PeterBroersen
Feb 08, 2017 · Aspirant
SRX5308 VPN to FVS318v3
Does anybody know if it is possible to set up a VPN connection between a SRX5308 and a FVS318v3? I have successfully connected 2 FVS318v3's with VPN, but now 1 of them needs to be replaced because th...
PeterBroersen
Feb 09, 2017 · Aspirant
Hello Dan,
Thanks for your answer. But unfortunately: I already tried to use the wizard.
On the SRX5308 I see 'IPsec SA Not Established' on the Connection Status-tab.
And on the Monitoring-page on the tab 'VPN Logs':
Thu Feb 09 10:47:06 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for 83.***.***.69[500]. 6cf7de814b79cabb:cdc28d9e092f42f8
Thu Feb 09 10:46:58 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Ignore information because the message has no hash payload.
Thu Feb 09 10:46:52 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 12644 and total length 40.
Thu Feb 09 10:46:47 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 12644 and total length 40.
Thu Feb 09 10:46:42 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 12644 and total length 40.
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] ERROR: invalid ID payload.
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] WARNING: ID value mismatched.
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 192.168.178.51[500]<=>83.***.***.69[500]
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO: Configuration found for 83.***.***.69[500].
Thu Feb 09 10:46:26 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for 83.***.***.69[500]. 6d54b0ccf4b96a46:5db092d37e9b5e44
Thu Feb 09 10:46:18 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Ignore information because the message has no hash payload.
Thu Feb 09 10:46:13 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 807 and total length 40.
Thu Feb 09 10:46:08 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 807 and total length 40.
On the FVS318v3 VPN Status/Log:
[2017-02-09 11:43:26]<POLICY: VPN-GEIT> PAYLOADS: SA,PROP,TRANS,VID,VID
[2017-02-09 11:43:27]**** SENT OUT THIRD MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:27]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE
[2017-02-09 11:43:27]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:27]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE,VID
[2017-02-09 11:43:29]<ID PAYLOAD> Type = ID_IPV4_ADDR,ID Data=192.168.1.40
[2017-02-09 11:43:29]**** SENT OUT FIFTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:37]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:40]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:44]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:49]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2017-02-09 11:43:49]<POLICY: VPN-GEIT> PAYLOADS: DEL
[2017-02-09 11:43:49][==== IKE PHASE 1(to 217.***.***.31) START (initiator) ====]
[2017-02-09 11:43:49]**** SENT OUT FIRST MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:49]<POLICY: VPN-GEIT> PAYLOADS: SA,PROP,TRANS
[2017-02-09 11:43:49]**** RECEIVED SECOND MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:49]<POLICY: VPN-GEIT> PAYLOADS: SA,PROP,TRANS,VID,VID
[2017-02-09 11:43:50]**** SENT OUT THIRD MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:50]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE
[2017-02-09 11:43:50]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:50]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE,VID
[2017-02-09 11:43:52]<ID PAYLOAD> Type = ID_IPV4_ADDR,ID Data=192.168.1.40
[2017-02-09 11:43:52]**** SENT OUT FIFTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:57]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:44:07]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:44:12]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2017-02-09 11:44:12]<POLICY: VPN-GEIT> PAYLOADS: DEL
I hope this helps to solve the problem.
Additional information: On the same side as the SRX5308, there is still an old FVS318v3. If I configure the VPN on this firewall, the VPN is up in no time...
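A small triage script for the two logs in the post above, added here as an example and not written by anyone in the thread. It lines up the identifier the FVS318v3 log shows being sent with the peer address the SRX5308 log names, next to the 'ID value mismatched' warning. The log lines are copied from the post; the function names are hypothetical, and it assumes the remote address in the SRX5308's negotiation line is the one its IKE policy uses for the peer.

```python
import ipaddress
import re

# Log excerpts copied from the post above (addresses masked as posted).
SRX_LOG = """\
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] ERROR: invalid ID payload.
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] WARNING: ID value mismatched.
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 192.168.178.51[500]<=>83.***.***.69[500]
"""
FVS_LOG = """\
[2017-02-09 11:43:29]<ID PAYLOAD> Type = ID_IPV4_ADDR,ID Data=192.168.1.40
[2017-02-09 11:43:29]**** SENT OUT FIFTH MESSAGE OF MAIN MODE ****
"""

NEG_RE = re.compile(
    r"new phase 1 negotiation: ([\d.*]+)\[\d+\]<=>([\d.*]+)\[\d+\]")
ID_RE = re.compile(r"<ID PAYLOAD> Type = (\w+),ID Data=(\S+)")


def masked_equal(a, b):
    """Compare dotted quads octet by octet; a masked '***' octet matches anything."""
    pa, pb = a.split("."), b.split(".")
    return len(pa) == len(pb) and all(
        x == y or "*" in x or "*" in y for x, y in zip(pa, pb))


def triage(srx_log, fvs_log):
    """Collect the Phase 1 identity facts visible in both devices' logs."""
    neg = NEG_RE.search(srx_log)   # local<=>remote as seen by the SRX5308
    sent = ID_RE.search(fvs_log)   # ID payload the FVS318v3 put in message 5
    result = {
        "mismatch_logged": "ID value mismatched" in srx_log,
        "peer_addr": neg.group(2) if neg else None,
        "sent_id_type": sent.group(1) if sent else None,
        "sent_id": sent.group(2) if sent else None,
    }
    # Address comparison only makes sense for an IPv4-address identifier.
    if neg and sent and sent.group(1) == "ID_IPV4_ADDR":
        result["id_matches_peer_addr"] = masked_equal(sent.group(2), neg.group(2))
        result["sent_id_is_private"] = ipaddress.ip_address(sent.group(2)).is_private
    return result


if __name__ == "__main__":
    for key, value in triage(SRX_LOG, FVS_LOG).items():
        print(f"{key}: {value}")
```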
Dan_Z
Feb 09, 2017 · NETGEAR Expert
Hi PeterBroersen,
I'm sorry, I clicked "Accept as Solution" accidentally.
Could you compare the parameters of the IKE policy and VPN policy on the two boxes? Make sure all the parameters are the same except the IP address.
Thanks,
Dan
- PeterBroersen · Feb 09, 2017 · Aspirant
Hello Dan,
I checked and double-checked all the settings, four times. Everything is exactly the same.
Do you want to see any screenprints of something?
- SamirD · Feb 13, 2017 · Prodigy
Try changing things like dpd, keep alive, as well as phase one and phase two cryptos. I've not seen problems with netgear stuff connecting with each other, but have seen issues where certain combinations will not work between different brands. Could be a firmware bug and a similar issue causing issues here.
What are the two FVS318s' firmware revisions? Are they the same? I.e., is the one working on the same firmware as the one that isn't?
Also, you mentioned you replaced the 318 because it could not handle the bandwidth. How much did bandwidth increase to?
- HenrikA · Feb 13, 2017 · Tutor
Hi,
I am running VPN between different SRX and FVS devices and never had any problems. However, skip the wizard and set it up manually. When things have started to not work like this I have just deleted everything and started all over, which has solved the problem. Also, I use the VPN software Shrew Soft to access the firewalls from a single laptop on the road. Shrew Soft works in the same way as router-router, so check if you can connect to both routers by Shrew Soft-router. That is one way for problem solving.
-Henrik