brianstorm (Aspirant)
May 05, 2017
VPN Tunnel Connects but No Traffic Over LTE Connection
Hi,
I'm trying to connect a Windows Pro 7 laptop running ProSAFE VPN Client Professional to an FVS338. The FVS338 is behind a DG834 router and I can successfully connect if I take the laptop home and use my ADSL connection there, however I would like to be able to connect using a 3G/4G LTE router, for mobile connections. It seems that the same working configuration connects over LTE but there is no traffic, I can't ping, or access any devices behind the FVS338 (where I can from home).
I am reasonably stumped now. I have tried switching between 3g and 4g connection, which is on the giffgaff / 02 network in the UK. The connection does provide internet access and the router has VPN pass through enabled. The remote client is getting a mode config assigned IP address via both methods.
Below is the FVS338 router log which covers a successful connection over ADSL (dated May 4th) and the unsuccessful (although tunnel connected) connection from May 5th. Can anyone offer any advice on what I may try next?
- Last output repeated twice -
2017 May 5 11:28:01 [FVS338] [IKE] Received unknown Vendor ID_
2017 May 5 11:28:01 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2017 May 5 11:28:01 [FVS338] [IKE] Received unknown Vendor ID_
2017 May 5 11:28:01 [FVS338] [IKE] Beginning Aggressive mode._
2017 May 5 11:28:01 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.0.75[500]<=>82.132.233.187[627]_
2017 May 5 11:28:01 [FVS338] [IKE] Remote configuration for identifier "fvs_remote.com" found_
2017 May 5 11:28:01 [FVS338] [IKE] 192.168.30.1 IP address has been released by remote peer._
2017 May 5 11:28:01 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.0.75[4500]-82.132.233.187[19603] with spi:c619a4cdd2e57491:fd11cdf233cfb7ee_
2017 May 5 11:28:00 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=c619a4cdd2e57491:fd11cdf233cfb7ee._
2017 May 5 11:27:48 [FVS338] [IKE] DPD R-U-THERE-ACK sent to "82.132.233.187[19603]"_
2017 May 5 11:27:48 [FVS338] [IKE] DPD R-U-THERE received from "82.132.233.187[19603]"_
2017 May 5 11:27:17 [FVS338] [IKE] DPD R-U-THERE-ACK sent to "82.132.233.187[19603]"_
2017 May 5 11:27:17 [FVS338] [IKE] DPD R-U-THERE received from "82.132.233.187[19603]"_
2017 May 5 11:26:49 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->19603]: ESP/Tunnel 192.168.0.75->82.132.233.187 with spi=2575272257(0x997f8941)_
2017 May 5 11:26:49 [FVS338] [IKE] IPsec-SA established[UDP encap 19603->4500]: ESP/Tunnel 82.132.233.187->192.168.0.75 with spi=36488848(0x22cc690)_
2017 May 5 11:26:48 [FVS338] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_
2017 May 5 11:26:47 [FVS338] [IKE] No policy found, generating the policy : 192.168.30.1/32[0] 192.168.10.0/24[0] proto=any dir=in_
2017 May 5 11:26:47 [FVS338] [IKE] Using IPsec SA configuration: 192.168.10.1/24<->192.168.30.0/24_
2017 May 5 11:26:47 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.0.75[0]<=>82.132.233.187[0]_
2017 May 5 11:26:47 [FVS338] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2017 May 5 11:26:47 [FVS338] [IKE] ISAKMP-SA established for 192.168.0.75[4500]-82.132.233.187[19603] with spi:c619a4cdd2e57491:fd11cdf233cfb7ee_
2017 May 5 11:26:47 [FVS338] [IKE] 192.168.30.1 IP address is assigned to remote peer 82.132.233.187[19603]_
2017 May 5 11:26:47 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2017 May 5 11:26:47 [FVS338] [IKE] NAT-D payload does not match for 82.132.233.187[19603]_
2017 May 5 11:26:47 [FVS338] [IKE] NAT-D payload does not match for 192.168.0.75[4500]_
2017 May 5 11:26:47 [FVS338] [IKE] Floating ports for NAT-T with peer 82.132.233.187[19603]_
2017 May 5 11:26:47 [FVS338] [IKE] Setting DPD Vendor ID_
2017 May 5 11:26:46 [FVS338] [IKE] For 82.132.233.187[627], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2017 May 5 11:26:46 [FVS338] [IKE] DPD is Enabled_
2017 May 5 11:26:46 [FVS338] [IKE] Received Vendor ID: DPD_
- Last output repeated twice -
2017 May 5 11:26:46 [FVS338] [IKE] Received unknown Vendor ID_
2017 May 5 11:26:46 [FVS338] [IKE] Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02__
2017 May 5 11:26:46 [FVS338] [IKE] Received unknown Vendor ID_
2017 May 5 11:26:46 [FVS338] [IKE] Beginning Aggressive mode._
2017 May 5 11:26:46 [FVS338] [IKE] Received request for new phase 1 negotiation: 192.168.0.75[500]<=>82.132.233.187[627]_
2017 May 5 11:26:46 [FVS338] [IKE] Remote configuration for identifier "fvs_remote.com" found_
2017 May 5 11:05:57 [FVS338] [IKE] Could not find configuration for 71.6.167.142[500]_
2017 May 5 01:42:32 [FVS338] [IKE] Could not find configuration for 216.218.206.66[62517]_
2017 May 5 00:48:15 [FVS338] [IKE] 192.168.30.1 IP address has been released by remote peer._
2017 May 5 00:48:15 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.0.75[4500]-82.132.244.237[49809] with spi:03a55f0cdcead227:febb7dc817284e05_
2017 May 5 00:48:14 [FVS338] [IKE] Sending Informational Exchange: delete payload[]_
2017 May 5 00:48:14 [FVS338] [IKE] ISAKMP-SA expired 192.168.0.75[4500]-82.132.244.237[49809] spi:03a55f0cdcead227:febb7dc817284e05_
2017 May 4 18:57:37 [FVS338] [IKE] IPsec-SA expired: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=97374627(0x5cdd1a3)_
2017 May 4 18:54:22 [FVS338] [IKE] IPsec-SA expired: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=43099881(0x291a6e9)_
2017 May 4 18:41:52 [FVS338] [IKE] 192.168.30.2 IP address has been released by remote peer._
2017 May 4 18:41:52 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.0.75[4500]-95.145.99.146[4500] with spi:62bd7c46892d0fe9:e806e79130c7e000_
2017 May 4 18:41:51 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=62bd7c46892d0fe9:e806e79130c7e000._
2017 May 4 18:41:51 [FVS338] [IKE] Purged IPsec-SA with proto_id=ESP and spi=1865101597(0x6f2b311d)._
2017 May 4 18:41:51 [FVS338] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._
2017 May 4 18:41:51 [FVS338] [IKE] Deleting generated policy for 95.145.99.146[0]_
2017 May 4 18:41:36 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.0.75->95.145.99.146 with spi=1865101597(0x6f2b311d)_
2017 May 4 18:41:36 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=97374627(0x5cdd1a3)_
2017 May 4 18:41:36 [FVS338] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_
2017 May 4 18:41:35 [FVS338] [IKE] No policy found, generating the policy : 192.168.30.2/32[0] 192.168.10.0/24[0] proto=any dir=in_
2017 May 4 18:41:35 [FVS338] [IKE] Using IPsec SA configuration: 192.168.10.1/24<->192.168.30.0/24_
2017 May 4 18:41:35 [FVS338] [IKE] Responding to new phase 2 negotiation: 192.168.0.75[0]<=>95.145.99.146[0]_
2017 May 4 18:41:35 [FVS338] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2017 May 4 18:41:35 [FVS338] [IKE] ISAKMP-SA established for 192.168.0.75[4500]-95.145.99.146[4500] with spi:62bd7c46892d0fe9:e806e79130c7e000_
2017 May 4 18:41:35 [FVS338] [IKE] 192.168.30.2 IP address is assigned to remote peer 95.145.99.146[4500]_
2017 May 4 18:41:35 [FVS338] [IKE] NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device_
2017 May 4 18:41:35 [FVS338] [IKE] NAT-D payload does not match for 95.145.99.146[4500]_
2017 May 4 18:41:35 [FVS338] [IKE] NAT-D payload does not match for 192.168.0.75[4500]_
2017 May 4 18:41:35 [FVS338] [IKE] Floating ports for NAT-T with peer 95.145.99.146[4500]_
2017 May 4 18:41:35 [FVS338] [IKE] Setting DPD Vendor ID_
2017 May 4 18:41:34 [FVS338] [IKE] For 95.145.99.146[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2017 May 4 18:41:34 [FVS338] [IKE] DPD is Enabled_
2017 May 4 18:41:34 [FVS338] [IKE] Received Vendor ID: DPD_
- Last output repeated twice -
thanks in advance!
9 Replies
- DaneA (NETGEAR Employee Retired)
Hi brianstorm,
Welcome to the community! :)
Kindly answer the questions below:
a. As I understand your initial post, I assume that the FVS338 behind the DG834 is located somewhere (possibly at work) and you are able to establish a VPN connection just fine using your laptop with your ADSL connection at home, am I correct?
b. Since you mentioned that the FVS338 is behind the DG834, is the DG834 set as a modem-only device (configured as bridge mode) making the FVS338 the main router?
c. Is the internet service provider (ISP) on your 3G/4G LTE router the same as the ISP where the FVS338 is deployed?
d. Is the LAN subnet on the FVS338 different from the LAN subnet on the 3G/4G LTE router? For example: the LAN subnet on the FVS338 is 192.168.1.0 and the LAN subnet on the 3G/4G LTE router is 10.10.10.0.
Regards,
DaneA
NETGEAR Community Team
- brianstorm (Aspirant)
Hi,
thanks for the response, I've added my answers below your questions...
a. As I understand your initial post, I assume that the FVS338 behind the DG834 is located somewhere (possibly at work) and you are able to establish a VPN connection just fine using your laptop with your ADSL connection at home, am I correct?
** Yes, the FVS338 is at work, and I was able to establish a VPN connection from my home over an ADSL connection
b. Since you mentioned that the FVS338 is behind the DG834, is the DG834 set as a modem-only device (configured as bridge mode) making the FVS338 the main router?
** the DG834 is our main office modem/router and I have set up the FVS338 behind it, with the WAN port connected to the DG834 system. I had to open an extra port on the DG834 to get the connection working, VPN traffic is passed on to the FVS338
c. Is the internet service provider (ISP) on your 3G/4G LTE router the same as the ISP where the FVS338 is deployed?
** the LTE, my home ADSL, and work ADSL all use different ISPs (giffgaff on 02, ee, and bt respectively)
d. Is the LAN subnet on the FVS338 different from the LAN subnet on the 3G/4G LTE router? For example: the LAN subnet on the FVS338 is 192.168.1.0 and the LAN subnet on the 3G/4G LTE router is 10.10.10.0.
** the DHCP LAN side of the LTE router is assigning addresses in the range 192.168.1.x
the fvs338 dhcp lan addresses are in the range 192.168.10.x
the mode config setup of the fvs338 is assigning addresses 192.168.30.x and it appears that the laptop receives an address in this range when the vpn connects
- brianstorm (Aspirant)
I've had a look at the log files comparing a successful connection, and an open VPN with no traffic, and it seems that this (marked with asterisks) is where the logs differ, the successful ADSL connection moves into a DPD _R-U-THERE series of acknowledgements
2017 May 4 18:54:22 [FVS338] [IKE] IPsec-SA expired: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=43099881(0x291a6e9)_
2017 May 4 18:41:52 [FVS338] [IKE] 192.168.30.2 IP address has been released by remote peer._
2017 May 4 18:41:52 [FVS338] [IKE] ISAKMP-SA deleted for 192.168.0.75[4500]-95.145.99.146[4500] with spi:62bd7c46892d0fe9:e806e79130c7e000_
2017 May 4 18:41:51 [FVS338] [IKE] Purged ISAKMP-SA with proto_id=ISAKMP and spi=62bd7c46892d0fe9:e806e79130c7e000._
2017 May 4 18:41:51 [FVS338] [IKE] Purged IPsec-SA with proto_id=ESP and spi=1865101597(0x6f2b311d)._
2017 May 4 18:41:51 [FVS338] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._
**********2017 May 4 18:41:51 [FVS338] [IKE] Deleting generated policy for 95.145.99.146[0]_ **************************
2017 May 4 18:41:36 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.0.75->95.145.99.146 with spi=1865101597(0x6f2b311d)_
2017 May 4 18:41:36 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 95.145.99.146->192.168.0.75 with spi=97374627(0x5cdd1a3)_
2017 May 4 18:41:36 [FVS338] [IKE] Adjusting peer's encmode 61443(61443)->Tunnel(1)_
2017 May 4 18:41:35 [FVS338] [IKE] No policy found, generating the policy : 192.168.30.2/32[0] 192.168.10.0/24[0] proto=any dir=in_
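
Added example, not part of the original posts: a small Python parser that puts the two sessions from the FVS338 log side by side, showing the peer's IKE and NAT-T source ports as the router saw them. The sample lines are excerpted from the log posted in this thread; the function names `summarize` and `remapped_peers` are assumptions of this example.

```python
import re

# Lines excerpted from the FVS338 log posted in this thread (newest first, as posted).
SAMPLE_LOG = """\
2017 May 5 11:26:49 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->19603]: ESP/Tunnel 192.168.0.75->82.132.233.187 with spi=2575272257(0x997f8941)_
2017 May 5 11:26:47 [FVS338] [IKE] 192.168.30.1 IP address is assigned to remote peer 82.132.233.187[19603]_
2017 May 5 11:26:47 [FVS338] [IKE] Floating ports for NAT-T with peer 82.132.233.187[19603]_
2017 May 5 11:26:46 [FVS338] [IKE] For 82.132.233.187[627], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
2017 May 4 18:41:36 [FVS338] [IKE] IPsec-SA established[UDP encap 4500->4500]: ESP/Tunnel 192.168.0.75->95.145.99.146 with spi=1865101597(0x6f2b311d)_
2017 May 4 18:41:35 [FVS338] [IKE] 192.168.30.2 IP address is assigned to remote peer 95.145.99.146[4500]_
2017 May 4 18:41:35 [FVS338] [IKE] Floating ports for NAT-T with peer 95.145.99.146[4500]_
2017 May 4 18:41:34 [FVS338] [IKE] For 95.145.99.146[500], Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02_
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
PHASE1 = re.compile(rf"For {IP}\[(\d+)\], Selected NAT-T version: (\S+)")
FLOAT = re.compile(rf"Floating ports for NAT-T with peer {IP}\[(\d+)\]")
ASSIGN = re.compile(rf"{IP} IP address is assigned to remote peer {IP}\[")
ESP = re.compile(rf"IPsec-SA established\[UDP encap (\d+)->(\d+)\]: ESP/Tunnel {IP}->{IP}")


def summarize(log_text):
    """Return {peer_ip: facts} for each IKE session found in the log."""
    peers = {}
    # The router lists newest entries first, so read the lines bottom-up.
    for line in reversed(log_text.splitlines()):
        line = line.rstrip("_ ")  # trailing "_" is forum paste residue
        if m := PHASE1.search(line):
            peers[m[1]] = {"ike_port": int(m[2]), "natt_version": m[3],
                           "natt_port": None, "client_ip": None, "esp_encap": []}
        elif (m := FLOAT.search(line)) and m[1] in peers:
            peers[m[1]]["natt_port"] = int(m[2])
        elif (m := ASSIGN.search(line)) and m[2] in peers:
            peers[m[2]]["client_ip"] = m[1]
        elif m := ESP.search(line):
            # The peer is whichever tunnel endpoint we already saw in phase 1.
            peer = m[4] if m[4] in peers else m[3]
            if peer in peers:
                peers[peer]["esp_encap"].append(f"{m[1]}->{m[2]}")
    return peers


def remapped_peers(summary):
    """Peers whose source ports differ from the standard 500 (IKE) / 4500 (NAT-T)."""
    return sorted(p for p, s in summary.items()
                  if s["ike_port"] != 500 or s["natt_port"] != 4500)


if __name__ == "__main__":
    for peer, facts in summarize(SAMPLE_LOG).items():
        print(peer, facts)
    print("source ports rewritten in transit:", remapped_peers(SAMPLE_LOG and summarize(SAMPLE_LOG)))
```

For the excerpt, the ADSL peer keeps ports 500 and 4500 while the LTE peer arrives from 627 and 19603, which is a difference between the two sessions that the router-side log records before any tunnel traffic is sent.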
- brianstorm (Aspirant)
Hi DaneA,
did you get a chance to read my responses? I'm still stuck on this and any help would be much appreciated...
Thanks in advance