Forum Discussion
bzness (Aspirant)
Oct 01, 2017
VPN between 2 netgear routers keeps dropping
I have 2 networks that are connected with a VPN tunnel through 2 Netgear firewalls. One is an FVS318G (firmware 3.3.3-18), the other one is an SRX(something, can't check right now) 4-WAN box.
The system seems to work fine when I boot up the system. SA lifetime is set to 28,800, VPN lifetime to 3,600. What I see is that the IPsec-SA expires about every hour (curiously, it seems to be every 48 minutes instead of 60), and renews without a problem (SRX IP replaced with x.x.x.x, FVS IP replaced with y.y.y.y), read from bottom up:
2017 Sep 30 22:18:15 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel y.y.y.y->x.x.x.x with spi=167410498(0x9fa7b42)
2017 Sep 30 22:18:15 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel x.x.x.x->y.y.y.y with spi=189707140(0xb4eb384)
2017 Sep 30 22:18:14 [FVS318g] [IKE] Adjusting peer's encmode 3(3)->Tunnel(1)
2017 Sep 30 22:18:13 [FVS318g] [IKE] Adjusting encryption mode to use UDP encapsulation
2017 Sep 30 22:18:13 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel x.x.x.x -> y.y.y.y with spi=254519873(0xf2baa41)
2017 Sep 30 22:18:13 [FVS318g] [IKE] Initiating new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]
2017 Sep 30 22:18:13 [FVS318g] [IKE] Configuration found for x.x.x.x.
2017 Sep 30 22:18:13 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel y.y.y.y->x.x.x.x.81 with spi=80431225(0x4cb4879)
This goes well for about 8 hours, then something happens (read from bottom):
2017 Oct 1 05:43:42 [FVS318g] [IKE] Phase 2 negotiation failed due to time up. 1ce69af6753d0747:e27806f0e9ffc9b3:0000bd3d
2017 Oct 1 05:42:42 [FVS318g] [IKE] Adjusting encryption mode to use UDP encapsulation
2017 Oct 1 05:42:41 [FVS318g] [IKE] Initiating new phase 2 negotiation: y.y.y.y [0]<=>x.x.x.x[0]
2017 Oct 1 05:42:41 [FVS318g] [IKE] Configuration found for x.x.x.x.
2017 Oct 1 05:42:41 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.A.0/24<->192.168.B.1/24
2017 Oct 1 05:31:41 [FVS318g] [IKE] an undead schedule has been deleted: 'quick_i1prep'.
2017 Oct 1 05:31:41 [FVS318g] [IKE] Phase 2 negotiation failed due to time up. 1ce69af6753d0747:e27806f0e9ffc9b3:0000e782
2017 Oct 1 05:30:41 [FVS318g] [IKE] Adjusting encryption mode to use UDP encapsulation
2017 Oct 1 05:30:41 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel x.x.x.x ->y.y.y.y with spi=203378717(0xc1f501d)
2017 Oct 1 05:30:41 [FVS318g] [IKE] Initiating new phase 2 negotiation: y.y.y.y [0]<=> x.x.x.x [0]
2017 Oct 1 05:30:41 [FVS318g] [IKE] Configuration found for x.x.x.x.
2017 Oct 1 05:30:41 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel y.y.y.y->x.x.x.x with spi=158865058(0x97816a2)
2017 Oct 1 04:42:40 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel y.y.y.y-> x.x.x.x with spi=158865058(0x97816a2)
2017 Oct 1 04:42:40 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel x.x.x.x ->y.y.y.y with spi=203378717(0xc1f501d)
2017 Oct 1 04:42:39 [FVS318g] [IKE] Adjusting peer's encmode 3(3)->Tunnel(1)
2017 Oct 1 04:42:38 [FVS318g] [IKE] Adjusting encryption mode to use UDP encapsulation
2017 Oct 1 04:42:38 [FVS318g] [IKE] Initiating new phase 2 negotiation: y.y.y.y [0]<=> x.x.x.x [0]
2017 Oct 1 04:42:37 [FVS318g] [IKE] purging spi=57371427.
2017 Oct 1 04:42:37 [FVS318g] [IKE] purging spi=133169040.
2017 Oct 1 04:42:37 [FVS318g] [IKE] Sending Informational Exchange: notify payload[608]
2017 Oct 1 04:42:37 [FVS318g] [IKE] ISAKMP-SA established for y.y.y.y [4500]- x.x.x.x [4500] with spi:1ce69af6753d0747:e27806f0e9ffc9b3
2017 Oct 1 04:42:36 [FVS318g] [IKE] port changed !!
2017 Oct 1 04:42:36 [FVS318g] [IKE] for debugging :: changing ports
2017 Oct 1 04:42:36 [FVS318g] [IKE] NAT detected: ME
2017 Oct 1 04:42:36 [FVS318g] [IKE] NAT-D payload matches for x.x.x.x [500]
2017 Oct 1 04:42:36 [FVS318g] [IKE] NAT-D payload does not match for y.y.y.y [500]
2017 Oct 1 04:42:36 [FVS318g] [IKE] Received Vendor ID: KAME/racoon
2017 Oct 1 04:42:36 [FVS318g] [IKE] For x.x.x.x [500], Selected NAT-T version: RFC XXXX
2017 Oct 1 04:42:36 [FVS318g] [IKE] Received Vendor ID: KAME/racoon
2017 Oct 1 04:42:36 [FVS318g] [IKE] DPD is Enabled
2017 Oct 1 04:42:36 [FVS318g] [IKE] Received Vendor ID: DPD
2017 Oct 1 04:42:36 [FVS318g] [IKE] Received Vendor ID: RFC XXXX
2017 Oct 1 04:42:36 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel x.x.x.x ->y.y.y.y with spi=57371427(0x36b6b23)
2017 Oct 1 04:42:36 [FVS318g] [IKE] Setting DPD Vendor ID
2017 Oct 1 04:42:36 [FVS318g] [IKE] Beginning Identity Protection mode.
2017 Oct 1 04:42:36 [FVS318g] [IKE] Initiating new phase 1 negotiation: y.y.y.y[500]<=> x.x.x.x [500]
2017 Oct 1 04:42:36 [FVS318g] [IKE] Configuration found for x.x.x.x.
2017 Oct 1 04:42:36 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel y.y.y.y-> x.x.x.x with spi=133169040(0x7efff90)
2017 Oct 1 04:42:07 [FVS318g] [IKE] ISAKMP-SA deleted for y.y.y.y [4500]-23. x.x.x.x [4500] with spi:8951ffda21c9f288:ec5ee6a099d8921d
2017 Oct 1 04:42:06 [FVS318g] [IKE] Sending Informational Exchange: delete payload[]
2017 Oct 1 04:42:06 [FVS318g] [IKE] ISAKMP-SA expired y.y.y.y [4500]- x.x.x.x [4500] spi:8951ffda21c9f288:ec5ee6a099d8921d
And from there on out the log shows an entry every minute like this:
2017 Oct 1 05:43:42 [FVS318g] [IKE] Phase 2 negotiation failed due to time up. 1ce69af6753d0747:e27806f0e9ffc9b3:0000bd3d
2017 Oct 1 05:42:42 [FVS318g] [IKE] Adjusting encryption mode to use UDP encapsulation
2017 Oct 1 05:42:41 [FVS318g] [IKE] Initiating new phase 2 negotiation: y.y.y.y [0]<=>x.x.x.x[0]
2017 Oct 1 05:42:41 [FVS318g] [IKE] Configuration found for x.x.x.x.
2017 Oct 1 05:42:41 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.A.0/24<->192.168.B.1/24
2017 Oct 1 05:31:41 [FVS318g] [IKE] an undead schedule has been deleted: 'quick_i1prep'.
I have set both firewalls to the same time servers (0.pool.ntp.org and one from netgear).
The SRX has a fixed IP address, the FVS318G has a dynamic IP address (but I "fixed" it through no-ip.org, and as far as I have seen, it has changed perhaps a few times in the last year).
What I find curious is that in the error section that is repeated every minute, the log suddenly lists internal IP addresses (and why is one an address with a 0 at the end and one with a 1?):
2017 Oct 1 05:42:41 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.A.0/24<->192.168.B.1/24
(I replaced the segments that I use on the two networks with A and B).
I am stumped. Can anybody give me some pointers where to look next?
Thanks.
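The question above is really a log-analysis problem: the router UI lists entries newest first, the rekey interval has to be measured by hand, and the failure signature is "ISAKMP-SA established, then Phase 2 negotiation failed every minute". The following Python script is an added example (not from the post and not NETGEAR code) that parses lines in the FVS318G format shown above, sorts them oldest-first, measures the gap between successive IPsec-SA establishments, and reports whether Phase 1 is up while Phase 2 keeps failing. The `SAMPLE_LOG` is constructed from the message shapes in the post (the 03:54:40 line is invented to give a measurable interval); the helper names are mine.

```python
"""Parse FVS318G-style IKE log lines and judge the state of a box-to-box tunnel.

Added example, not NETGEAR code. The line shape and message texts follow the post
above; SAMPLE_LOG below is constructed from that pattern (newest first, like the UI).
"""
import re
from datetime import datetime

# "2017 Oct 1 05:43:42 [FVS318g] [IKE] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<device>[^\]]+)\] \[(?P<facility>[^\]]+)\] (?P<msg>.*)$"
)

# Constructed sample: a Phase 1 (ISAKMP) SA comes up, one Phase 2 SA is built,
# then every later Phase 2 attempt times out.
SAMPLE_LOG = """\
2017 Oct 1 05:43:42 [FVS318g] [IKE] Phase 2 negotiation failed due to time up. 1ce69af6753d0747:e27806f0e9ffc9b3:0000bd3d_
2017 Oct 1 05:42:41 [FVS318g] [IKE] Initiating new phase 2 negotiation: y.y.y.y[0]<=>x.x.x.x[0]_
2017 Oct 1 05:31:41 [FVS318g] [IKE] Phase 2 negotiation failed due to time up. 1ce69af6753d0747:e27806f0e9ffc9b3:0000e782_
2017 Oct 1 05:30:41 [FVS318g] [IKE] Initiating new phase 2 negotiation: y.y.y.y [0]<=> x.x.x.x [0]_
2017 Oct 1 05:30:41 [FVS318g] [IKE] IPsec-SA expired: ESP/Tunnel y.y.y.y->x.x.x.x with spi=158865058(0x97816a2)_
2017 Oct 1 04:42:40 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel y.y.y.y-> x.x.x.x with spi=158865058(0x97816a2)_
2017 Oct 1 04:42:37 [FVS318g] [IKE] ISAKMP-SA established for y.y.y.y [4500]- x.x.x.x [4500] with spi:1ce69af6753d0747:e27806f0e9ffc9b3_
2017 Oct 1 03:54:40 [FVS318g] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel y.y.y.y->x.x.x.x with spi=133169040(0x7efff90)_
"""


def parse_line(line):
    """Return (timestamp, device, facility, message), or None if the line is not an IKE entry.
    The trailing "_" that the forum copy-paste left on every line is tolerated."""
    m = LINE_RE.match(line.strip().rstrip("_"))
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y %b %d %H:%M:%S")
    return ts, m.group("device"), m.group("facility"), m.group("msg")


def parse_log(text):
    """Parse every line and return the events oldest-first (the router UI shows newest first)."""
    events = [e for e in map(parse_line, text.splitlines()) if e is not None]
    return sorted(events, key=lambda e: e[0])  # stable: same-second lines keep their order


def rekey_intervals(events, direction="y.y.y.y->x.x.x.x"):
    """Seconds between successive 'IPsec-SA established' events for one ESP direction.
    Comparing these with the configured IPsec SA lifetime shows when the peers really
    renegotiate (the post saw about 48 minutes against a 3600 s setting)."""
    wanted = direction.replace(" ", "")  # the log is inconsistent about spaces around "->"
    times = [ts for ts, _, _, msg in events
             if msg.startswith("IPsec-SA established") and wanted in msg.replace(" ", "")]
    return [int((later - earlier).total_seconds()) for earlier, later in zip(times, times[1:])]


def tunnel_state(events, failure_limit=2):
    """Count Phase 2 failures since the last IPsec-SA and note whether a Phase 1 SA is up.
    'Phase 1 up, Phase 2 failing' points at Phase 2 settings (traffic selectors, proposals)
    rather than at authentication or reachability."""
    last_ok = last_ts = None
    failures = 0
    phase1_up = False
    for ts, _, _, msg in events:
        last_ts = ts
        if msg.startswith("IPsec-SA established"):
            last_ok, failures = ts, 0
        elif msg.startswith("Phase 2 negotiation failed"):
            failures += 1
        elif msg.startswith("ISAKMP-SA established"):
            phase1_up = True
        elif msg.startswith(("ISAKMP-SA expired", "ISAKMP-SA deleted")):
            phase1_up = False
    age = None if last_ok is None else int((last_ts - last_ok).total_seconds() // 60)
    down = failures >= failure_limit
    if down and phase1_up:
        hint = "Phase 1 up but Phase 2 keeps failing: compare Phase 2 local/remote subnets and proposals on both ends"
    elif down:
        hint = "Phase 1 is not up: check IKE settings, reachability and DPD"
    else:
        hint = "tunnel renegotiating normally"
    return {
        "phase2_failures_since_last_sa": failures,
        "minutes_since_last_ipsec_sa": age,
        "phase1_up": phase1_up,
        "tunnel_down": down,
        "hint": hint,
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rekey intervals (s):", rekey_intervals(evs))
    for key, value in tunnel_state(evs).items():
        print(f"{key}: {value}")
```

Paste the router's VPN log into `SAMPLE_LOG` (or read it from a file) and run the script; the interval list shows the real rekey cadence, and the hint separates a Phase 1 problem from a Phase 2 one, which is the split that decides whether to look at IKE settings or at the subnet/proposal configuration.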
9 Replies
- DaneA (NETGEAR Employee, Retired)
Hi bzness,
Kindly try to change the SA Lifetime. Let me share these old forum links below that might help as reference:
SA Lifetime Guidelines for VPN Setup
If ever it does not help, delete the existing IKE and VPN policies. Then, use the VPN Wizard to set up a box-to-box VPN between the FVS318G and SRX5308. Refer to the link below as reference guide:
Configuring a Box to Box VPN on ProSAFE/ProSECURE routers using the VPN Wizard
Regards,
DaneA
NETGEAR Community Team
- bzness (Aspirant)
Thanks.
I will check out the SA lifetimes and if that doesn't work, try to delete and set up the VPN again.
Right now it seems the VPN is stable (after I played around with the IP segments in the VPN setup). They are both set to 192.168.x.0, with the selection set to "segment".
The weird thing is that the VPN is established, but I have access to the resources at site A from site B, but not the other way around. Perhaps I need to reboot both routers ???
- bzness (Aspirant)
Ok, so I think I have found a solution and also another problem :-(
First the solution: I followed DaneA's advice, deleted the VPN policies and set them up again with the Wizard. Worked, but every time, after a while the connection would drop. I looked at the VPN logs, and I think I know what is going on, but not sure what the solution is.
In order to have control of both routers at the same time (I can't be in two locations at the same time), I decided to log into one of the routers through my iPhone (L2TP). I then went to the other site and did the wizard thing there as well.
The VPN connection was established ... and then dropped after a few minutes. In the VPN log I saw this time that another VPN channel was established (not the one between the two routers). And since I was the only one on the system, that would have to be the VPN connection to my cell phone (iPhone).
It therefore seems that the VPN tunnel between the 2 routers is stable until my iPhone breaks it. Is that possible? Can the router not maintain 2 different VPN tunnels at the same time? Why would the 2 tunnels interfere?
The reason why I have the iPhone VPN in the first place is that when I am on the road I want to be able to tether my laptop to my iPhone and get access to the network (if I am not in WiFi range). That used to work fine until Apple in their infinite wisdom dropped PPTP, and will not even let a device use the iPhone to use PPTP. The only option seems to be L2TP, which then breaks my box-to-box VPN.
Any solutions for this?
- DaneA (NETGEAR Employee, Retired)
I believe you are referring to the SRX5308 having both box-to-box IPSec VPN with the FVS318G and L2TP VPN on your iPhone at the same time. The SRX5308 should be able to handle both VPN connections. Both VPN connections are dependent on the subscribed bandwidth with your ISP.
Kindly check this. The network address of both LANs of the SRX5308 and FVS318G should be different from each other. For example, if the LAN network address of the SRX5308 is 192.168.1.0, the LAN network address of the FVS318G should be 192.168.9.0 or 10.10.10.0. Also, the starting/ending IP address configured on the L2TP server of the SRX5308 should be different from the LAN IP address of both LANs of the SRX5308 and FVS318G.
Regards,
DaneA
NETGEAR Community Team
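DaneA's two conditions (distinct LAN networks on the two routers, and an L2TP address pool that lies outside both LANs) can be checked before touching either router. The script below is an added example, not part of DaneA's reply and not NETGEAR code. It uses Python's standard `ipaddress` module, and additionally flags a subnet entered with host bits set (the "192.168.B.1/24" shape in the original log), which is not one of DaneA's conditions but is the kind of entry that a strict parser rejects. The function and parameter names and every address below are mine and constructed.

```python
"""Sanity-check the addressing plan for a box-to-box IPsec VPN plus an L2TP server.

Added example, not NETGEAR code. Encodes DaneA's conditions: the two LAN networks
must differ, and the L2TP address pool must not fall inside either LAN. Also reports
a subnet written with host bits set, since the correct network address is what the
Phase 2 traffic selector should carry. All addresses used here are constructed.
"""
import ipaddress


def normalize_network(cidr):
    """Return (network, had_host_bits). '192.168.2.1/24' is not a network address; strict
    parsing rejects it, so fall back to a loose parse and report the real network."""
    try:
        return ipaddress.ip_network(cidr, strict=True), False
    except ValueError:
        return ipaddress.ip_network(cidr, strict=False), True


def pool_overlaps(start, end, net):
    """True if any address in the inclusive range start..end lies inside net."""
    return start <= net.broadcast_address and end >= net.network_address


def check_vpn_addressing(srx_lan, fvs_lan, l2tp_start, l2tp_end):
    """Return a list of findings; an empty list means the plan passes every check."""
    findings = []
    nets = {}
    for name, cidr in (("SRX5308 LAN", srx_lan), ("FVS318G LAN", fvs_lan)):
        net, had_host_bits = normalize_network(cidr)
        if had_host_bits:
            findings.append(f"{name} is written as {cidr}; the network address is {net}")
        nets[name] = net

    # Condition 1: the two LANs must be different (non-overlapping) networks.
    if nets["SRX5308 LAN"].overlaps(nets["FVS318G LAN"]):
        findings.append(f"LAN networks overlap: {nets['SRX5308 LAN']} and {nets['FVS318G LAN']}")

    # Condition 2: the L2TP client pool must sit outside both LANs.
    start, end = ipaddress.ip_address(l2tp_start), ipaddress.ip_address(l2tp_end)
    if start > end:
        findings.append(f"L2TP pool start {start} is after end {end}")
        start, end = end, start
    for name, net in nets.items():
        if pool_overlaps(start, end, net):
            findings.append(f"L2TP pool {start}-{end} overlaps {name} {net}")
    return findings


if __name__ == "__main__":
    # Constructed plans: the first follows DaneA's example, the second violates every check.
    for plan in (("192.168.1.0/24", "192.168.9.0/24", "192.168.50.1", "192.168.50.10"),
                 ("192.168.1.0/24", "192.168.1.1/24", "192.168.1.200", "192.168.1.210")):
        print(plan, "->", check_vpn_addressing(*plan) or "OK")
```

Feed it the SRX5308 LAN, the FVS318G LAN and the L2TP server's start/end addresses as they are actually entered in the two web UIs; any finding is a configuration to correct before re-running the VPN wizard.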