This topic has been marked solved and closed to new posts due to inactivity. We hope you'll join the conversation by posting to an open topic or starting a new one.
Hi, I hope you can help me. I've got a business network with an SRX5308, and home office with an AVM Fritz Box 7490.
On the business side, I've got
VLAN Default 10.0.0.0/24
VLAN 72 192.68.72.0/24
other VLANS of no interest
VPN to another branch office SRX5308 as 192.168.55.0/24
Now ideally, I'm trying to access the default VLAN, VLAN 72 and the VPN to the 55 network from my Box at home. I've managed to get the Fritzbox to connect to the SRX (only took about a day playing with their stupid settings) but can't for example access the 72 VLAN.
The setting used on the Fritzbox (from their manual) is set as
accesslist = "permit ip any 10.0.0.0 255.255.255.0", "permit ip any 192.168.72.0 255.255.255.0";
Now, on the SRX I can only specify one local network in the VPN policy - how to I tell the SRX to allow access to the VLANs or VPNs?
Now I get what you wanted to accomplish: from Site A === passing through ===> MainSite === going to ===> Site B is not possible. It would be best if you just configure a VPN connection directly between Site A and Site B.
many thanks for taking the time to reply. I wasn't aware that I can define multiple VPN policies for the same IKE policy - thank you!
This has now worked for the 72 VLAN when I duplicate the VPN policy and specify that subnet.
What I cannot get to work now is the access to the business VPN tunnels. Is that supposed to work?
My design now looks like this:
MAIN SRX 10.0.0.0/24:
- VLAN 72 192.168.72.0/24
- Connected to SiteB (another SRX) 192.168.55.0/24
- Connected to SiteC (a Draytek) 192.168.100.0/24
My homeoffice is connected through the AVM Fritzbox, and is now capable of communicating with 10.0.0.0/24 and 192.168.72.0/24.
What I cannot get to work using the same methology is to access the remote VPNs on 55 and 100. Is that supposed to work the same way?
Thank you very much for your help!
I don't really expect a reply very soon for a good reason - I wish you and everyone reading this a Merry Christmas and some quality time with your families.
Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Were you able to try to create new IKE/VPN policies (either by using the VPN Wizard or manual configuration) to be able to establish a VPN tunnel between the 55 and 100?
this is almost right, with the exception of only 1 (main) WAN port being used. WAN 2 is only a failover for the 100 Mbps line on WAN1. So all Tunnels terminate on WAN1.
VLAN 72 (192.168.72.0/24) is defined next to the default VLAN 10.0.0.0/24 on Main Site, and accessed from Site A, which is 192.168.178.0/24. This is working fine using your suggestion.
What I was wondering is if it is possible to access the tunnels (and if so, how) like this:
Site A to Site B via Main Site. It's been a little while, but I think I tried:
- Duplicating the working VPN policies from Site A to Main with a target network of 192.168.55.0
- Duplicating the working VPN policy from Site B to Main Site, with a target network of 192.168.178.0/24 (Site A).
That didn't seem to work as easily as accessing the VLAN from Site A.
Now I get what you wanted to accomplish: from Site A === passing through ===> MainSite === going to ===> Site B is not possible. It would be best if you just configure a VPN connection directly between Site A and Site B.
Problem is that Site A isn't allowed to connect to the other endpoints directly from a dynamic IP range. The only aggressive mode we have is for the main site.
Looks as though I will have to figure out something else.
I'm happy to share my experience. You may want to post this in a new topic to keep it tidy. Reply here with the link to the newly created topic so others may find it.
