Forum Discussion
thxbox1138
Mar 13, 2021 Aspirant
Site to Site tunnel working (only ping)
I have 2 BR200 routers at 2 locations. I set up a site-to-site IPsec VPN. The tunnel is green and I can ping IPs from either site back and forth. I cannot, however, map drives to my server from the remote site ...
MrJoshW
May 27, 2021 NETGEAR Employee Retired
Hello,
FW version 5.7.10.5 with the NAT loopback fix is now available for download:
Please note that WAN to LAN and LAN to WAN throughput is limited to 400Mbps when using this firmware.
https://kb.netgear.com/000063683/BR200-Firmware-Version-5-7-10-5-Supports-NAT-Loopback-Feature
nasgulch
May 28, 2021 Aspirant
Well, I still cannot get that tunnel green.
I may be confused about the local and remote subnet.
Since both BR200s are attached to an existing router which provides the internet connection, the WAN addresses of the BR200s are respectively
on a LAN subnet of that router: 192.168.1.0 (Office) and 192.168.20.0 (remote).
Both BR200s create their own LAN subnet: 192.168.11.0 (Office) and 192.168.21.0 (remote).
Which LAN subnet is to be used in the IPsec config?
Which ports shall be forwarded from the internet router? 500 and 4500 are the ones I used.
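The subnet and port-forwarding question above (two BR200s, each behind an upstream router that owns the internet uplink) can be checked mechanically. The script below is an added example and not part of the thread or of NETGEAR's firmware; the topology, WAN addresses and the function name plan_tunnel are constructed for illustration. It derives the traffic selectors from the BR200 LAN subnets, flags double NAT from a private WAN address, lists the UDP 500/4500 forwards each upstream router needs, and reports any overlapping subnets.

```python
import ipaddress
from itertools import combinations

# Constructed topology matching the thread: each BR200 sits behind an upstream
# router that provides the internet uplink, so the BR200 WAN address is itself
# private (double NAT). Host addresses are assumed for illustration.
SITES = {
    "office": {"upstream_lan": "192.168.1.0/24", "br200_wan": "192.168.1.50",
               "br200_lan": "192.168.11.0/24"},
    "remote": {"upstream_lan": "192.168.20.0/24", "br200_wan": "192.168.20.50",
               "br200_lan": "192.168.21.0/24"},
}
IKE_UDP_PORTS = (500, 4500)  # IKE and IPsec NAT-Traversal (UDP)


def plan_tunnel(sites):
    """Return IPsec selectors, required upstream forwards and any config errors."""
    errors, forwards, double_nat, nets = [], [], {}, {}
    for name, s in sites.items():
        upstream = ipaddress.ip_network(s["upstream_lan"])
        wan = ipaddress.ip_address(s["br200_wan"])
        lan = ipaddress.ip_network(s["br200_lan"])
        nets[f"{name}/upstream"] = upstream
        nets[f"{name}/lan"] = lan
        if wan not in upstream:
            errors.append(f"{name}: WAN {wan} is not inside upstream LAN {upstream}")
        # A private WAN address means the BR200 is behind another NAT device:
        # IKE must use NAT-T and the upstream router must forward UDP 500/4500.
        double_nat[name] = wan.is_private
        if wan.is_private:
            forwards += [(name, "udp", p, str(wan)) for p in IKE_UDP_PORTS]
    # Every subnet on the path must be distinct, or traffic is routed locally
    # instead of into the tunnel.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            errors.append(f"overlap: {a} {na} and {b} {nb}")
    # The selectors are the BR200 LAN subnets, not the upstream routers' LANs.
    selectors = {name: s["br200_lan"] for name, s in sites.items()}
    return {"selectors": selectors, "double_nat": double_nat,
            "forwards": forwards, "errors": errors}


if __name__ == "__main__":
    plan = plan_tunnel(SITES)
    for site, subnet in plan["selectors"].items():
        print(f"{site}: IPsec selector {subnet}")
    for site, proto, port, target in plan["forwards"]:
        print(f"{site}: forward {proto}/{port} -> {target} on the upstream router")
    for err in plan["errors"]:
        print("ERROR:", err)
```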
- MrJoshW May 28, 2021 NETGEAR Employee Retired
Hello,
Are both BR devices behind a router? If so, the issue would be double NAT and the route is not able to complete directly. Can you verify whether the tunnel does complete when both routers are not behind another router? You can follow the guide below to make sure your tunnel is correctly configured:
If the tunnel does come up after removing the other router we can troubleshoot the double NAT issue if needed.
- nasgulch May 29, 2021 Aspirant
Thanks for your input.
Yes, both are behind routers. Unfortunately I do not have the possibility of removing those, since they are the ones providing internet access.
The guide talks about that case on page 23:
Your router connects to another router in your network. Enter the IP address
and IP subnet mask for the LAN subnet of the other router. The gateway is the
same gateway that the other router is using for its LAN subnet.
I followed the guide for the setup.... I think. :-)
- MrJoshW Jun 01, 2021 NETGEAR Employee Retired
Hello,
Can you send me screenshots of the configuration on each side in a private message? I can take a look at it then.
- jj2021 Jun 02, 2021 Aspirant
Thanks for the offer, but it's already "resolved" by Netgear. It's a known issue that any recent firmware on this router won't do an IPsec tunnel to a Fortigate (and who knows how many other vendors). The "solution" is to make me sign a waiver of liability so they can send me a "beta" firmware (which, looking at the version numbering, is actually a fairly old firmware). They also made me sign an agreement that I won't send anyone else a copy of the firmware - so if you're having the same issue you need to call them [EDIT: I guess they got tired of handing it out and posted it, now you can get it from Downloads]. Their "fix" seems okay in theory, but there are two major drawbacks:
1. There were performance improvements in the newer firmwares that were needed in order to get anything close to the advertised speed, but the ancient version that they sent me to "solve" our problem won't go faster than about 45Mbps over IPsec.
2. The last two firmwares on the website mention security fixes, so I can logically see that previous versions must be vulnerable to something. But when I ask about this, they assure me that the "beta firmware" (old version) I was provided with has no known vulnerabilities. Yeah, I'll believe that when my poo turns purple and smells like rainbow sherbert.
So, the actual solution in our case is going to be purchasing a FortiGate or other reputable-brand device for that site and removing what was our first and will be our last Netgear.
- jj2021 Jun 02, 2021 Aspirant
What else is different about these firmware versions other than NAT loopback? When we were testing with the latest version before we rolled back, it was NOT a DNS issue at all. In fact, DNS and ping were the only things that DID work! Trying to open a remote desktop session would fail, regardless of whether a name or an IP address was used, despite ping working fine. The old firmware for NAT loopback works for us, but DNS wasn't our issue. So there is some other bug in the newer firmware that you haven't mentioned.
- MrJoshW Jun 02, 2021 NETGEAR Employee Retired
Hello,
The recently posted 5.7.10.5 is not a new firmware but is the most recent firmware that supports NAT loopback. In regards to your issue with the third-party router not supporting IPsec with the BR200, what is the model you are using?