Firewall FVS336Gv2 VPN Not Working

kenshipp
Tutor

I've seen some other discussions about VPN problems but nothing that quite describes my problem. I have a FVS336GV2 firewall that I'm trying to set up a site to site IPsec VPN connection with and I can't get it working. The firmware is admittedly old (3.0.7-24) but I'd prefer not to have to upgrade it if I can avoid it because I understand that version 4.x isn't compatible with a settings export from 3.x and would require me to reconfigure it completely from scratch.


The firewall at the other end of the VPN connection is a Zyxel USG40. Its VPN connection status shows as connected, and the Netgear at the office shows a connection status of "IPsec SA Established" but the connection does not actually work. I can't ping the opposite site from either end. It seemed to have worked briefly one day last week from the Zyxel end (I was able to ping and RDP to the office side immediately after I created the tunnel), but it stopped working sometime overnight. The typical VPN log entries I'm getting on the Netgear are as follows:


2017 Apr 10 08:16:40 [FVS336GV2] [IKE] DPD R-U-THERE-ACK received from "108.246.254.21[500]"
2017 Apr 10 08:16:40 [FVS336GV2] [IKE] DPD R-U-THERE sent to "108.246.254.21[500]"
2017 Apr 10 08:16:38 [FVS336GV2] [IKE] Cookie mismatch in DPD message for peer "108.246.254.21[500]"


Here are the IKE logs from the Zyxel:


# Time Priority Category Message Source Source Interface Destination Destination Interface Protocol Note
2 2017-04-10 09:28:13 info IKE Send:[HASH][NOTIFY:R_U_THERE_ACK] [count=2] 108.246.254.21:500   96.83.31.185:500     IKE_LOG
3 2017-04-10 09:28:13 info IKE The cookie pair is : 0xb6fb0682245be931 / 0x5b7f7cfac2d634bd [count=2] 108.246.254.21:500   96.83.31.185:500     IKE_LOG
4 2017-04-10 09:28:13 info IKE Recv:[HASH][NOTIFY:R_U_THERE] [count=2] 96.83.31.185:500   108.246.254.21:500     IKE_LOG


These same few log entries on both devices just keep repeating. I don't see any others that are relevant.


I've read that NAT and IPsec are incompatible and that NAT will break IPsec VPNs. Specifically, I saw the following in a CompTIA Security+ study guide: "IPsec and Network Address Translation (NAT) are not compatible with each other. NAT manipulates the IP header of the packets when it translates the IP addresses. This change causes the receiving end of the VPN tunnel to discard the packet as invalid. If the path to the VPN server is through a device using NAT, you need to look for alternatives. NAT Traversal (NAT-T) is one possible choice, or you could use another tunneling protocol."


However, according to the Netgear manual, "If you only have a single public Internet IP address, you MUST use NAT." I can find no other likely reason why both ends think they're connected but no traffic will pass through the tunnel. Nor can I find an explanation for why it appeared to work briefly. Is the above point about NAT valid? Is NAT-T an option? Or should I change the tunnel over to SSL VPN? The note above mentions a VPN server. If there's no separate VPN device, but the Netgear is serving both the VPN and NAT functions, is NAT still going to definitely cause a problem or not? Or could something else entirely be going on?


Thanks,


Ken

Model: FVS336Gv2|PROSAFE DUAL WAN GIGABIT FIREWALL WITH SSL & IPSEC VPN
Message 1 of 5
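The two devices log the same keepalive cycle in different formats, and the detail worth extracting is that the Netgear keeps rejecting the DPD message's ISAKMP cookies while the Zyxel keeps printing the cookie pair it believes is current. The script below is an added example, not tooling from Netgear or Zyxel: it parses both formats as quoted in the post, normalises them into one event vocabulary, and flags a loop in which DPD probes are answered but the cookies never reconcile and no Phase 1/2 renegotiation appears. Sample lines are constructed and use RFC 5737 documentation addresses (Netgear WAN 198.51.100.20, Zyxel WAN 192.0.2.10) instead of the real peers; reading the Zyxel `[count=N]` field as N collapsed repeats is an assumption.

```python
"""Triage IKE/DPD log lines from both ends of a site-to-site IPsec tunnel.

Added example, not tooling from Netgear or Zyxel. The regexes are modelled on the
two log formats quoted in the post; the sample lines are constructed and use
RFC 5737 documentation addresses (Netgear WAN 198.51.100.20, Zyxel WAN 192.0.2.10).
"""
import re
from collections import Counter

NETGEAR_RE = re.compile(
    r'^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) \[\S+\] \[IKE\] (?P<msg>.+)$')
ZYXEL_RE = re.compile(
    r'^\d+ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ IKE (?P<msg>.+?)'
    r'(?: \[count=(?P<count>\d+)\])? (?P<src>\S+)\s+(?P<dst>\S+)\s+IKE_LOG$')
IP_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')
COOKIE_RE = re.compile(r'(0x[0-9a-fA-F]+) / (0x[0-9a-fA-F]+)')

NETGEAR_SAMPLE = """\
2017 Apr 10 08:16:40 [FVS336GV2] [IKE] DPD R-U-THERE-ACK received from "192.0.2.10[500]"
2017 Apr 10 08:16:40 [FVS336GV2] [IKE] DPD R-U-THERE sent to "192.0.2.10[500]"
2017 Apr 10 08:16:38 [FVS336GV2] [IKE] Cookie mismatch in DPD message for peer "192.0.2.10[500]"
2017 Apr 10 08:15:40 [FVS336GV2] [IKE] DPD R-U-THERE-ACK received from "192.0.2.10[500]"
2017 Apr 10 08:15:40 [FVS336GV2] [IKE] DPD R-U-THERE sent to "192.0.2.10[500]"
2017 Apr 10 08:15:38 [FVS336GV2] [IKE] Cookie mismatch in DPD message for peer "192.0.2.10[500]"
2017 Apr 10 08:14:40 [FVS336GV2] [IKE] DPD R-U-THERE-ACK received from "192.0.2.10[500]"
2017 Apr 10 08:14:40 [FVS336GV2] [IKE] DPD R-U-THERE sent to "192.0.2.10[500]"
2017 Apr 10 08:14:38 [FVS336GV2] [IKE] Cookie mismatch in DPD message for peer "192.0.2.10[500]"
"""
# [count=N] is read as N collapsed repeats of the same message (assumption).
ZYXEL_SAMPLE = """\
2 2017-04-10 09:28:13 info IKE Send:[HASH][NOTIFY:R_U_THERE_ACK] [count=3] 192.0.2.10:500   198.51.100.20:500     IKE_LOG
3 2017-04-10 09:28:13 info IKE The cookie pair is : 0x0123456789abcdef / 0xfedcba9876543210 [count=3] 192.0.2.10:500   198.51.100.20:500     IKE_LOG
4 2017-04-10 09:28:13 info IKE Recv:[HASH][NOTIFY:R_U_THERE] [count=3] 198.51.100.20:500   192.0.2.10:500     IKE_LOG
"""
HEALTHY_SAMPLE = """\
2017 Apr 10 08:10:00 [FVS336GV2] [IKE] IPsec SA established with peer "192.0.2.10[500]"
2017 Apr 10 08:10:30 [FVS336GV2] [IKE] DPD R-U-THERE sent to "192.0.2.10[500]"
2017 Apr 10 08:10:30 [FVS336GV2] [IKE] DPD R-U-THERE-ACK received from "192.0.2.10[500]"
"""


def classify(msg: str) -> str:
    """Map a vendor-specific IKE message onto a small shared event vocabulary."""
    m = msg.lower()
    if 'cookie mismatch' in m:
        return 'cookie_mismatch'   # DPD notify names ISAKMP cookies (IKE SPIs) we do not hold
    if 'cookie pair' in m:
        return 'cookie_pair'       # Zyxel prints the cookies it believes are current
    if 'r_u_there_ack' in m or 'r-u-there-ack' in m:
        return 'dpd_ack'           # tested before the probe: the ACK string contains it
    if 'r_u_there' in m or 'r-u-there' in m:
        return 'dpd_probe'
    if 'sa established' in m or 'quick mode' in m or 'phase 2' in m:
        return 'sa_negotiation'    # evidence that Phase 1/2 is being (re)built
    return 'other'


def parse_netgear(text: str) -> list:
    """One event per line; peer is the address quoted in the message."""
    events = []
    for m in filter(None, (NETGEAR_RE.match(line.strip()) for line in text.splitlines())):
        ip = IP_RE.search(m['msg'])
        events.append({'ts': m['ts'], 'device': 'netgear', 'event': classify(m['msg']),
                       'peer': ip.group(0) if ip else None, 'cookies': None, 'n': 1})
    return events


def parse_zyxel(text: str) -> list:
    """One event per line, weighted by [count=N]; peer is the remote end of the packet."""
    events = []
    for m in filter(None, (ZYXEL_RE.match(line.strip()) for line in text.splitlines())):
        remote = m['src'] if m['msg'].startswith('Recv') else m['dst']
        c = COOKIE_RE.search(m['msg'])
        events.append({'ts': m['ts'], 'device': 'zyxel', 'event': classify(m['msg']),
                       'peer': remote.rsplit(':', 1)[0], 'cookies': c.groups() if c else None,
                       'n': int(m['count'] or 1)})
    return events


def assess(netgear_text: str, zyxel_text: str, min_cycles: int = 3) -> dict:
    """Flag a DPD loop in which keepalives are answered but the peers disagree on the IKE SA."""
    events = parse_netgear(netgear_text) + parse_zyxel(zyxel_text)
    counts = Counter()
    for e in events:
        counts[e['event']] += e['n']
    if counts['cookie_mismatch'] >= min_cycles and counts['sa_negotiation'] == 0:
        verdict = 'stale_ike_sa_suspected'     # one side holds a Phase 1 SA the other no longer has
    elif counts['dpd_probe'] >= min_cycles and counts['dpd_ack'] == 0:
        verdict = 'peer_not_answering_dpd'
    else:
        verdict = 'no_dpd_anomaly'
    return {'verdict': verdict, 'counts': dict(counts),
            'zyxel_cookie_pairs': sorted({e['cookies'] for e in events if e['cookies']}),
            'peers': sorted({e['peer'] for e in events if e['peer']})}
```

Calling `assess(NETGEAR_SAMPLE, ZYXEL_SAMPLE)` on the constructed data returns the `stale_ike_sa_suspected` verdict together with the cookie pair the Zyxel printed, which is the value to compare against the IKE SA the Netgear reports as established; a healthy tunnel whose logs contain an SA establishment line comes back as `no_dpd_anomaly`, and probes with no acknowledgement at all come back as `peer_not_answering_dpd`, which is a different problem (reachability or UDP 500 filtering) from the cookie disagreement in this thread.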
DaneA
NETGEAR Employee Retired

Re: Firewall FVS336Gv2 VPN Not Working

Hi kenshipp,

I have searched online about the Zyxel USG40 and found out from its user guide here that its default LAN subnet is 192.168.1.x. The default LAN subnet on the FVS336Gv2 is also 192.168.1.x. Because of this, you will not be able to fully establish a box-to-box VPN connection. You will need to change the LAN subnet of either the Zyxel USG40 or the FVS336Gv2 to a different one. For example, since the FVS336Gv2 has a LAN subnet of 192.168.1.x, you may change the LAN subnet of the Zyxel USG40 to 192.168.9.x or 10.10.10.x.

Let me share the articles below for you to use as reference guides:

Configuring a Box to Box VPN on ProSAFE/ProSECURE routers using the VPN Wizard

Virtual Private Networking Using IPsec

Hope this helps.

Regards,

DaneA

NETGEAR Community Team

Message 2 of 5
kenshipp
Tutor

Re: Firewall FVS336Gv2 VPN Not Working

Both LANs have been changed to different subnets long ago.

Thanks for the response.

Ken

Message 3 of 5
DaneA
NETGEAR Employee Retired

Re: Firewall FVS336Gv2 VPN Not Working

@kenshipp,

Thanks for the feedback. 🙂

Kindly check the SA Lifetime values. Let me share these old forum links below that might help as reference:

IPSec SA Lifetime Values

SA Lifetime Guidelines for VPN Setup

If that does not help, kindly post screenshots of the VPN settings (such as IKE & VPN Policies) configured on both the FVS336Gv2 and the Zyxel USG40.

Regards,

DaneA

NETGEAR Community Team

Message 4 of 5
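The two checks raised in this thread, non-overlapping LAN subnets (message 2) and consistent SA lifetime values (message 4), can be verified mechanically before anyone compares screenshots. The script below is an added example and not Netgear's or Zyxel's code; the policy dicts are a constructed, vendor-neutral summary of those fields rather than either device's export format, and the sample values are illustrative, not the poster's real settings. It also applies two general box-to-box requirements beyond what the thread spells out: each side's remote subnet must be exactly the other side's LAN, and the usual guideline that the Phase 1 (IKE) lifetime should not be shorter than the Phase 2 (IPsec) lifetime.

```python
"""Cross-check the two ends of a box-to-box IPsec policy before comparing screenshots.

Added example; the dicts are a constructed, vendor-neutral summary of the fields
raised in this thread (LAN subnets, Phase 1 and Phase 2 SA lifetimes), not the
export format of either device.
"""
import ipaddress


def _net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def check_policies(a: dict, b: dict) -> list:
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    lan_a, lan_b = _net(a['lan']), _net(b['lan'])
    # 1. Overlapping LANs cannot be routed across a tunnel (the subnet point from message 2).
    if lan_a.overlaps(lan_b):
        findings.append(f"overlap: {a['name']} LAN {lan_a} overlaps {b['name']} LAN {lan_b}")
    # 2. Each side's remote (traffic selector) subnet must be exactly the other side's LAN.
    for local, remote in ((a, b), (b, a)):
        if _net(local['remote_lan']) != _net(remote['lan']):
            findings.append(f"selector: {local['name']} remote {local['remote_lan']} "
                            f"is not {remote['name']} LAN {remote['lan']}")
    # 3. SA lifetimes should agree between peers (the values message 4 asks to check).
    for key in ('ike_lifetime', 'ipsec_lifetime'):
        if a[key] != b[key]:
            findings.append(f"lifetime: {key} is {a[key]}s on {a['name']} "
                            f"but {b[key]}s on {b['name']}")
    # 4. Usual guideline: the Phase 1 (IKE) SA should not expire before the Phase 2 (IPsec) SA.
    for p in (a, b):
        if p['ike_lifetime'] < p['ipsec_lifetime']:
            findings.append(f"lifetime: {p['name']} IKE SA ({p['ike_lifetime']}s) "
                            f"expires before its IPsec SA ({p['ipsec_lifetime']}s)")
    return findings


# Constructed policies (values are illustrative, not the poster's real settings).
OFFICE = {'name': 'FVS336Gv2 (office)', 'lan': '192.168.10.0/24',
          'remote_lan': '192.168.20.0/24', 'ike_lifetime': 28800, 'ipsec_lifetime': 3600}
BRANCH = {'name': 'USG40 (branch)', 'lan': '192.168.20.0/24',
          'remote_lan': '192.168.10.0/24', 'ike_lifetime': 28800, 'ipsec_lifetime': 3600}
# The same branch with its LAN left on the office subnet and the lifetimes inverted.
BRANCH_BAD = dict(BRANCH, lan='192.168.10.0/24', remote_lan='192.168.10.0/24',
                  ike_lifetime=3600, ipsec_lifetime=28800)
```

`check_policies(OFFICE, BRANCH)` returns an empty list for the consistent pair, while `check_policies(OFFICE, BRANCH_BAD)` returns five findings: one overlap, one selector mismatch and three lifetime problems. The `strict=False` in `_net` accepts a host address with a mask (the way many router UIs display a LAN) and normalises it to the network, so both sides are compared on equal terms.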
DaneA
NETGEAR Employee Retired

Re: Firewall FVS336Gv2 VPN Not Working

@kenshipp,

I just want to follow up on this. Were you able to check the SA Lifetime values?

Regards,

DaneA

NETGEAR Community Team

Message 5 of 5