Reply

UTM150 to SRX5308 VPN issues_case # 25952345

BeauNidle
Aspirant

UTM150 to SRX5308 VPN issues_case # 25952345

Hi All, looking for help with a perplexing error please.

 

Trying to connect additional subnets over a VPN between a UTM150 and an SRX and have hit a brick wall.

 

Site 1 has a subnet of 192.168.1.0/24 with a UTM150, Site 2 has a subnet of 192.168.51.0/24 with an SRX5308.  VPN between the two works fine.

Site 1 now has an additional VLAN of 192.168.16.0/24, site 2 has an additional VLAN of 192.168.56.0/24.  VLANs on each site individually work fine.

 

Config *should* be add additional VPN policy to each device with the new subnets, so add a new VPN policy on the SRX, same IKE policy already in use, new subnet 192.168.56.0/24 local, 192.168.16.0/24 remote - applies ok but not connected.

Same interface on the UTM add new VPN policy 192.168.16.0/24 local, 192.168.56.0/24 remote, wont apply - comes up with "Can't share IKE policy with different secondary local gateway" ???  What?

 

Netgear support give the usual "flatten it from space and start again" answer that has never yet worked and would involve driving around the countryside between sites, so I am desperately looking for any clues as to what the error means and what secondary gateway its talking about? Has anyone sucessfully connected multiple subnets over prosafe devices?  if so am I going about this the wrong way? Is there another way?

 

Ideally I want to keep these subnets sepereate as one is voice, but first priority is to connect them..  Any help would be gratefully received.

Message 1 of 7
DaneA
NETGEAR Moderator

Re: UTM150 to SRX5308 VPN issues_case # 25952345

Hi BeauNidle

 

I would just like to share this article and it might help you with your concern.  

 

Welcome to the community! Smiley Happy

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 2 of 7
BeauNidle
Aspirant

Re: UTM150 to SRX5308 VPN issues_case # 25952345

Thanks Dane, but I have that article - it works on the SRX range, but not on the UTM.  The UTM generates the error I am trying to resolve.

 

Its when you follow that article you get the issue and the spurious error message.

Message 3 of 7
DaneA
NETGEAR Moderator

Re: UTM150 to SRX5308 VPN issues_case # 25952345

Hi BeauNidle,

 

Regarding this, the VPN endpoint is a selection in the VPN policy.  It has to match what the first one was.  Same with the WAN as it is using the same IKE policy, a lot of those settings must match.  It is needed to use the same endpoint, same WAN selection.  Different names, cannot have duplicates.

 

 

Regards,

 

DaneA

NETGEAR Community Team 

Message 4 of 7
BeauNidle
Aspirant

Re: UTM150 to SRX5308 VPN issues_case # 25952345

I know all that - on the SRX its fine.  On the UTM however, it does not work.  The error does not indicate anything related to duplicates or anything else, it just reports a secondary gateway error and refuses to create the policy. Netgear technical chased it around for a week or so with no answers.

I have found a workaround that involves creating a fictitious policy with a fictitious IKE, letting it create the IKE and VPN policies for the fictitious endpoint (which it will do, bizarrely) then manually editing the VPN policy and deleting the fictitious IKE policy - a bit clunky.

 

I am still curious however as to why the netgear interface A) wont let you set up a perfectly valid VPN policy and B) will let you set up a totally invalid, unworkable IKE and VPN policy?

Message 5 of 7
DaneA
NETGEAR Moderator

Re: UTM150 to SRX5308 VPN issues_case # 25952345

Hi BeauNidle,

 

Since you have an ongoing case with NETGEAR Support, it would be better to inquire your questions with them.  Your ongoing case might be escalated to the engineering team if it is valid and necessary.  

 

 

Regards,

 

DaneA

NETGEAR Community Team

Message 6 of 7
BeauNidle
Aspirant

Re: UTM150 to SRX5308 VPN issues_case # 25952345

Tried that too.  Got an engineer who (remotely) kept trying the same thing to see if it would go away.......  After that suggested I nuke the network from Orbit and see if that fixed it - not desperately helpful unfortunately.  Thats why I posted originally - to see if I could find someone with more knowledge than the 2nd line guy who had no clue but wouldnt escalate.

 

 

Message 7 of 7
Discussion stats
  • 6 replies
  • 2300 views
  • 0 kudos
  • 2 in conversation
Announcements