Forum Discussion
Froese, Aspirant
Oct 19, 2016
VPN no longer working between two FVS318Gv2
I have two FVS318Gv2 at two offices with a VPN tunnel between them that had worked fine until yesterday, when the Internet provider was changed at one location. The broadband ISP settings were changed and, under VPN settings, the new WAN IP for the location that changed was also updated. Everything works fine (Internet service, port forwarding) except the VPN.
Under VPN / Connection Status, both sides show "IPsec SA Established", but no traffic flows over this link now; even a ping from Monitoring / Diagnostics (with "Ping through VPN tunnel" checked, to the LAN IP of the other device) does not work.
Here is the VPN log from one of the devices:
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=48796823(0x2e89497)
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=13496147(0xcdef53)
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: 192.168.0.1/24<->172.16.0.1/16
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 166.102.171.xxx[0]<=>107.221.112.xxx[0]
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:58:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:44:23 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=96003188(0x5b8e474)
Wed Oct 19 14:44:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=54349087(0x33d4d1f)
Wed Oct 19 14:39:46 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=264155747(0xfbeb263)
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Sending Informational Exchange: delete payload[]
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: 192.168.0.1/24<->172.16.0.1/16
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 166.102.171.xxx[0]<=>107.221.112.xxx[0]
Wed Oct 19 14:10:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.
Wed Oct 19 14:10:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Sending Informational Exchange: delete payload[]
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=105406563(0x6486063)
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Using IPsec SA configuration: 192.168.0.1/24<->172.16.0.1/16
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Responding to new phase 2 negotiation: 166.102.171.xxx[0]<=>107.221.112.xxx[0]
Wed Oct 19 14:10:16 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=102875942(0x621c326)
Wed Oct 19 14:10:16 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=17450749(0x10a46fd)
Wed Oct 19 14:10:15 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Initiating new phase 2 negotiation: 166.102.171.xxx[500]<=>107.221.112.xxx[0]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Sending Informational Exchange: notify payload[608]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: ISAKMP-SA established for 166.102.171.xxx[500]-107.221.112.xxx[500] with spi:a85a6f598f0b9e1d:3d21e27b77064209
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: NAT not detected
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: NAT-D payload matches for 107.221.112.xxx[500]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: NAT-D payload matches for 166.102.171.xxx[500]
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Received Vendor ID: KAME/racoon
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: For 107.221.112.xxx[500], Selected NAT-T version: RFC 3947
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Received Vendor ID: KAME/racoon
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Received Vendor ID: DPD
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Received Vendor ID: RFC 3947
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Deleting PH1, Disable the sacreate lock
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: ISAKMP-SA deleted for 166.102.171.xxx[500]-107.221.112.xxx[500] with spi:1d6fcad31f1aee28:4e88030e7378cbf3
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 9
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 8
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [isakmp_ident.c:190]: XXX: setting vendorid: 4
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [isakmp_ident.c:186]: XXX: NUMNATTVENDORIDS: 3
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: Beginning Identity Protection mode.
I finally had an AT&T tech come out and replace the Pace 5268AC with a Motorola NVG589. Set it up as "pass-through" and now everything works fine. The tech said that this was a common problem for business customers using the Pace 5268. Apparently it just can't be made to pass VPN traffic.
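The log in the post shows an IKE control plane that is healthy (phase 1 completes, phase 2 SAs are established, live out a full lifetime and are rekeyed) while no traffic crosses the tunnel. The following is an added example, not NETGEAR code and not anything posted in the thread: a small parser for this racoon-style log layout that pulls out the three facts that decide where to look next. First, whether phase 1 (ISAKMP-SA) completed. Second, what the NAT-D exchange decided: RFC 3947 NAT-T only UDP-encapsulates ESP on UDP/4500 when a NAT is detected, so the "NAT not detected" line here means ESP leaves the router as raw IP protocol 50, and every device in front of it, including the ISP gateway, must forward protocol 50. Third, how long each SA by SPI lived before it expired. The sample log is a constructed subset of the lines above with the masked "xxx" octets kept; the line format ("[FVS318Gv2] [IKE] INFO:") is taken from the thread, while the function names and the "NAT detected" substring used for the UDP-encapsulated branch (which this log never takes) are assumptions.

```python
"""Summarise an FVS318Gv2 (racoon-style) IKE log for the "tunnel up, no traffic" case.

Added example, not NETGEAR code: the line layout is from the thread; helper names and
the "NAT detected" substring (a branch this log never takes) are assumptions.
"""
import re
from datetime import datetime

# Constructed sample: a subset of the thread's log, newest first as the router
# prints it, public-IP octets left masked as "xxx".
SAMPLE_LOG = """\
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=48796823(0x2e89497)
Wed Oct 19 14:58:26 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=13496147(0xcdef53)
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:58:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:58:19 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:39:46 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA expired: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=264155747(0xfbeb263)
Wed Oct 19 14:10:25 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 166.102.171.xxx->107.221.112.xxx with spi=95706496(0x5b45d80)
Wed Oct 19 14:10:24 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=10825899(0xa530ab)
Wed Oct 19 14:10:18 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: [IPSEC_VPN] IPsec-SA established: ESP/Tunnel 107.221.112.xxx->166.102.171.xxx with spi=235429450(0xe085e4a)
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: ISAKMP-SA established for 166.102.171.xxx[500]-107.221.112.xxx[500] with spi:a85a6f598f0b9e1d:3d21e27b77064209
Wed Oct 19 14:10:14 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: NAT not detected
Wed Oct 19 14:10:13 2016 (GMT -0400): [FVS318Gv2] [IKE] INFO: For 107.221.112.xxx[500], Selected NAT-T version: RFC 3947
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{1,2} \d\d:\d\d:\d\d \d{4}) \(GMT [-+]\d{4}\): "
    r"\[[^\]]+\] \[IKE\] INFO: (?P<msg>.*)$"
)
SA_RE = re.compile(
    r"IPsec-SA (?P<kind>established|expired): ESP/Tunnel "
    r"(?P<src>\S+)->(?P<dst>\S+) with spi=(?P<spi>\d+)"
)


def parse_lines(log):
    """Return [(timestamp, message)] oldest first; the router logs newest first."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["msg"]))
    events.sort(key=lambda e: e[0])
    return events


def sa_lifetimes(log):
    """Pair each ESP SPI's 'established' with its 'expired' and compute the lifetime."""
    sas = {}
    for ts, msg in parse_lines(log):
        m = SA_RE.search(msg)
        if not m:
            continue
        rec = sas.setdefault(int(m["spi"]), {"dir": f"{m['src']}->{m['dst']}",
                                            "established": None, "expired": None,
                                            "lifetime_s": None})
        rec[m["kind"]] = ts
        if rec["established"] and rec["expired"]:
            rec["lifetime_s"] = int((rec["expired"] - rec["established"]).total_seconds())
    return sas


def esp_encapsulation(log):
    """How ESP appears on the wire, read from the phase-1 NAT-D result.

    RFC 3947 NAT-T UDP-encapsulates ESP (UDP/4500) only when a NAT is detected
    between the peers; 'NAT not detected' means raw IP protocol 50, which every
    hop in the path (here, the ISP gateway) must forward.
    """
    msgs = [msg for _, msg in parse_lines(log)]
    if any("NAT not detected" in m for m in msgs):
        return "raw ESP (IP protocol 50)"
    if any("NAT detected" in m for m in msgs):  # assumed wording of the other branch
        return "UDP-encapsulated ESP (UDP/4500)"
    return "unknown (no NAT-D result in log)"


def diagnose(log):
    """Condense the log into the facts that decide where to look next."""
    sas = sa_lifetimes(log)
    lifetimes = [r["lifetime_s"] for r in sas.values() if r["lifetime_s"] is not None]
    report = {
        "phase1_established": any("ISAKMP-SA established" in m for _, m in parse_lines(log)),
        "esp_encapsulation": esp_encapsulation(log),
        "sa_established": sum(1 for r in sas.values() if r["established"]),
        "sa_expired": sum(1 for r in sas.values() if r["expired"]),
        # expired with no 'established' in the window: older than the log excerpt
        "orphan_expired": sorted(s for s, r in sas.items() if r["expired"] and not r["established"]),
        # established with no 'expired' yet: the currently active pair (or deleted early)
        "still_open": sorted(s for s, r in sas.items() if r["established"] and not r["expired"]),
        "min_lifetime_s": min(lifetimes) if lifetimes else None,
        "max_lifetime_s": max(lifetimes) if lifetimes else None,
    }
    # Both IKE phases finished and SAs rekey on schedule: the control plane is
    # fine, so missing traffic is a data-plane (ESP forwarding) problem.
    report["control_plane_ok"] = report["phase1_established"] and report["sa_established"] > 0
    return report


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key:20} {value}")
```

On this excerpt the report comes back with control_plane_ok set, esp_encapsulation "raw ESP (IP protocol 50)", and SA lifetimes of 2880 to 2881 seconds: the SAs are not being torn down early, they simply carry nothing. That combination says the IKE exchange on UDP/500 is getting through but protocol 50 is not, which is consistent with the resolution above, where the tunnel only passed traffic once the ISP gateway in front of the FVS318Gv2 was put into pass-through.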
14 Replies
- Danthem, NETGEAR Employee (Retired)
Check your inbound firewall rules on both sides of the VPN, make sure there isn't any "ANY"-service inbound rule.
Most of the time, when the tunnel comes up but traffic is not passing, it comes down to one of the following:
* Firewall rules
* Static routes
* ISP
You can also try rebooting both of the routers or recreating the VPN.
- Froese, Aspirant
Thanks. I've of course rebooted both ends numerous times.
- Inbound, I've only got two services: TCP ports 5900-5901 and 10999-11102, open for any IP, all day.
- I have no Static Routes on either end.
- As for the ISP, yes, this might be the issue; we changed from Earthlink Business to AT&T U-verse yesterday.
Again, everything else is working, even the tunnel comes up, but traffic won't pass through it. It sounds like a routing issue, but even if I try to ping the LAN IP of the other device using Diagnostics, Ping, with "Ping through VPN tunnel" checked and the correct VPN Policy selected, it comes up "Ping Failed."
- Dan_Z, NETGEAR Expert
Hi Froese,
Welcome to the community!
Because the broadband ISP settings were changed on your devices, I suggest deleting all VPN configuration and recreating it.
Below are the configuration steps for your reference:
1. Topology: FVS318Gv2-01 [WAN]----[WAN] FVS318Gv2-02
2. Go to Security -> Firewall -> Attack Checks and enable "Respond to Ping on Internet Ports" on both FVS318Gv2 units.
3. Make sure FVS318Gv2-01's WAN can ping FVS318Gv2-02's WAN; you can do this on the "Monitoring -> Diagnostics" page.
4. Delete the VPN policies and IKE policies on both FVS318Gv2 units.
5. Use the VPN Wizard to recreate the VPN policy.
Thanks
- Froese, Aspirant
Thank you, but I have already deleted and re-created the VPN settings on both sides.
The issue seems to be with the AT&T-supplied Pace 5268AC RG. Even though I've put the FVS318Gv2 in the RG's "DMZ+" and disabled everything else that I could find, it still seems to be blocking GRE packets (although the tunnel is set up).
- Dan_Z, NETGEAR Expert
Hi Froese,
Thanks for your reply.
Could you tell me the Internet connection mode: PPPoE, ADSL, or other? Thanks.