I'm trying to set up a Site2Site VPN connection with IPSec, but it seems I'm running into some issues. Phase 1 and 2 are completed succesfully, according to the VPN logs, but still there is no network connection. Seems like firewall issue or something, but I cannot find it. I'll specify the details here:
My site:
Hardware: Netgear Prosafe FVS336Gv2
Firmware: 4.3.1.-18
Remote Site:
Hardware: Cisco ASA
Firmware: No idea
VPN Log:
Wed Oct 21 09:21:30 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: Adding IKE configuration with identifier "S2SVPN_Centric" Wed Oct 21 09:21:30 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: Adding IPSec configuration with identifier "S2SVPN_CentricIPSEC" Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: IKE configuration with identifier "S2SVPN_Centric" deleted sucessfully Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: an undead schedule has been deleted: 'purge_remote'. Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: Purged ISAKMP-SA with spi=58dd97e8f0a8f52b:360c6ee035209882. Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] WARNING: no phase2 bounded. Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: Purged ISAKMP-SA with proto_id=ISAKMP and spi=58dd97e8f0a8f52b:360c6ee035209882. Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: IPSec configuration with identifier "S2SVPN_CentricIPSEC" deleted sucessfully Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'. Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: purged IPsec-SA proto_id=ESP spi=65796120. Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: purged IPsec-SA proto_id=ESP spi=946730779. Wed Oct 21 09:21:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: Sending Informational Exchange: delete payload[] Wed Oct 21 04:48:27 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: [IPSEC_VPN] Purged IPsec-SA with proto_id=ESP and spi=437665354(0x1a163e4a). Wed Oct 21 04:48:23 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel *.*.*.*->*.*.*.* with spi=946730779(0x386df71b) Wed Oct 21 04:48:23 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel *.*.*.*->*.*.*.* with spi=65796120(0x3ebf818) Wed Oct 21 04:48:23 2015 (GMT +0200): [FVS336Gv2] [IKE] WARNING: attribute has been modified. Wed Oct 21 04:48:23 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: Initiating new phase 2 negotiation: *.*.*.*[500]<=>*.*.*.*[0] Wed Oct 21 04:48:23 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: Configuration found for *.*.*.*. Wed Oct 21 04:48:23 2015 (GMT +0200): [FVS336Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel *.*.*.*->*.*.*.* with spi=437665354(0x1a163e4a)
There is no need to mask the private IP's in the screenshots or logs. Without them it's impossible to see where the problem is. Only mask the public IP's partially.
You can zoom in and read them. I can also post them again with a large resolution, if that helps you.
The 'Inbound ANY Block Always Rule' is on a certain group of public IP's, not ANY.
The private IP's are a subnet, on both sides. I don't see why the problem should be there..
Problem is still present. I've seen the guides provided by DaneA and shared with the remote site operator, but there's nothing that we already tried. Trial-and-error with the documents is the next step, I think...
