yc16
Follower
Dec 05, 2016

IPSec VPN between two FVS318's - only one has a public IP address

Hi all,

 

I'm trying to connect a remote site to our main office over VPN, but I'm only given an internal IP address at the remote site. After doing some reading I found out it's possible to get IPSec VPN to work as long as the remote site with an internal IP address initiates the connection in aggressive mode.

 

As far as I can tell I've got everything configured as it should be, but it still doesn't work. What am I doing wrong?

 

Configuration from initiator side

 

http://imgur.com/a/Cj4m5

 

Initiator VPN logs

 

Mon Dec 05 17:10:04 2016 (GMT +0000): [FVS318N] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 162.xxx..xxx.xx[500]. cc42106ef5158cd2:0000000000000000
Mon Dec 05 17:10:01 2016 (GMT +0000): [FVS318N] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. ESP 162.xxx..xxx.xx->192.168.1.62 
Mon Dec 05 17:09:30 2016 (GMT +0000): [FVS318N] [IKE] INFO:  Configuration found for 162.xxx..xxx.xx.
Mon Dec 05 17:09:30 2016 (GMT +0000): [FVS318N] [IKE] INFO:  Configuration found for 162.xxx..xxx.xx.
Mon Dec 05 17:09:30 2016 (GMT +0000): [FVS318N] [IKE] INFO:  Using IPsec SA configuration: 192.168.56.0/24<->192.168.54.0/23
Mon Dec 05 17:08:46 2016 (GMT +0000): [FVS318N] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1. 
Mon Dec 05 17:08:46 2016 (GMT +0000): [FVS318N] [IKE] ERROR:  Invalid SA protocol type: 0
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 9
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 8
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:   [isakmp_agg.c:261]: XXX: setting vendorid: 4
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:   [isakmp_agg.c:257]: XXX: NUMNATTVENDORIDS: 3
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:  NAT-Traversal is Enabled
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:  Beginning Aggressive mode.
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.62[500]<=>162.xxx..xxx.xx[500]
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:  Configuration found for 162.xxx..xxx.xx.
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:  Configuration found for 162.xxx..xxx.xx.
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:  accept a request to establish IKE-SA: 162.xxx..xxx.xx

 

 

Configuration from responder side

 

http://imgur.com/a/1pSvl

1 Reply

  • Dan_Z
    NETGEAR Expert

    Hi yc16,

    Welcome to the community!

    I suggest using two public IP addresses to configure the IPsec VPN. I checked your configuration and found that the WAN IP addresses are mismatched.
    In your IKE policy configuration, the initiator side's local WAN IP and the responder side's remote WAN IP do not match:
    1. Initiator side [Local WAN: 192.168.1.62, Remote WAN: 162.x.x.x]
    2. Responder side [LAN WAN: 162.x.x.x, Remote WAN: 76.x.x.x]

    How to configure the IPsec VPN:
    1. Get the WAN IP addresses of the initiator side and the responder side:
    Initiator (WAN1-IP) --- (WAN2-IP) Responder
    2. Disable all VPN policies.
    3. Edit the initiator IKE policy: for Local WAN use WAN1-IP, for Remote WAN use WAN2-IP.
    Set the Remote Endpoint of the VPN policy to WAN2-IP.
    4. Edit the responder IKE policy: for Local WAN use WAN2-IP, for Remote WAN use WAN1-IP.
    Set the Remote Endpoint of the VPN policy to WAN1-IP.
    5. Enable all VPN policies, then connect the VPN.

    Thanks,
    Dan
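
Added example, not part of the original thread and not NETGEAR code: a Python script that triages initiator IKE logs in the format posted in the question, reporting for each timed-out phase 1 attempt whether the peer ever replied and whether the initiator's own address is private. The sample log is constructed from that format, with the documentation address 203.0.113.10 standing in for the masked peer; the function and field names are illustrative.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the log format shown in the question (newest entry first).
# 203.0.113.10 is a documentation address standing in for the masked peer.
SAMPLE_LOG = """\
Mon Dec 05 17:10:04 2016 (GMT +0000): [FVS318N] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 203.0.113.10[500]. cc42106ef5158cd2:0000000000000000
Mon Dec 05 17:08:46 2016 (GMT +0000): [FVS318N] [IKE] ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:  Beginning Aggressive mode.
Mon Dec 05 17:08:14 2016 (GMT +0000): [FVS318N] [IKE] INFO:  Initiating new phase 1 negotiation: 192.168.1.62[500]<=>203.0.113.10[500]
"""

STAMP = re.compile(r"^(\w{3} \w{3} \d{2} [\d:]{8} \d{4}) \(GMT.*?\[IKE\] \w+:\s+(.*)$")
START = re.compile(r"Initiating new phase 1 negotiation: ([\d.]+)\[\d+\]<=>([\d.]+)\[\d+\]")
FAIL = re.compile(r"Phase 1 negotiation failed due to time up for ([\d.]+)\[\d+\]\. "
                  r"([0-9a-f]{16}):([0-9a-f]{16})")

def triage(log_text):
    """Summarise each timed-out phase 1 attempt found in the log."""
    pending, mode, findings = {}, None, []
    # The device prints newest first, so walk the lines bottom-up.
    for raw in reversed(log_text.strip().splitlines()):
        m = STAMP.match(raw.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        msg = m.group(2)
        if "Beginning Aggressive mode" in msg:
            mode = "aggressive"
        elif START.search(msg):
            local, peer = START.search(msg).groups()
            pending[peer] = (when, local)
        elif FAIL.search(msg):
            peer, _init_cookie, resp_cookie = FAIL.search(msg).groups()
            started, local = pending.pop(peer, (None, None))
            findings.append({
                "peer": peer,
                "mode": mode,
                # The pair is initiator:responder cookie; an all-zero responder
                # cookie means no IKE reply was received from the peer.
                "peer_replied": int(resp_cookie, 16) != 0,
                # A private local address means the peer will typically see a
                # different (NAT) source address than the one configured here.
                "local_is_private": bool(local) and ipaddress.ip_address(local).is_private,
                "seconds_waited": (when - started).total_seconds() if started else None,
            })
    return findings
```

A finding with `peer_replied` false and `local_is_private` true matches the situation in this thread: the responder never answered, and its Remote WAN setting has to match the address it actually sees, not 192.168.1.62.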
