
Re: SRX5308 VPN to FVS318v3

PeterBroersen
Aspirant

SRX5308 VPN to FVS318v3

Does anybody know if it is possible to set up a VPN connection between a SRX5308 and a FVS318v3?

I have successfully connected 2 FVS318v3's with VPN, but now 1 of them needs to be replaced because the local throughput was not enough for the new internet connection.

 

Hope somebody can help me.

Model: FVS318v3|Cable/DSL ProSafe VPN Firewall with 8-port switch,SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 1 of 11
Dan_Z
NETGEAR Expert

Re: SRX5308 VPN to FVS318v3

Hello,
Welcome to the community!

Here is the reference link:
http://kb.netgear.com/24278/Configuring-a-Box-to-Box-VPN-on-ProSAFE-ProSECURE-routers-using-the-VPN-...

 

Thanks

Message 2 of 11
PeterBroersen
Aspirant

Re: SRX5308 VPN to FVS318v3

Hello Dan,

 

Thanks for your answer. But unfortunately: I already tried to use the wizard.

On the SRX5308 I see 'IPsec SA Not Established' on the Connection Status-tab.

And on the Monitoring-page on the tab 'VPN Logs':

 

Thu Feb 09 10:47:06 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 83.***.***.69[500]. 6cf7de814b79cabb:cdc28d9e092f42f8
Thu Feb 09 10:46:58 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Ignore information because the message has no hash payload.
Thu Feb 09 10:46:52 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Malformed packet of payload length 12644 and total length 40.
Thu Feb 09 10:46:47 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Malformed packet of payload length 12644 and total length 40.
Thu Feb 09 10:46:42 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Malformed packet of payload length 12644 and total length 40.
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  invalid ID payload.
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] WARNING:  ID value mismatched.
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Beginning Identity Protection mode.
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received request for new phase 1 negotiation: 192.168.178.51[500]<=>83.***.***.69[500]
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Configuration found for 83.***.***.69[500].
Thu Feb 09 10:46:26 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Phase 1 negotiation failed due to time up for 83.***.***.69[500]. 6d54b0ccf4b96a46:5db092d37e9b5e44
Thu Feb 09 10:46:18 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  Ignore information because the message has no hash payload.
Thu Feb 09 10:46:13 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Malformed packet of payload length 807 and total length 40.
Thu Feb 09 10:46:08 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received Malformed packet of payload length 807 and total length 40.

 

On the FVS318v3 VPN Status/Log:

[2017-02-09 11:43:26]<POLICY: VPN-GEIT> PAYLOADS: SA,PROP,TRANS,VID,VID
[2017-02-09 11:43:27]**** SENT OUT  THIRD MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:27]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE
[2017-02-09 11:43:27]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:27]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE,VID
[2017-02-09 11:43:29]<ID PAYLOAD> Type = ID_IPV4_ADDR,ID Data=192.168.1.40
[2017-02-09 11:43:29]**** SENT OUT  FIFTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:37]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:40]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:44]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:49]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2017-02-09 11:43:49]<POLICY: VPN-GEIT> PAYLOADS: DEL
[2017-02-09 11:43:49][==== IKE PHASE 1(to 217.***.***.31) START (initiator) ====]
[2017-02-09 11:43:49]**** SENT OUT  FIRST MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:49]<POLICY: VPN-GEIT> PAYLOADS: SA,PROP,TRANS
[2017-02-09 11:43:49]**** RECEIVED SECOND MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:49]<POLICY: VPN-GEIT> PAYLOADS: SA,PROP,TRANS,VID,VID
[2017-02-09 11:43:50]**** SENT OUT  THIRD MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:50]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE
[2017-02-09 11:43:50]**** RECEIVED FOURTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:50]<POLICY: VPN-GEIT> PAYLOADS: KE,NONCE,VID
[2017-02-09 11:43:52]<ID PAYLOAD> Type = ID_IPV4_ADDR,ID Data=192.168.1.40
[2017-02-09 11:43:52]**** SENT OUT  FIFTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:57]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:44:07]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:44:12]**** SENT OUT INFORMATIONAL EXCHANGE MESSAGE ****
[2017-02-09 11:44:12]<POLICY: VPN-GEIT> PAYLOADS: DEL

 

 

I hope this helps to solve the problem.

 

Additional information: On the same side as the SRX5308, there is still an old FVS318v3. If I configure the VPN on this firewall, the VPN is up in no time...

Message 3 of 11
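Added example, not part of the original thread: a short Python script that correlates the two logs posted above and reports what they show about the Phase 1 identity exchange. The function name `diagnose` and the result keys are assumptions made for this illustration; the sample lines are excerpts copied from the logs in the post.

```python
import ipaddress
import re

# Excerpts of the SRX5308 and FVS318v3 logs posted above (sample input).
SRX_LOG = """\
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] ERROR:  invalid ID payload.
Thu Feb 09 10:46:37 2017 (GMT +0100): [SRX5308] [IKE] WARNING:  ID value mismatched.
Thu Feb 09 10:46:34 2017 (GMT +0100): [SRX5308] [IKE] INFO:  Received request for new phase 1 negotiation: 192.168.178.51[500]<=>83.***.***.69[500]
"""
FVS_LOG = """\
[2017-02-09 11:43:29]<ID PAYLOAD> Type = ID_IPV4_ADDR,ID Data=192.168.1.40
[2017-02-09 11:43:29]**** SENT OUT  FIFTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:37]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
[2017-02-09 11:43:40]**** RECEIVED  SIXTH MESSAGE OF MAIN MODE ****
"""

NEG_RE = re.compile(r"phase 1 negotiation: (\S+?)\[\d+\]<=>(\S+?)\[\d+\]")
ID_RE = re.compile(r"<ID PAYLOAD> Type = (\w+),ID Data=(\S+)")
MSG6_RE = re.compile(r"RECEIVED\s+SIXTH MESSAGE OF MAIN MODE")

def is_private(addr):
    """True only for a parseable private address; masked ones (83.***) are not."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def diagnose(srx_log, fvs_log):
    """Return observations drawn only from the log text (hypothetical helper)."""
    out = {"srx_local_private": False, "peer_id": None, "peer_id_private": False,
           "id_matches_peer_addr": None, "id_rejected": False, "msg6_repeats": 0}
    neg = NEG_RE.search(srx_log)    # local[port]<=>peer[port] as the SRX sees it
    ident = ID_RE.search(fvs_log)   # identity the FVS puts in main mode message 5
    if neg:
        out["srx_local_private"] = is_private(neg.group(1))
    if ident:
        out["peer_id"] = ident.group(2)
        out["peer_id_private"] = is_private(ident.group(2))
        if neg:
            out["id_matches_peer_addr"] = ident.group(2) == neg.group(2)
    out["id_rejected"] = "ID value mismatched" in srx_log
    # Repeated message 6 means the SRX keeps retransmitting without progress.
    out["msg6_repeats"] = len(MSG6_RE.findall(fvs_log))
    return out

if __name__ == "__main__":
    for key, value in diagnose(SRX_LOG, FVS_LOG).items():
        print(f"{key}: {value}")
```

On these excerpts the script reports that both units negotiate from private addresses, that the FVS318v3 identifies itself as 192.168.1.40 rather than the public address the SRX5308 has a configuration for, and that the SRX5308 logs an ID mismatch at the same step.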
Dan_Z
NETGEAR Expert

Re: SRX5308 VPN to FVS318v3

Hi PeterBroersen,
I'm sorry, I clicked "Accept as Solution" accidentally.
Could you compare the parameters of the IKE policy and VPN policy on the two boxes? Make sure all the parameters are the same except the IP address.

Thanks,

Dan

Message 4 of 11
PeterBroersen
Aspirant

Re: SRX5308 VPN to FVS318v3

Hello Dan,

 

I checked and double-checked all the settings, four times. Everything is exactly the same.

Do you want to see any screenprints of something?

Message 5 of 11
SamirD
Prodigy

Re: SRX5308 VPN to FVS318v3

Try changing things like dpd, keep alive, as well as phase one and phase two cryptos.  I've not seen problems with netgear stuff connecting with each other, but have seen issues where certain combinations will not work between different brands.  Could be a firmware bug and a similar issue causing issues here.

 

What are the two FVS318s' firmware revisions?  Are they the same?  ie, is the one working on the same firmware as the one that isn't?

 

Also, you mentioned you replaced the 318 because it could not handle the bandwidth.  How much did bandwidth increase to?

Message 6 of 11
HenrikA
Tutor

Re: SRX5308 VPN to FVS318v3

Hi,

I am running VPN between different SRX and FVS devices and never had any problems. However, skip the wizard and set it up manually. When things have started to not work like this I have just deleted everything and started all over, which has solved the problem. Also, I use the VPN software Shrew Soft to access the firewalls from a single laptop on the road. Shrew Soft works in the same way as router-router, so check if you can connect to both routers by Shrew Soft-router. That is one way for problem solving.

-Henrik

Message 7 of 11
BrentHarsh
Aspirant

Re: SRX5308 VPN to FVS318v3

For what it's worth, I do have this exact type of IPSec tunnel configured and working well, with the 5308 located in our datacenter and the 318 at my home.  The tunnel between these two routers has "just worked" since the earliest 5308 firmware I had through 4.3.4-2 just this month while the 318 is on 3.0_28.  I'm not sure if that info gives you encouragement or is just frustrating.  I did not use the wizard on either side to set them up, just manually set the parameters to match.

 

Unfortunately I often see similar errors to what you're quoting in your logs (malformed packets, then phase1 failed...) when configuring new VPN tunnels on the 5308, for sure when a Cisco ASA or a simple linux box running racoon is on the far end of the tunnel.  It's very, very frustrating.

 

When I updated the firmware on our 5308 recently, I decided to wipe it completely clean and rebuild all our firewall rules and ipsec parms from scratch rather than restoring from a backup config or anything.  I had hoped there was something that had been malconfigured in the older firmware versions and then never cleared which could cause this, but unfortunately many IPSec tunnels appear to be impossible to set up and neither I nor the far-end admins can figure out why because other ones do work.  There doesn't seem to be a reason.

Model: FVS318v3|Cable/DSL ProSafe VPN Firewall with 8-port switch,SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 8 of 11
SamirD
Prodigy

Re: SRX5308 VPN to FVS318v3

It's on those issues where you can't get a connection no matter what that I start changing things that shouldn't matter.  And it's usually a setting that is changed to something else and then works.  (I once had a setup where des wouldn't work but 3des would.  Another crazy one was when I turned off dpd everything connected.  Crazy stuff!)

Message 9 of 11
PeterBroersen
Aspirant

Re: SRX5308 VPN to FVS318v3

Hello Brent,

 

Can you send me screenshots of your configuration? Or maybe you can help me, if I send my screenshots to you?

Did you open any ports on your internet modem?

 

Any help is welcome.

Message 10 of 11
BrentHarsh
Aspirant

Re: SRX5308 VPN to FVS318v3


@PeterBroersen wrote:

Hello Brent,

 

Can you send me screenshots of your configuration? Or maybe you can help me, if I send my screenshots to you?

Did you open any ports on your internet modem?

 

Any help is welcome.


Hi Peter, sorry for the very long delay; I rarely check back and missed this note.  Have you solved your problems with the 5308?  If you want to send a screenshot of your configs I could try to compare to my setup.  Hopefully though, you're long since sorted out.

Model: SRX5308|PROSAFE Gigabit Quad WAN SSL & IPSEC VPN Firewall
Message 11 of 11