VPN IPsec work fine but i cant see any other PC

xmaster2002 · ‎2013-01-03

hi ,

my Problem :

I connect my Notebook via VPN IPsec to my Netgear srx5308 !
I use IKE + Policies ( no modeConfig ).

The connecttion work fine but i cant ping any other PC and also it isnt possible to ping the SRX !

WAN1 217.xxx.xxx.xxx

VLan1
192.168.1.0 / 255.255.255.0
- SRX -> 192.168.1.1

VLan 2
192.168.21.0 / 255.255.255.0
- PC1 -> 192.168.21.100
- DS1812 -> 192.168.21.250

VPN-Client SHREW ( and also Netgear Client , same Situation)
- VPN-Client -> 172.xx.xx.2 (vodafone / iphone share )
( Active IPsec SA(s) .. )
( i can chnage it .. to self selcted IP 10.0.10.2 etc. but also no effect )

Why i cant ping any other device !?
any idea ... ?

PS:
more info

SRX - VPN Poilcies
Traffic Selection
192.168.1.1
255.255.255.0

Remote IP : ANY
FQDN : remote.com

adit · ‎2013-01-03

Read my LAN Subnets NOT to Use tutorial. Change traffic selector to .0 and try again. Just like a regular VPN, you need additional VPN policies for each additional LAN subnet.

xmaster2002 · ‎2013-01-03

hi ,
i also try it with .0
same result !

if you use the wizard he fill it auto. with 192.168.1.1 ...
but i wasnt sure its correct .. thats the reason why i also try it with .0 !

any other idea !??

and thx for the tip with ... single polic. for each VLan !!

adit · ‎2013-01-03

Test with Internet connection other than iPhone. Your carrier may be blocking VPN. You have to test from outside of your LAN as well.

xmaster2002 · ‎2013-01-03

hmmm..
ok , but it also dosent work with a client from landline !

and i dont think that the carrier block VPN ...
but i will check this also .. again

but today it will be not possible

xmaster2002 · ‎2013-01-03

PS:

but the connection are working well !!!
normaly the carrier maybe can block to build up a VPN !!
but he cant block the connection to my internal ... network PCs!

or iam wrong !?

adit · ‎2013-01-03

I would suggest posting screenshots of the setup and log copies. If you can't ping the SRX, then the setup is wrong.

jmizoguchi · ‎2013-01-03

see my FVS336 and shrew case study

xmaster2002 · ‎2013-01-03

😉
i used the case study !!

but this dosent help me !
the connection work fine with Netgear Client and also with shrew !

2 sec. and i am connected ! But i cannt see the other PCs ...
at you case study are no infos how i can solve such problems or why i face such problems !

jmizoguchi · ‎2013-01-03

You need to trust opposite ip on pc's firewall.

xmaster2002 · ‎2013-01-03

hmm
you are sure !?

firewall are not installed on synology ds1812 and how i should do it on the srx5308 ... normally a ping after a VPN connection are online should be possible ! or not ? i actived ping ok from Lan and Wan at srx !

jmizoguchi · ‎2013-01-03

LAN ,WAN ping feature not need it VPN.

WAN ping will flood the router from any outsiders

Gateway for NAS is point to router?

xmaster2002 · ‎2013-01-04

hi ...
any option here to post screeners !?
( plz dont tell me : use Skydrive or things like this ! 😉 .. )

jmizoguchi · ‎2013-01-04

Common way to post to use imageshack.us

xmaster2002 · ‎2013-01-05

http://imageshack.us/g/1/9949716/

maybe this helps

jmizoguchi · ‎2013-01-05

Mode config IP pool can NOT me same as you LAN subnet

xmaster2002 · ‎2013-01-05

?? ModeConfig !?!?
i dont use ModeConfig !

i post IKE Polic. and VPN Polic. !

jmizoguchi · ‎2013-01-05

Link showed 12 imageschack

xmaster2002 · ‎2013-01-05

hmm .. i cant see any pic with ModeConfig !!!
i dont use it ! thats why normally it isnt possible that i post a ModeConfig screener !!!

PS:

mayb this helps also
Fri Jan 04 09:39:07 2013 (GMT +0100): [SRX5308] [IKE] INFO: IPsec-SA established: ESP/Tunnel
217.xxx.xx.xxx->109.xxx.xxx.xxx with spi=3320127859(0xc5e52173)
Fri Jan 04 09:39:07 2013 (GMT +0100): [SRX5308] [IKE] INFO: IPsec-SA established: ESP/Tunnel
109.xxx.xxx.xxx->217.xxx.xxx.xxx with spi=226577000(0xd814a68)
Fri Jan 04 09:39:07 2013 (GMT +0100): [SRX5308] [IKE] INFO: No policy found, generating the policy :
172.xxx.xxx.xxx/32[0] 192.168.21.0/24[0] proto=any dir=in
Fri Jan 04 09:39:07 2013 (GMT +0100): [SRX5308] [IKE] INFO: Using IPsec SA configuration:
192.168.21.0/24<->0.0.0.0/0 from remote.com
Fri Jan 04 09:39:07 2013 (GMT +0100): [SRX5308] [IKE] INFO: Responding to new phase 2
negotiation: 217.xxx.xxx.xxx[0]<=>109.xxx.xxx.xxx[0]
Fri Jan 04 09:39:07 2013 (GMT +0100): [SRX5308] [IKE] INFO: Sending Informational Exchange: notify
payload[INITIAL-CONTACT]
Fri Jan 04 09:39:07 2013 (GMT +0100): [SRX5308] [IKE] INFO: ISAKMP-SA established for
217.xxx.xxx.xxx[500]-109.xxx.xxx.xxx[39120] with spi:5fc2131788210d2d:7d8804eeca0e4747
Fri Jan 04 09:39:06 2013 (GMT +0100): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Jan 04 09:39:06 2013 (GMT +0100): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Jan 04 09:39:06 2013 (GMT +0100): [SRX5308] [IKE] INFO: Received unknown Vendor ID
Fri Jan 04 09:39:06 2013 (GMT +0100): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Fri Jan 04 09:39:06 2013 (GMT +0100): [SRX5308] [IKE] INFO: Received Vendor ID: DPD
Fri Jan 04 09:39:06 2013 (GMT +0100): [SRX5308] [IKE] INFO: Received unknown Vendor ID

jmizoguchi · ‎2013-01-05

I was on my iPad so possible not showing what you posted.

It will be a whe to use PC but NAS has correct gateway ip?

I'm going to assume that

VPN policy is like
Ex.
Local 192.168.70.0/255.255.255.0
Remote Any

xmaster2002 · ‎2013-01-05

See ... The NAS are current not so important !
The most important thing are current that i am able to ping anything ...
First what i want are to ping the SXR 192.168.1.1 ... Than i am happy !
2. Step are to ping the NAS with ip 192.168.21.250

In case that it,must be i can change the ips but normally
I want that the SRX will use the 192.168.1.1

3. Step are to ping the ip 192.168.1.100

Curreny i have a stable VPN connection and all looks good but 0 chancr to reach anything with the VPN !

And i cant finde the,misstake why i am not able to ping the srx i thing normally all are fine for this min. Setup !
I cant understanf it !!!!

Send from my Lumia920

jmizoguchi · ‎2013-01-05

Ahh... I couldn't see well earlier .... I'm on pc now probably some to do with your DNS. looks like you are using own DNS server Got to many of LAN DHCP SERVCER screenshot. you only need the one actually you are using confusing 🙂

jmizoguchi · ‎2013-01-05

Make network digaram I see router's IP is 192.168.21x and 192.168.100x so not sure 192.168.1.1 I seen as DNS server under DHCP setup

xmaster2002 · ‎2013-01-05

See ... The NAS are current not so important !
The most important thing are current that i am able to ping anything ...
First what i want are to ping the SXR 192.168.1.1 ... Than i am happy !
2. Step are to ping the NAS with ip 192.168.21.250

In case that it,must be i can change the ips but normally
I want that the SRX will use the 192.168.1.1

3. Step are to ping the ip 192.168.1.100

Curreny i have a stable VPN connection and all looks good but 0 chancr to reach anything with the VPN !

And i cant finde the,misstake why i am not able to ping the srx i thing normally all are fine for this min. Setup !
I cant understanf it !!!!

Send from my Lumia920

xmaster2002 · ‎2013-01-05

Ok ...

SRX are the DHCP for
Vlan 192.168.1.0
And
Vlan 192.168.21.0

The SRX use the ip 192.168.1.1
Also at the same Vlan are a DIR-855 with 192.168.1.100
( whats behind the DIR-855 are not intresst )

At the 2. Vlan are
A Server with ip 192.168.21.100
And the Synology DS1812 with ip 192.168.21.250

Thats more or less the topology ....

If i want that a special Server are availble to the VPN useres or public i bring him into the network 192.168.21.0

The DNS entries are only given by me ..,i dont config. A special one !

VPN IPsec work fine but i cant see any other PC

VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC

Re: VPN IPsec work fine but i cant see any other PC