I have 2 networks that are connnected with a VPN tunnel through 2 Netgear firewalls. One is an FVS318G (firmware 3.3.3-18), the other ons is an SRX(something, can't check right now) 4-WAN box.
The system seems to work fine when I boot up the system. SA lifetime is set to 28,800, VPN lifetime to 3,600. What I see is that the IPse-SA expires about every hour (curiously, it seems to be every 48 minutes instead of 60), and renews without a problem (srx ip replaced with x.x.x.x, FV IP replaced with y.y.y.y), read from bottom up:
And from there on out the log shows an entry every minute like this:
2017 Oct 1 05:43:42 [FVS318g] [IKE] Phase 2 negotiation failed due to time up. 1ce69af6753d0747:e27806f0e9ffc9b3:0000bd3d_
2017 Oct 1 05:42:42 [FVS318g] [IKE] Adjusting encryption mode to use UDP encapsulation_
2017 Oct 1 05:42:41 [FVS318g] [IKE] Initiating new phase 2 negotiation: y.y.y.y [0]<=>x.x.x.x[0]_
2017 Oct 1 05:42:41 [FVS318g] [IKE] Configuration found for x.x.x.x._
2017 Oct 1 05:42:41 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.A.0/24<->192.168.B.1/24_
2017 Oct 1 05:31:41 [FVS318g] [IKE] an undead schedule has been deleted: 'quick_i1prep'._
I have set both firewalls to the same time servers (0.pool.ntp.org and one from netgear).
The SRX has a fixed IP address, the FV318 has a dynamic IP address (but I "fixed" it through no-ip.org, and as far as I have seen, has changed perhaps a few times in the last year.
What i find curious is that in the erro section that is repeated every minute, the log suddenly lists internal IP addresses (and why is one an address with a 0 at the end and one with a 1 ?):
2017 Oct 1 05:42:41 [FVS318g] [IKE] Using IPsec SA configuration: 192.168.A.0/24<->192.168.B.1/24_
(I replaced the segments that I use on the two networks with A and B).
I am stumped, Can anybody give me some poiters where to look next?
If ever it does not help, delete the existing IKE and VPN policies. Then, use the VPN Wizard to set up a box-to-box VPN between the FVS318G and SRX5308. Refer to the link below as reference guide:
I will check out the SA lifetimes and if that doesn't work, try to delete and set up the VPN again.
Right now it seems the VPN is stable (after I played around with the IP segments in the VPN setup. They are both set to 192.168.x.0, with the selection set to "segment".
The weird thing is that the VPN is established, but I have access to the resources at site A from site B, but not the other way around. Perhaps I need to reboot both routers ???
Ok, so I think I have found a solution and also another problem 😞
First the solution: I followed DaneA's advice, deleted the VPN policies and set them up again with the Wizard. Worked, but every time, after a while the connection would drop. I looked at the VPN logs, and I think I know what is going on, but not sure what the solution is.
In order to do have control of both routers at the same time (I can't be in two locations at the same time), I decided to log into one of the routers through my iphone (L2TP). I then went to the other site and did the wizard thing there as well.
The VPN connection was established ... and then dropped after a few minutes. In the VPN log I saw this time that another VPN channels was established (not the one between the two routers). And since I was the only one on the system, that would have to be the VPN connection to my cell phone (iPhone).
It therefore seems that the VPN tunnel between the 2 routers is stable until my iPhone breaks it. Is that possible? Can the router not maintain 2 different VPN tunnels at the same time? Why would the 2 tunnels interfere?
The reason why I have the iphone VPN in the first place is that when I am on the road I want to be able to tether my laptop to my iPhone and get access to the network (if I am not in WiFi range). that used to work fine until Apple in their infinite wisdom dropped PPTP, and will not even let a device use the iphone to use PPTP. The only options seems to be L2TP, which then breaks my box-to-box VPN.
I believe you are referring to the SRX5308 having both box-to-box IPSec VPN with the FVS318G and L2TP VPN on your iPhone at the same time. The SRX5308 should be able to handle both VPN connections. Both VPN connections are dependent to the subscribed bandwidth with your ISP.
Kindly check this. The network address of both LANs of the SRX5308 and FVS318G should be different to each other. For example, if the LAN network address of the SRX5308 is 192.168.1.0, the LAN network address of the FVS318G should 192.168.9.0 or 10.10.10.0. Also, the starting/ending IP address configured on the L2TP server of the SRX5308 should be different to the LAN IP address of both LANs of the SRX5308 and FVS318G.
you are correct, the device that needs to support is an SRX5308, and from what I read, it should be able to support 2 VPN tunnels. While I had my iPhone connected yesterday, the VPN tyunnel kept crashing. Since I disconnected my iphone, the other VPN tunnel has been rock solid (thanks for the suggestiuon with the Wizard. (I am still confused about the IP addresses in the VPN Wizard. the instructions seem to indicate the the "subnet" should be specified with a "starting IP address" of x.x.x.0. I could not get that to work. Only when I entered x.x.x.1 for both subnets did I get a connection).
The internal subnets for the two Netgear boxes have different IP sections 192.168.A.x and 192.168.B.x. The L2TP server is enabled and has a third section (from 192,168.C.100 to 192.168.C.120. The rest of the VPN channels was setup exactly as described in a document I found here for iPhone setups.
What I do see is that in the VPN policy the "local IP" is defined with the "A" subnet, not the "C" subnet. (the "remote IP" is set to "Any"). Is that correct?
Oops, I think I may have spoken too early. My VPN tunnel betweent he two boxes, after being stable for about 10 hours or just crashed again. Here is the log from the SRX5308.
What is going on there?
(Read from bottom)
Thu Oct 05 11:13:57 2017 (GMT -0600): [SRX5308] [IKE] WARNING: Remote address mismatched. Local=** FV318 IP **[1024], Peer=** FV318 IP **[4500]
Thu Oct 05 11:13:42 2017 (GMT -0600): [SRX5308] [IKE] NOTIFY: The packet is retransmitted by ** FV318 IP **[4500].
Thu Oct 05 11:13:37 2017 (GMT -0600): [SRX5308] [IKE] INFO: Adjusting encryption mode to use UDP encapsulation
Thu Oct 05 11:13:37 2017 (GMT -0600): [SRX5308] [IKE] INFO: Initiating new phase 2 negotiation: ** SRX IP **[0]<=>** FV318 IP **[0]
Thu Oct 05 11:13:37 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** FV318 FDQN**" found
Thu Oct 05 11:13:37 2017 (GMT -0600): [SRX5308] [IKE] INFO: remote configuration for identifier "** FV318 FDQN**" found
Thu Oct 05 11:13:37 2017 (GMT -0600): [SRX5308] [IKE] INFO: Using IPsec SA configuration: ** SRX internal IP **/24<->** FV318 internal IP **/24
Thu Oct 05 11:13:37 2017 (GMT -0600): [SRX5308] [IKE] INFO: an undead schedule has been deleted: 'quick_i1prep'.
Thu Oct 05 11:13:37 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up. a71fc7bb5f2faa39:7f468e86bb80c70e:fcab0c88
Thu Oct 05 11:13:36 2017 (GMT -0600): [SRX5308] [IKE] INFO: an undead schedule has been deleted: 'quick_r1prep'.
Thu Oct 05 11:13:36 2017 (GMT -0600): [SRX5308] [IKE] ERROR: Phase 2 negotiation failed due to time up. a71fc7bb5f2faa39:7f468e86bb80c70e:ebfa912f
Thu Oct 05 11:13:32 2017 (GMT -0600): [SRX5308] [IKE] NOTIFY: The packet is retransmitted by ** FV318 IP **[4500].
Thu Oct 05 11:13:22 2017 (GMT -0600): [SRX5308] [IKE] NOTIFY: The packet is retransmitted by ** FV318 IP **[4500].
Thu Oct 05 11:13:12 2017 (GMT -0600): [SRX5308] [IKE] NOTIFY: The packet is retransmitted by ** FV318 IP **[4500].
Thu Oct 05 11:13:02 2017 (GMT -0600): [SRX5308] [IKE] NOTIFY: The packet is retransmitted by ** FV318 IP **[4500].
I am starting to think that Netgear is not the way to go ....
I started everything yesterday again, and the VPN seemed to hold (without me trying to use my iPhone. This morning evrything was fine. Then I drive to my office connect to the network there, and the Tunnel crashes (no access to resources at the other side). You would think that the VPN status or log should show something, right? Well, there is nothing. The Modem reports that it is connected, and the last entries int the log show "IPsec-SA established"
In fact, I just watched the log as the SA expired and the log shows the modem going through the whole negotiation again, anding again in IPsec established (I suppose that means that the two boxes talk), BUT ...
It seemed that your concern on your post here is the same on this forum thread. I will close this thread and kindly continue to the new thread you have created.
