SRX5308 VPN to FVS318v3
Does anybody know if it is possible to set up a VPN connection between an SRX5308 and a FVS318v3?
I have successfully connected 2 FVS318v3's with VPN, but now 1 of them needs to be replaced because the local throughput was not enough for the new internet connection.
Hope somebody can help me.
Re: SRX5308 VPN to FVS318v3
Hello,
Welcome to the community!
Here is the reference link:
http://kb.netgear.com/24278/Configuring-a-Box-to-Box-VPN-on-ProSAFE-ProSECURE-routers-using-the-VPN-...
Thanks
Re: SRX5308 VPN to FVS318v3
Hello Dan,
Thanks for your answer. But unfortunately: I already tried to use the wizard.
On the SRX5308 I see 'IPsec SA Not Established' on the Connection Status-tab.
And on the Monitoring-page on the tab 'VPN Logs':
Thu Feb 09 10:47:06 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for 83.***.***.69[500]. 6cf7de814b79cabb:cdc28d9e092f42f8
Thu Feb 09 10:46:58 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Ignore information because the message has no hash payload.
Thu Feb 09 10:46:52 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 12644 and total length 40.
Thu Feb 09 10:46:47 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 12644 and total length 40.
Thu Feb 09 10:46:42 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 12644 and total length 40.
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] ERROR: invalid ID payload.
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] WARNING: ID value mismatched.
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received request for new phase 1 negotiation: 192.168.178.51[500]<=>83.***.***.69[500]
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO: Configuration found for 83.***.***.69[500].
Thu Feb 09 10:46:26 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Phase 1 negotiation failed due to time up for 83.***.***.69[500]. 6d54b0ccf4b96a46:5db092d37e9b5e44
Thu Feb 09 10:46:18 2017 (GMT +0100): [SRX5308] [IKE] ERROR: Ignore information because the message has no hash payload.
Thu Feb 09 10:46:13 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 807 and total length 40.
Thu Feb 09 10:46:08 2017 (GMT +0100): [SRX5308] [IKE] INFO: Received Malformed packet of payload length 807 and total length 40.
On the FVS318v3 VPN Status/Log:
[2017-02-09 11:43:26]<POLICY: VPN-GEIT> PAYLOADS: SA,PROP,TRANS,VID,VID
[2017-02-09 11:43:27]**** SENT OUT THIRD MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:27]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE
[2017-02-09 11:43:27]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:27]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE,VID
[2017-02-09 11:43:29]<ID PAYLOAD> Type = ID_IPV4_ADDR,ID Data=192.168.1.40
[2017-02-09 11:43:29]**** SENT OUT FIFTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:37]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:40]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:44]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:49]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2017-02-09 11:43:49]<POLICY: VPN-GEIT> PAYLOADS: DEL
[2017-02-09 11:43:49][==== IKE PHASE 1(to 217.***.***.31) START (initiator) ====]
[2017-02-09 11:43:49]**** SENT OUT FIRST MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:49]<POLICY: VPN-GEIT> PAYLOADS: SA,PROP,TRANS
[2017-02-09 11:43:49]**** RECEIVED SECOND MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:49]<POLICY: VPN-GEIT> PAYLOADS: SA,PROP,TRANS,VID,VID
[2017-02-09 11:43:50]**** SENT OUT THIRD MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:50]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE
[2017-02-09 11:43:50]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:50]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE,VID
[2017-02-09 11:43:52]<ID PAYLOAD> Type = ID_IPV4_ADDR,ID Data=192.168.1.40
[2017-02-09 11:43:52]**** SENT OUT FIFTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:57]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:44:07]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:44:12]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2017-02-09 11:44:12]<POLICY: VPN-GEIT> PAYLOADS: DEL
I hope this helps to solve the problem.
Additional information: On the same side as the SRX5308, there is still an old FVS318v3. If I configure the VPN on this firewall, the VPN is up in no time...
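The two logs in the post above can be checked against each other mechanically. The following is an added example, not part of the original thread: it pulls the phase 1 ID payload the FVS318v3 (initiator) sent and compares it with the identifier the SRX5308 (responder) would expect. The function name and `EXPECTED_ID` are hypothetical; the real peer address is masked in the thread, so a documentation address stands in for it, and treating the public address as the expected identifier is an assumption.

```python
import ipaddress
import re

# Lines copied from the two logs in the post above. The public peer address is
# masked in the thread, so EXPECTED_ID is a constructed documentation address.
SRX_LOG = """\
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] ERROR: invalid ID payload.
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] WARNING: ID value mismatched.
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO: Beginning Identity Protection mode.
"""
FVS_LOG = """\
[2017-02-09 11:43:50]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:52]<ID PAYLOAD> Type = ID_IPV4_ADDR,ID Data=192.168.1.40
[2017-02-09 11:43:52]**** SENT OUT FIFTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:57]**** RECEIVED SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:44:12]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2017-02-09 11:44:12]<POLICY: VPN-GEIT> PAYLOADS: DEL
"""
EXPECTED_ID = "203.0.113.69"  # constructed: identifier assumed to be set on the responder

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ID_RE = re.compile(r"<ID PAYLOAD> Type = (\w+),ID Data=(\S+)")
MSG_RE = re.compile(r"\*{4} (?:SENT OUT|RECEIVED) (\w+) MESSAGE OF MAIN MODE \*{4}")
ORDINALS = ("FIRST", "SECOND", "THIRD", "FOURTH", "FIFTH", "SIXTH")


def check_phase1_identity(responder_log, initiator_log, expected_id):
    """Compare the ID the initiator sent with what the responder expects."""
    report = {
        # Did the responder log an identity complaint at all?
        "responder_rejected_id": any(
            s in responder_log for s in ("ID value mismatched", "invalid ID payload")),
        # How far main mode got (1-6) according to the initiator's log.
        "last_main_mode_msg": max(
            (ORDINALS.index(o) + 1 for o in MSG_RE.findall(initiator_log)), default=0),
        "torn_down": "PAYLOADS: DEL" in initiator_log,
        "ids": [],
    }
    for id_type, data in ID_RE.findall(initiator_log):
        entry = {"type": id_type, "value": data, "matches_expected": data == expected_id}
        if id_type == "ID_IPV4_ADDR":
            addr = ipaddress.ip_address(data)
            entry["rfc1918"] = any(addr in net for net in RFC1918)
        report["ids"].append(entry)
    return report


if __name__ == "__main__":
    print(check_phase1_identity(SRX_LOG, FVS_LOG, EXPECTED_ID))
```

An `ID_IPV4_ADDR` value in a private range next to a responder-side ID warning is worth comparing against the local and remote identifier fields of both IKE policies.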
Re: SRX5308 VPN to FVS318v3
Hi PeterBroersen,
I'm sorry, I clicked "Accept as Solution" accidentally.
Could you compare the parameters of the IKE policy and VPN policy on the two boxes? Make sure all the parameters are the same except the IP address.
Thanks,
Dan
Re: SRX5308 VPN to FVS318v3
Hello Dan,
I checked and double-checked all the settings, four times. Everything is exactly the same.
Do you want to see any screenprints of something?
Re: SRX5308 VPN to FVS318v3
Try changing things like DPD, keep alive, as well as phase one and phase two cryptos. I've not seen problems with Netgear stuff connecting with each other, but have seen issues where certain combinations will not work between different brands. Could be a firmware bug and a similar issue causing issues here.
What are the two FVS318s' firmware revisions? Are they the same? I.e., is the one working on the same firmware as the one that isn't?
Also, you mentioned you replaced the 318 because it could not handle the bandwidth. How much did bandwidth increase to?
Re: SRX5308 VPN to FVS318v3
Hi,
I am running VPN between different SRX and FVS devices and never had any problems. However, skip the wizard and set it up manually. When things have started to not work like this I have just deleted everything and started all over, which has solved the problem. Also, I use the VPN software Shrew Soft to access the firewalls from a single laptop on the road. Shrew Soft works in the same way as router-router, so check if you can connect to both routers by Shrew Soft-router. That is one way for problem solving.
-Henrik
Re: SRX5308 VPN to FVS318v3
For what it's worth, I do have this exact type of IPSec tunnel configured and working well, with the 5308 located in our datacenter and the 318 at my home. The tunnel between these two routers has "just worked" since the earliest 5308 firmware I had through 4.3.4-2 just this month while the 318 is on 3.0_28. I'm not sure if that info gives you encouragement or is just frustrating. I did not use the wizard on either side to set them up, just manually set the parameters to match.
Unfortunately I often see similar errors to what you're quoting in your logs (malformed packets, then phase1 failed...) when configuring new VPN tunnels on the 5308, for sure when a Cisco ASA or a simple Linux box running racoon is on the far end of the tunnel. It's very, very frustrating.
When I updated the firmware on our 5308 recently, I decided to wipe it completely clean and rebuild all our firewall rules and IPsec parms from scratch rather than restoring from a backup config or anything. I had hoped there was something that had been malconfigured in the older firmware versions and then never cleared which could cause this, but unfortunately many IPsec tunnels appear to be impossible to set up and neither I nor the far-end admins can figure out why because other ones do work. There doesn't seem to be a reason.
Re: SRX5308 VPN to FVS318v3
It's on those issues, where you can't get a connection no matter what, that I start changing things that shouldn't matter. And it's usually a setting that is changed to something else and then works. (I once had a setup where DES wouldn't work but 3DES would. Another crazy one was when I turned off DPD everything connected. Crazy stuff!)
Re: SRX5308 VPN to FVS318v3
Hello Brent,
Can you send me screenshots of your configuration? Or maybe you can help me, if I send my screenshots to you?
Did you open any ports on your internet modem?
Any help is welcome.
Re: SRX5308 VPN to FVS318v3
@PeterBroersen wrote:
Hello Brent,
Can you send me screenshots of your configuration? Or maybe you can help me, if I send my screenshots to you?
Did you open any ports on your internet modem?
Any help is welcome.

Hi Peter, sorry for the very long delay; I rarely check back and missed this note. Have you solved your problems with the 5308? If you want to send a screenshot of your configs I could try to compare to my setup. Hopefully though, you're long since sorted out.