.

 

Here's the log :

20170712 11:26:17:866 Upgrading configuration...
20170712 11:26:17:866 Reading configuration...
20170712 11:26:17:872 IKEv1 configuration detected
20170712 11:26:17:872 No IKEv2 configuration
20170712 11:26:17:872 Default IKE daemon is removing SAs...
20170712 11:26:17:873 No SSL configuration
20170712 11:26:17:876 Default reinitializing daemon
20170712 11:26:17:973 Default (SA Ikev1Gateway-Ikev1Tunnel-P2) is opening.
20170712 11:26:17:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20170712 11:26:22:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20170712 11:26:27:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20170712 11:26:32:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20170712 11:26:37:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20170712 11:26:42:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID] [VID] [VID] [VID] [VID]
20170712 11:26:42:979 Default transport_send_messages: giving up on message 00ECCF80
Message 4 of 14
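Added example, not part of the original thread and not NETGEAR code: a small Python check for the two things the accepted answer points to, namely a phase 1 request that is retransmitted with no reply until the client gives up, and gateway or client addressing that prevents a client-to-box tunnel. The sample log lines and the 192.168.0.2 WAN address used in testing are constructed, and the `RECV` keyword for an inbound message is an assumption, since the posted log contains only `SEND` lines.

```python
import ipaddress
import re

# Constructed sample in the format of the client log posted above.
SAMPLE_LOG = """\
20170712 11:26:17:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID]
20170712 11:26:22:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID]
20170712 11:26:27:977 Default (SA Ikev1Gateway-P1) SEND phase 1 Aggressive Mode [SA] [KEY_EXCH] [NONCE] [ID] [VID]
20170712 11:26:32:979 Default transport_send_messages: giving up on message 00ECCF80
"""

# "RECV" as the keyword for an inbound message is an assumption; the posted log has only SEND.
EVENT = re.compile(
    r"^\d{8} \d\d:\d\d:\d\d:\d{3} Default "
    r"(?:\(SA \S+\) (?P<dir>SEND|RECV) phase 1|(?P<giveup>transport_send_messages: giving up))"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def phase1_unanswered(log_text):
    """True when phase 1 was sent, no phase 1 reply was logged, and the client gave up."""
    sent = received = 0
    gave_up = False
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue
        if m.group("giveup"):
            gave_up = True
        elif m.group("dir") == "SEND":
            sent += 1
        else:
            received += 1
    return sent > 0 and received == 0 and gave_up


def addressing_problems(gateway_wan_ip, gateway_lan, client_ip):
    """Return the two addressing conditions from the accepted answer that apply."""
    problems = []
    wan = ipaddress.ip_address(gateway_wan_ip)
    if any(wan in net for net in RFC1918):
        problems.append("gateway WAN address is private (gateway is behind another router)")
    if ipaddress.ip_address(client_ip) in ipaddress.ip_network(gateway_lan):
        problems.append("client address is inside the gateway's LAN subnet")
    return problems
```

An unanswered phase 1 combined with a private WAN address on the gateway means the IKE packets are stopping at the upstream device, so the fix is on that device (port forwarding, DMZ or bridge mode) rather than in the VPN policy.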
Cercer01
Aspirant

Re: SRX5308 VPN and double WAN

Sorry, when you said "SRX5308 is behind another router" I thought you were talking about "my network", not the box connected to the ISP. I'm gonna try with 10.10.10.6 local IP.

Message 6 of 14
DaneA
NETGEAR Employee Retired

Re: SRX5308 VPN and double WAN

@Cercer01,

 

The 10.10.10.6 local IP address that I mentioned on previous response is just an example.  Just for clarification and before you make some changes, kindly answer the questions below:

 

a. Based on the network diagram you posted, what are the devices connected to the ISP which are connected to the SRX5308?  Are they Layer 3 switches or routers?  What is the brand and model of them?

b. What is the current local IP address of the PC / laptop you are using where the ProSAFE VPN Client software is installed? 

c. What is the current firmware version of the SRX5308?

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 7 of 14
Cercer01
Aspirant

Re: SRX5308 VPN and double WAN

@DaneA

 

a. In France this device is called a "box"; it's an all-in-one device which includes internet, telephone, router, firewall, ...

 

b. It was 192.168.1.60; this is why I changed the IP to 10.10.10.6, to have a different network.

 

c. 4.3.1-22

Message 8 of 14
DaneA
NETGEAR Employee Retired

Re: SRX5308 VPN and double WAN

@Cercer01,

 

Since you mentioned that the 'boxes' between the ISPs and SRX5308 are all-in-one devices which include internet, telephone, router & firewall, it's confirmed that the SRX5308 is behind another router/firewall.  As I previously replied to you, you will need to do either of the following:

 

a. Open ports on the 'box' to allow VPN connection. 

b. Connect the SRX5308 to the DMZ ports of the 'box' to allow VPN access.

c. If a & b above still do not work, set the 'box' to full-bridge mode so that the Public WAN IP Address will be registered to the SRX5308.  Kindly refer again to the network diagram from my recent response.

 

Kindly access the articles below and use them as your reference guide:

 

ProSAFE VPN Client: Client to Box Configuration

 

Configure an IPv4 IPSec VPN Connection between a Gateway and a Client - read pages 8-15 

 

Also, I suggest that you upgrade the firmware of the SRX5308 to the latest v4.3.5-3.  You can download firmware version 4.3.5-3 here.  Be reminded to reset the SRX5308 back to factory defaults after upgrading the firmware then reconfigure it from scratch in order to start clean using the latest firmware version.

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 9 of 14
Cercer01
Aspirant

Re: SRX5308 VPN and double WAN

@DaneA

 

Thank you very much for your answer. I still have questions.

 

About the VPN policies, in local I have 192.168.1.1 (the VPN Wizard created it) which is not my network (192.168.1.0) but the IP of the LAN port. Is that correct?

 

In the configuration wizard of the VPN client, in private IP (internal) I put 192.168.1.1 but it must be the IP of the network I want to reach (192.168.1.0) right?

Message 10 of 14
DaneA
NETGEAR Employee Retired

Re: SRX5308 VPN and double WAN

@Cercer01,

 

In the VPN Policy, I believe the settings under Traffic Selection should be the following below:

 

Local IP: Subnet

Start IP: 192.168.1.0 

Subnet Mask: 255.255.255.0 

 

Remote IP: Any

 

In the configuration wizard of the VPN client, it should be 192.168.1.0 which is the subnet IP Address of the network you want to reach.  

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 11 of 14
DaneA
NETGEAR Employee Retired

Re: SRX5308 VPN and double WAN

@Cercer01,

 

I just want to follow-up on this.  Any updates? 

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 12 of 14
Cercer01
Aspirant

Re: SRX5308 VPN and double WAN

@DaneA

 

Everything works fine, I just tried last night. Thank you for your help.

Message 13 of 14
DaneA
NETGEAR Employee Retired

Re: SRX5308 VPN and double WAN

@Cercer01,

 

Thanks for the update.  I'm glad to know that everything is working fine. 🙂 

 

Feel free to post your future concerns here in the NETGEAR Community regarding any NETGEAR product. 

 

 

Cheers,

 

DaneA

NETGEAR Community Team

Message 14 of 14