NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
FVS336G v3 and Watchguard XTMv Site-to-Site VPN Configuration
Hi,
i am trying to set up a Site-to-Site VPN using a Netgear FVS336G v3 on one end and a virtualised Watchguard XTMv on the other end.
The VPN Tunnel is established most of the time, but no data is sent. But then, sometimes, very rarely, data is being sent over the tunnel for a short time.
It starts and stops without anyone changing any settings.
I am out of ideas, but i hope someone here has seen this problem before, or has a similar setup or at least some ideas.
The settings are configured as follows:
Netgear:
IKE Policy:
- Direction / Type: Both
- Exchange Mode: Aggressive
- Local:
- Select Local Gateway: WAN1
- Identifier Type: FQDN
- Identifier:nwident.no-ip.org
- Remote:
- Identifier Type: Remote Wan IP
- Identifier: some IP (called IP1)
- IKE SA Parameters:
- Encryption Algorithm: 3DES
- Authentication Algorithm: SHA-1
- Authentication Method: Pre-shared key
- Pre-shared key: some key
- Diffie-Hellmann (DH) Group: Group 2
- SA-Lifetime: 28800
- Enable Dead Peer Detection: Yes
- Detection Period: 20
- Reconnect after failure count: 3
- Extended Authentication:
- XAUTH Configuration: None
VPN Policy:
- General:
- Policy Type: Auto Policy
- Select Local Gateway: WAN1
- Remote Endpoint: IP Address IP1
- Enable Keepalive: No
- Traffic Selection:
- Local IP: Subnet
- Start IP Address: 172.22.59.0
- Subnet Mask: 255.255.255.0
- Remote IP: Subnet
- Start IP Address: 172.22.58.0
- Subnet Mask: 255.255.255.0
- Auto Policy Parameters:
- SA Lifetime: 3600
- Encryption Algorithm: 3DES
- Integrity Algorithm: SHA-1
- PFS Key Group: DH Group 2
- Select IKE Policy: above Policy is selected
Watchguard:
Branch Office VPN:
- Gateways:
- Credential Method:
- Use Pre-shared Key: some key (same as on the netgear device)
- Gateway Endpoint:
- Local Type: IP Address
- Local ID: IP Address IP1
- Local Interface: External
- Remote IP: Any
- Remote Type: Domain Name
- Remote ID: nwident.no-ip.org
- Phase 1 Settings:
- Mode: Aggressive
- NAT Traversal : Yes
- Keep-alive Interval: 20 seconds
- IKE Keep-alive: No
- Dead Peer Detection: Yes
- Traffic idle timeout: 20 seconds
- Max retries: 3
- Phase 1 transform: SHA1-3DES
- Key Group: Diffie-Hellmann Group 2
- Credential Method:
- Tunnels:
- Adresses
- Local: 172.22.58.0/24
- Direction: bi-directional
- Remote: 172.22.59.0/24
- Add this tunnel to BOVPN-Allow policies: Yes
- Phase 2 Settings:
- Enable Perfect Forward Secrecy: Diffie-Hellmann Group 2
- IPSec Proposals: ESP-3DES-SHA1
- Multicast Settings: Multicast disabled
- Adresses
Please let me know if something is missing.
I am looking forward to hear your ideas.
Thanks in advance!
5 Replies
Hi ESCde,
Welcome to the community! :)
Kindly check the SA Lifetime values. Let me share these old forum links that might help as reference:
Regards,
DaneA
NETGEAR Community Team
Hi DaneA,
thanks for your response.
I checked the SA Lifetime values and did indeed find different settings for Phase 2 on each device.
I have adjusted the SA Lifetime settings to 3600 seconds on both firewalls. But the problem has not changed.
Right now, as well as most of the time, no data is being transferred across the tunnel even though the tunnel is up. But sometimes data is sent for a very limited time.
Do you have another suggestion?
Best regards,
ESCde
Hi ESCde,
Kindly answer the questions below:
a. Does the Watchguard XTMv have a Public WAN IP address configured on it?
b. Is the WAN IP address of the FVS336Gv3 a Public WAN IP address?
c. Have you tried to change the LAN IP subnet on the FVS336Gv3 (or on the Watchguard XTMv) to a different one? For example, instead of 172.x.x.x, use either 10.x.x.x.
I look forward to your response.
Regards,
DaneA
NETGEAR Community Team
NETGEAR Academy
Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology!
Join Us!
