
connecting site to site VPN with 2 x FVS336gV3 routers where 1 FVS336 is behind a NAT modem-firewall

reliablesupport
Aspirant


I just RMA'ed a FVG318, replaced by a FVS336gV3.

The system used a site to site VPN until the FVG318 died. Now I can't get the 2 x FVS336s to establish a site to site VPN. One of the routers is installed behind a provider's modem which is a NAT firewall also. As I said, the previous firewall worked fine with the port forwarding.

 

I have installed several other FVS & FVG318 routers behind Natting modems that connect to FVS336 routers perfectly using the site to site vpn system. The new FVS is able to accept client VPN requests perfectly.

 

This is the first time I am trying to connect two FVS336s. The configurations match the previous setups exactly & the Firmware is at the latest level on all devices.

 

The VPN logs throw this info for the FVS336 behind the NAT modem:


"[FVS336GV3] [IKE] INFO: NAT-D payload does not match for 192.168.2.3[500]"

 

Even though the IKE Policy is using FQDN or User_FQDN to specify the modem Internet IP, the router still keeps reporting the error for the NAT IP on the WAN port.

 

Configuration:

 

<FVS336#1>------<Internet> =====<Cable Modem performing NAT> ---<FVS336#2>

Message 1 of 3
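What an IKEv1 NAT-D mismatch means, as an added example that is not part of the original post or NETGEAR's code: RFC 3947 defines each NAT-D payload as HASH(CKY-I | CKY-R | IP | Port), and a receiver whose own address does not hash to the first payload concludes that it sits behind NAT. The cookies, both public addresses and SHA-1 as the negotiated hash are constructed assumptions; only 192.168.2.3[500] comes from the log line above.

```python
import hashlib
import ipaddress
import struct

def nat_d_hash(cky_i, cky_r, ip, port, algo="sha1"):
    """RFC 3947 NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKEv1 cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def check_nat_d(cky_i, cky_r, payloads, local, peer_seen, algo="sha1"):
    """Receiver-side check of the NAT-D payloads sent by the peer.

    payloads[0]  hashes the address the peer sent the packet TO (us, as it sees us).
    payloads[1:] hash the peer's own source address(es).
    local / peer_seen are (ip, port) tuples: our interface address and the
    source address observed on the received packet.
    """
    local_hash = nat_d_hash(cky_i, cky_r, *local, algo)
    peer_hash = nat_d_hash(cky_i, cky_r, *peer_seen, algo)
    return {
        "local_behind_nat": payloads[0] != local_hash,
        "peer_behind_nat": peer_hash not in payloads[1:],
    }

# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I = bytes.fromhex("0123456789abcdef")
CKY_R = bytes.fromhex("fedcba9876543210")
SITE1_PUBLIC = ("198.51.100.20", 500)  # assumed WAN address of FVS336#1
MODEM_PUBLIC = ("203.0.113.10", 500)   # assumed Internet side of the cable modem
SITE2_WAN = ("192.168.2.3", 500)       # private WAN address from the log line

def site1_payloads():
    """NAT-D payloads FVS336#1 would send: destination first, then its source."""
    return [nat_d_hash(CKY_I, CKY_R, *MODEM_PUBLIC),
            nat_d_hash(CKY_I, CKY_R, *SITE1_PUBLIC)]

def site2_view():
    """What the router behind the modem concludes on receipt."""
    return check_nat_d(CKY_I, CKY_R, site1_payloads(), SITE2_WAN, SITE1_PUBLIC)

if __name__ == "__main__":
    print(site2_view())
```

Per RFC 3947, peers that detect NAT this way continue the exchange on UDP port 4500 instead of 500.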
JohnC_V
NETGEAR Moderator

Re: connecting site to site VPN with 2 x FVS336gV3 routers where 1 FVS336 is behind a NAT modem-f...

@reliablesupport,

 

Welcome to our community! 🙂

 

Setting up a VPN site-to-site connection requires the modem to be set to bridge mode. It needs the public IP in order for it to communicate with the remote site. FVS336(2) has a private IP on its WAN port that needs to be changed to a public IP. I suggest you set the modem to bridge mode and the VPN will work without any problem.

 

 

 

Regards,

 

John

NETGEAR Community Team

Message 2 of 3
reliablesupport
Aspirant

Re: connecting site to site VPN with 2 x FVS336gV3 routers where 1 FVS336 is behind a NAT modem-f...

That is a correct answer but incorrect for this application.

 

The modem running NAT cannot be replaced because of service constraints. Setting up a site to site VPN tunnel when one of the firewalls is behind a NATting modem is trivial once you understand port forwarding. We do it all the time with the FVG & FVS318 products plus "other" manufacturers' firewalls/routers.

 

Note, this was a case of RMA replacement from a 318 to the 336 model by Netgear.

 

This is the first time we have tried to use a FVS336 behind a NATting modem & noticed the issue & we consider this a defect.

 

Not only is the 336(1) that is behind the NATting modem reporting payload errors for its 192.168.x.x WAN IP address, but the 336(2) with a routable IP address reports the site to site tunnel as connected when a user with an IPsec VPN client connects to it when they are connected to the LAN on 336(1).

 

No explanation for this last issue, should not be happening.

We understand these products are EOL & there is no firmware update path, but this is not right & we were hoping that there was a workaround.

Thanx.....

Model: FVS336Gv3|ProSafe dual WAN gigabit firewall with SSL and IPSec VPN
Message 3 of 3