hudog


  1. If that does not help, delete the existing IKE and VPN policies. Then use the VPN Wizard to set up a box-to-box VPN between the FVS318G and the SRX5308. Refer to the link below as a reference guide:

    You are correct, the device that needs to support it is an SRX5308, and from what I read, it should be able to support 2 VPN tunnels. While I had my iPhone connected yesterday, the VPN tunnel kept crashing. Since I disconnected my iPhone, the other VPN tunnel has been rock solid (thanks for the suggestion with the Wizard). I am still confused about the IP addresses in the VPN Wizard. The instructions seem to indicate that the "subnet" should be specified with a "starting IP address" of x.x.x.0. I could not get that to work. Only when I entered x.x.x.1 for both subnets did I get a connection.

    I'm trying to set up a site-to-site IPsec VPN tunnel. I've done this multiple times on other routers, but this Netgear UTM25S firewall is driving me crazy with all the problems it's causing. I've set up the IKE and VPN policies on the UTM25S and on the corresponding firewall (a Watchguard Firebox X750e) and everything seems to be working fine. I can access clients and servers on both sides of the tunnel, so it would seem everything is working perfectly. Under "Monitoring" on the router it also says "IPSEC SA is established". But when I take a look at the IPsec VPN query log I can see the following error messages:

    2014-06-04 11:52:48 [UTM25S] DPD R-U-THERE-ACK sent to "82.198.200.3[500]"
    2014-06-04 11:52:48 [UTM25S] DPD R-U-THERE received from "82.198.200.3[500]"
    2014-06-04 11:42:21 [UTM25S] an undead schedule has been deleted: 'quick_i1prep'.
    2014-06-04 11:42:21 [UTM25S] Phase 2 negotiation failed due to time up. 31b2159e95d4fe8f:40857ef01c3da4a3:eeaeb088
    2014-06-04 11:42:11 [UTM25S] Unknown notify message from 82.198.200.3[500].No phase2 handle found.
    2014-06-04 11:42:01 [UTM25S] Unknown notify message from 82.198.200.3[500].No phase2 handle found.
    2014-06-04 11:41:51 [UTM25S] Unknown notify message from 82.198.200.3[500].No phase2 handle found.
    2014-06-04 11:41:41 [UTM25S] Unknown notify message from 82.198.200.3[500].No phase2 handle found.
    2014-06-04 11:41:31 [UTM25S] Unknown notify message from 82.198.200.3[500].No phase2 handle found.
    2014-06-04 11:41:21 [UTM25S] Unknown notify message from 82.198.200.3[500].No phase2 handle found.
    2014-06-04 11:41:21 [UTM25S] Initiating new phase 2 negotiation: 82.198.195.15[0]=82.198.200.3[0]
    2014-06-04 11:41:20 [UTM25S] [CONNECT] IPsec-SA established: ESP/Tunnel 82.198.195.15-82.198.200.3 with spi=1587539855(0x5e9fef8f)
    2014-06-04 11:41:20 [UTM25S] IPsec-SA established: ESP/Tunnel 82.198.195.15-82.198.200.3 with spi=1587539855(0x5e9fef8f)
    2014-06-04 11:41:20 [UTM25S] [CONNECT] IPsec-SA established: ESP/Tunnel 82.198.200.3-82.198.195.15 with spi=266534896(0xfe2fff0)
    2014-06-04 11:41:20 [UTM25S] IPsec-SA established: ESP/Tunnel 82.198.200.3-82.198.195.15 with spi=266534896(0xfe2fff0)
    2014-06-04 11:41:20 [UTM25S] Using IPsec SA configuration: 192.168.205.0/24-192.168.200.0/24
    2014-06-04 11:41:20 [UTM25S] Responding to new phase 2 negotiation: 82.198.195.15[0]=82.198.200.3[0]
    2014-06-04 11:41:20 [UTM25S] Sending Informational Exchange: notify payload[INITIAL-CONTACT]
    2014-06-04 11:41:20 [UTM25S] ISAKMP-SA established for 82.198.195.15[500]-82.198.200.3[500] with spi:31b2159e95d4fe8f:40857ef01c3da4a3
    2014-06-04 11:41:19 [UTM25S] DPD is Enabled
    2014-06-04 11:41:19 [UTM25S] Received Vendor ID: DPD
    2014-06-04 11:41:19 [UTM25S] Received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    2014-06-04 11:41:19 [UTM25S] Setting DPD Vendor ID
    2014-06-04 11:41:19 [UTM25S] Beginning Identity Protection mode.
    2014-06-04 11:41:19 [UTM25S] Initiating new phase 1 negotiation: 82.198.195.15[500]=82.198.200.3[500]
    2014-06-04 11:41:19 [UTM25S] Configuration found for 82.198.200.3.
    2014-06-04 11:41:19 [UTM25S] Using IPsec SA configuration: 192.168.205.0/24-192.168.200.0/24
    2014-06-04 11:41:07 [UTM25S] Adding IKE configuration with identifer "Tunnel TP-KBG"
    2014-06-04 11:41:07 [UTM25S] Adding IPSec configuration with identifier "Tunnel TP-KBG"

    In the log it says that the Phase 2 negotiation failed. But still, somehow, the tunnel is actually working? It isn't working perfectly, for that matter: we are experiencing massive packet loss on all communication over that router. I would assume that's some kind of routing issue, but I want to get that error in the log out of the way first before I tackle the next problem. Does anyone have an idea on this? Edit: Here are screenshots of the UTM25S' IKE and VPN policy:

    [screenshot: 3108.Clipboard01.png]
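    An added example, not code from the original post, from Netgear or from Watchguard: a small Python parser for the log lines quoted above (reproduced, abridged, as constructed sample input) that separates the ESP SAs that actually came up from the Quick Mode exchange that timed out. The diagnosis rule it encodes is an inference from the timestamps, not something the post states: the working tunnel's IPsec SAs come from the Phase 2 the peer initiated at 11:41:20 ("Responding to new phase 2"), while the Phase 2 the UTM25S itself initiated one second later under the same ISAKMP cookies (31b2159e95d4fe8f:40857ef01c3da4a3) is the one whose retransmits ran out at 11:42:21. The message texts and the five-second "crossed negotiation" window are assumptions made for this example.

```python
import re
from datetime import datetime

# Constructed sample input: an abridged copy of the UTM25S log lines quoted in the post,
# one entry per line (the post shows them run together, separated by "_").
SAMPLE_LOG = """\
2014-06-04 11:52:48 [UTM25S] DPD R-U-THERE-ACK sent to "82.198.200.3[500]"
2014-06-04 11:52:48 [UTM25S] DPD R-U-THERE received from "82.198.200.3[500]"
2014-06-04 11:42:21 [UTM25S] an undead schedule has been deleted: 'quick_i1prep'.
2014-06-04 11:42:21 [UTM25S] Phase 2 negotiation failed due to time up. 31b2159e95d4fe8f:40857ef01c3da4a3:eeaeb088
2014-06-04 11:42:11 [UTM25S] Unknown notify message from 82.198.200.3[500].No phase2 handle found.
2014-06-04 11:41:41 [UTM25S] Unknown notify message from 82.198.200.3[500].No phase2 handle found.
2014-06-04 11:41:21 [UTM25S] Unknown notify message from 82.198.200.3[500].No phase2 handle found.
2014-06-04 11:41:21 [UTM25S] Initiating new phase 2 negotiation: 82.198.195.15[0]=82.198.200.3[0]
2014-06-04 11:41:20 [UTM25S] [CONNECT] IPsec-SA established: ESP/Tunnel 82.198.195.15-82.198.200.3 with spi=1587539855(0x5e9fef8f)
2014-06-04 11:41:20 [UTM25S] IPsec-SA established: ESP/Tunnel 82.198.200.3-82.198.195.15 with spi=266534896(0xfe2fff0)
2014-06-04 11:41:20 [UTM25S] Using IPsec SA configuration: 192.168.205.0/24-192.168.200.0/24
2014-06-04 11:41:20 [UTM25S] Responding to new phase 2 negotiation: 82.198.195.15[0]=82.198.200.3[0]
2014-06-04 11:41:20 [UTM25S] ISAKMP-SA established for 82.198.195.15[500]-82.198.200.3[500] with spi:31b2159e95d4fe8f:40857ef01c3da4a3
2014-06-04 11:41:19 [UTM25S] Initiating new phase 1 negotiation: 82.198.195.15[500]=82.198.200.3[500]
"""

LINE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$')
SPI_RE = re.compile(r'spi=(\d+)\(0x[0-9a-f]+\)')
COOKIE_RE = re.compile(r'\b[0-9a-f]{16}:[0-9a-f]{16}\b')   # ISAKMP initiator:responder cookies


def parse(log_text):
    """Return (timestamp, device, message) tuples in chronological order.
    The UTM25S lists newest entries first; the sort below is stable, so entries that
    share a second keep their displayed order, which is enough for the counting here."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue   # blank or non-log line
        events.append((datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S'),
                       m.group(2), m.group(3)))
    events.sort(key=lambda e: e[0])
    return events


def summarize(log_text):
    """Collect the facts that matter for a Phase 2 post-mortem from one log window."""
    s = {
        'phase1_cookies': set(),    # ISAKMP SAs that reached 'established'
        'phase2_initiated': [],     # times this box started Quick Mode
        'phase2_responded': [],     # times the peer started Quick Mode
        'phase2_failed': [],        # (time, cookies) of Quick Mode exchanges that timed out
        'ipsec_sa_spis': set(),     # distinct ESP SPIs that came up (dedupes the [CONNECT] echoes)
        'no_phase2_handle': 0,      # notifies that matched no Quick Mode exchange
        'dpd_events': 0,            # R-U-THERE / R-U-THERE-ACK traffic (liveness, not errors)
    }
    for ts, _dev, msg in parse(log_text):
        if msg.startswith('ISAKMP-SA established'):
            c = COOKIE_RE.search(msg)
            if c:
                s['phase1_cookies'].add(c.group(0))
        elif msg.startswith('Initiating new phase 2'):
            s['phase2_initiated'].append(ts)
        elif msg.startswith('Responding to new phase 2'):
            s['phase2_responded'].append(ts)
        elif msg.startswith('Phase 2 negotiation failed'):
            c = COOKIE_RE.search(msg)
            s['phase2_failed'].append((ts, c.group(0) if c else None))
        elif 'IPsec-SA established' in msg:
            m = SPI_RE.search(msg)
            if m:
                s['ipsec_sa_spis'].add(int(m.group(1)))
        elif 'No phase2 handle found' in msg:
            s['no_phase2_handle'] += 1
        elif msg.startswith('DPD R-U-THERE'):
            s['dpd_events'] += 1
    return s


def diagnose(s, cross_window_s=5):
    """Turn the summary into findings. 'crossed_phase2_initiator_timeout' is the
    interpretation assumed by this example: both ends started Quick Mode within a few
    seconds of each other, the peer-initiated exchange produced the ESP SAs, and this
    box's own exchange (same ISAKMP cookies) ran out its retransmits. Traffic still
    flows over the peer's SAs, so the failure is cosmetic unless no SA came up at all."""
    findings = []
    if s['ipsec_sa_spis']:
        findings.append('ipsec_sa_up')
    for _ts, cookies in s['phase2_failed']:
        crossed = bool(cookies in s['phase1_cookies'] and s['ipsec_sa_spis'] and any(
            abs((ti - tr).total_seconds()) <= cross_window_s
            for ti in s['phase2_initiated'] for tr in s['phase2_responded']))
        if crossed:
            findings.append('crossed_phase2_initiator_timeout')
        elif s['ipsec_sa_spis']:
            findings.append('phase2_failed_after_sa')
        else:
            findings.append('phase2_failed_no_sa')   # a real outage: no ESP SA at all
    if s['no_phase2_handle']:
        findings.append('peer_notify_without_phase2_handle')
    if s['dpd_events']:
        findings.append('dpd_active')
    return findings


if __name__ == '__main__':
    summary = summarize(SAMPLE_LOG)
    print('ESP SPIs:', sorted(summary['ipsec_sa_spis']))
    print('findings:', diagnose(summary))
```

    The check worth keeping from this is the distinction between 'phase2_failed_no_sa' (no ESP SPI ever appeared, so the tunnel is really down) and a timeout that sits next to an established SA pair under the same Phase 1 cookies. The DPD lines at 11:52:48 are the peer probing and this box answering, which is liveness working as intended, not an error. None of this explains the packet loss the poster mentions; that needs a separate look at routing and MTU.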

    I started everything again yesterday, and the VPN seemed to hold (without me trying to use my iPhone). This morning everything was fine. Then I drove to my office, connected to the network there, and the tunnel crashed (no access to resources on the other side). You would think that the VPN status or log should show something, right? Well, there is nothing. The modem reports that it is connected, and the last entries in the log show "IPsec-SA established".

    First the solution: I followed DaneA's advice, deleted the VPN policies and set them up again with the Wizard. That worked, but every time, after a while, the connection would drop. I looked at the VPN logs, and I think I know what is going on, but I am not sure what the solution is.

    I believe you are referring to the SRX5308 having both a box-to-box IPsec VPN with the FVS318G and an L2TP VPN from your iPhone at the same time. The SRX5308 should be able to handle both VPN connections. Both VPN connections are dependent on the bandwidth you subscribe to with your ISP.

    [images: netgear-fwg114pv2-fwg114pv2-product-datasheet-139ff48_1_2d280782.png, VPN-Environment-Manager.png]

    It seems that the concern in your post is the same as in this forum thread. I will close this thread; kindly continue in the new thread you have created.

    In order to have control of both routers at the same time (I can't be in two locations at once), I decided to log into one of the routers through my iPhone (L2TP). I then went to the other site and ran the Wizard there as well.

    Netgear vpn phase 2 failed

    It therefore seems that the VPN tunnel between the 2 routers is stable until my iPhone breaks it. Is that possible? Can the router not maintain 2 different VPN tunnels at the same time? Why would the 2 tunnels interfere?

    The system seems to work fine when I boot up the system. SA lifetime is set to 28,800, VPN lifetime to 3,600. What I see is that the IPsec-SA expires about every hour (curiously, it seems to be every 48 minutes instead of 60) and renews without a problem (SRX IP replaced with x.x.x.x, FV IP replaced with y.y.y.y), read from the bottom up:

    The internal subnets for the two Netgear boxes have different IP ranges, 192.168.A.x and 192.168.B.x. The L2TP server is enabled and has a third range (from 192.168.C.100 to 192.168.C.120). The rest of the VPN channels were set up exactly as described in a document I found here for iPhone setups.
