Re: IPSec VPN Deletes After One Hour

jxdomb
Aspirant

IPSec VPN Deletes After One Hour

I can successfully open a tunnel between the Netgear VPN client and FVS318N VPN router.  However after an hour, the VPN log on the router reports ISAKMP-SA expired and the tunnel goes down.  I've included the VPN log below.  Any ideas?  Thanks.

Sat Jul 23 16:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: 192.168.20.1 IP address has been released by remote peer.
Sat Jul 23 16:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: ISAKMP-SA deleted for XX.XX.47.230[4500]-174.198.11.127[24446] with spi:fab577d7526c8214:21a73b5694da14a0
Sat Jul 23 16:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: Sending Informational Exchange: delete payload[]
Sat Jul 23 16:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: ISAKMP-SA expired XX.XX.47.230[4500]-174.198.11.127[24446] spi:fab577d7526c8214:21a73b5694da14a0
Sat Jul 23 16:33:39 2016 (GMT -0500): [FVS318N] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 174.198.11.127->XX.XX.47.230 with spi=228570525(0xd9fb59d)
Sat Jul 23 16:33:39 2016 (GMT -0500): [FVS318N] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel XX.XX.47.230->174.198.11.127 with spi=785394355(0x2ed02ab3)

Sat Jul 23 15:46:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: Sending Informational Exchange: notify payload[10637]
..........
Sat Jul 23 15:46:07 2016 (GMT -0500): [FVS318N] [IKE] INFO: Sending Informational Exchange: notify payload[10637]
Sat Jul 23 15:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: IPsec-SA established[UDP encap 4500->24446]: ESP/Tunnel XX.XX.47.230->174.198.11.127 with spi=785394355(0x2ed02ab3)
Sat Jul 23 15:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: IPsec-SA established[UDP encap 24446->4500]: ESP/Tunnel 174.198.11.127->XX.XX.47.230 with spi=228570525(0xd9fb59d)
Sat Jul 23 15:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: Adjusting peer's encmode 3(3)->Tunnel(1)
Sat Jul 23 15:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: No policy found, generating the policy : 192.168.20.1/32[0] 192.168.1.2/24[0] proto=any dir=in
Sat Jul 23 15:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: Using IPsec SA configuration: 192.168.1.0/24<->192.168.20.0/24
Sat Jul 23 15:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: FOUND
Sat Jul 23 15:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: Responding to new phase 2 negotiation: XX.XX.47.230[0]<=>174.198.11.127[0]
Sat Jul 23 15:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: Sending Informational Exchange: notify payload[608]
Sat Jul 23 15:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: ISAKMP-SA established for XX.XX.47.230[4500]-174.198.11.127[24446] with spi:fab577d7526c8214:21a73b5694da14a0
Sat Jul 23 15:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: 192.168.20.1 IP address is assigned to remote peer 174.198.11.127[24446]
Sat Jul 23 15:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: NAT detected: Local is behind a NAT device. and alsoPeer is behind a NAT device
Sat Jul 23 15:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: NAT-D payload does not match for 174.198.11.127[24446]
Sat Jul 23 15:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: NAT-D payload does not match for XX.XX.47.230[4500]
Sat Jul 23 15:45:36 2016 (GMT -0500): [FVS318N] [IKE] INFO: For 174.198.11.127[24440], Selected NAT-T version: RFC 3947
Sat Jul 23 15:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: Floating ports for NAT-T with peer 174.198.11.127[24446]
Sat Jul 23 15:45:36 2016 (GMT -0500): [FVS318N] [IKE] INFO: Received Vendor ID: DPD
Sat Jul 23 15:45:36 2016 (GMT -0500): [FVS318N] [IKE] INFO: Received Vendor ID: RFC 3947
Sat Jul 23 15:45:36 2016 (GMT -0500): [FVS318N] [IKE] INFO: Received unknown Vendor ID
Sat Jul 23 15:45:36 2016 (GMT -0500): [FVS318N] [IKE] INFO: Received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sat Jul 23 15:45:36 2016 (GMT -0500): [FVS318N] [IKE] INFO: Received unknown Vendor ID
Sat Jul 23 15:45:36 2016 (GMT -0500): [FVS318N] [IKE] INFO: Beginning Aggressive mode.
Sat Jul 23 15:45:36 2016 (GMT -0500): [FVS318N] [IKE] INFO: Received request for new phase 1 negotiation: XX.XX.47.230[500]<=>174.198.11.127[24440]
Sat Jul 23 15:45:36 2016 (GMT -0500): [FVS318N] [IKE] INFO: Remote configuration for identifier "client.com" found

Model: FVS318|Cable/DSL ProSafe VPN Firewall with 8-port switch
Message 1 of 7
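An added example, not from this thread or from NETGEAR, that parses the FVS318N IKE log quoted above, pairs each "established" SA with its "expired" line by SPI, and reports how long each SA actually lived; the sample is a constructed subset of the quoted log, oldest line first. On this data the ISAKMP (phase 1) SA lasts exactly 3600 seconds and both IPsec (phase 2) SAs about 48 minutes, which are the numbers to compare against the SA lifetimes configured on the router policy and in the VPN client.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the FVS318N log lines from the post above, oldest first.
SAMPLE_LOG = """\
Sat Jul 23 15:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: ISAKMP-SA established for XX.XX.47.230[4500]-174.198.11.127[24446] with spi:fab577d7526c8214:21a73b5694da14a0
Sat Jul 23 15:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: IPsec-SA established[UDP encap 4500->24446]: ESP/Tunnel XX.XX.47.230->174.198.11.127 with spi=785394355(0x2ed02ab3)
Sat Jul 23 15:45:38 2016 (GMT -0500): [FVS318N] [IKE] INFO: IPsec-SA established[UDP encap 24446->4500]: ESP/Tunnel 174.198.11.127->XX.XX.47.230 with spi=228570525(0xd9fb59d)
Sat Jul 23 16:33:39 2016 (GMT -0500): [FVS318N] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel XX.XX.47.230->174.198.11.127 with spi=785394355(0x2ed02ab3)
Sat Jul 23 16:33:39 2016 (GMT -0500): [FVS318N] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 174.198.11.127->XX.XX.47.230 with spi=228570525(0xd9fb59d)
Sat Jul 23 16:45:37 2016 (GMT -0500): [FVS318N] [IKE] INFO: ISAKMP-SA expired XX.XX.47.230[4500]-174.198.11.127[24446] spi:fab577d7526c8214:21a73b5694da14a0
"""

# Timestamp, then the SA type and event, then the SPI. ISAKMP SPIs look like
# "spi:<hex>:<hex>", IPsec SPIs like "spi=<decimal>(0x...)"; the capture stops at "(".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(GMT [+-]\d{4}\): "
    r".*?(?P<sa>ISAKMP-SA|IPsec-SA) (?P<event>established|expired).*?spi[:=](?P<spi>[0-9a-fA-F:]+)"
)


def parse_sa_events(text):
    """Return (timestamp, sa_type, event, spi) tuples for every SA lifecycle line in the log."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # vendor IDs, NAT-T, policy lines etc. are not SA lifecycle events
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("sa"), m.group("event"), m.group("spi")))
    return events


def sa_lifetimes(events):
    """Pair each established SA with its expiry by (type, SPI); return observed lifetime in seconds."""
    started = {}
    lifetimes = {}
    for ts, sa, event, spi in sorted(events):  # router prints newest first, so sort by time
        key = (sa, spi)
        if event == "established":
            started[key] = ts
        elif event == "expired" and key in started:
            lifetimes[key] = int((ts - started[key]).total_seconds())
    return lifetimes


if __name__ == "__main__":
    for (sa, spi), secs in sa_lifetimes(parse_sa_events(SAMPLE_LOG)).items():
        print(f"{sa} spi {spi}: lived {secs} s")
```

A phase 1 lifetime that lands on a round number like 3600 s while the client is idle points at a configured lifetime rather than a network fault; the "IPsec-SA expired" lines about twelve minutes earlier show the phase 2 SA timing out first, without a rekey.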
DaneA
NETGEAR Employee Retired

Re: IPSec VPN Deletes After One Hour

Hi jxdomb,

It seems that I don't see any similarity between the VPN logs you've posted and the article below.  However, you may double-check it for yourself.

Understanding the VPN logs – ProSafe VPN Client

Kindly answer the questions below:

a. Was it working fine before? 

b. What is the current version of the NETGEAR VPN Client software you are using?

c. What is the current firmware version of the FVS318N?

Kindly check the SA Lifetime values as well.  Let me share these old forum links that might help:

https://community.netgear.com/t5/ProSECURE-STM-and-UTM-Discussion/UTM25-IPSEC-Max-SA-lifetime-values...

https://community.netgear.com/t5/ProSECURE-STM-and-UTM-Discussion/SA-Lifetime-Guidelines-for-VPN-Set...

Regards,

DaneA
NETGEAR Community Team

Message 2 of 7
jxdomb
Aspirant

Re: IPSec VPN Deletes After One Hour

Thank you for the response.  I double-checked the article and agree that I don't see similarities with my situation.  I also checked the SA lifetimes as described in the threads and they are in bounds.  I am using the latest firmware and client versions:

a. Was it working fine before?   This is a new installation.

b. What is the current version of the NETGEAR VPN Client software you are using?  6.30.001

c. What is the current firmware version of the FVS318N?  4.3.3-8

Thank you!

Model: FVS318N|ProSafe Wireless N 8 port gigabit VPN firewall
Message 3 of 7
DaneA
NETGEAR Employee Retired

Re: IPSec VPN Deletes After One Hour

Hi jxdomb,

What is the Operating System of the PC where the NETGEAR VPN Client software is installed?

Is there a software firewall or anti-virus running on the PC where the NETGEAR VPN Client software is installed?  If yes, try to disable or uninstall it for the meantime then check if that helps.

Also, you may try to install the NETGEAR VPN Client software on other PCs/laptops to isolate the problem.  

Regards,

DaneA

NETGEAR Community Team

Message 4 of 7
jxdomb
Aspirant

Re: IPSec VPN Deletes After One Hour

I am using the VPN client on a Windows 8.1 desktop.  After reviewing the links you provided, I have been adjusting the various SA Lifetimes in the router IPSec policies and in the VPN client.  I must admit that I'm still not fully understanding them, but I have managed to get the tunnel to stay open for about four hours before it quits.

Does the 86400 seconds maximum in the client configuration indicate that 1 day is the maximum that an IPSec VPN tunnel is designed to stay up before it needs to be re-initiated by the remote user?  What if someone wants to keep a tunnel up for 2 days, a week or even longer?

Thanks for your continued assistance!

Message 5 of 7
DaneA
NETGEAR Employee Retired

Re: IPSec VPN Deletes After One Hour

Hi jxdomb,

What I know is that the SA Lifetime is the lifetime of the keys that the VPN tunnel uses to encrypt data.  If the 86400 seconds has been reached then it negotiates a new key.  If ever you have activity going on through the VPN tunnel, this will not be noticeable when the timers expire.

Let me share this link below that I found online and this might help you understand more about SA Lifetime:

IP SEC SA Lifetime

Regards,

DaneA

NETGEAR Community Team

Message 6 of 7
DaneA
NETGEAR Employee Retired

Re: IPSec VPN Deletes After One Hour

Hi jxdomb,

We’d greatly appreciate hearing your feedback letting us know if the information I’ve provided has helped resolve your concern or if you need further assistance.  If ever your concern has been resolved, I encourage you to mark the appropriate reply as the “Accepted Solution” so others can be confident in benefiting from the solution. The NETGEAR Community looks forward to hearing from you and being a helpful resource in the future!

Regards,

DaneA

NETGEAR Community Team

Message 7 of 7