Solved
Site to site VPN problem between Netgear FVG318 and Sonicwall TZ170
Posted on 2008-10-12
Hi, I am having a problem setting up a site-to-site VPN between a Netgear FVG318 box and a Sonicwall TZ170.
I have followed the manuals of both appliances but failed all the time. I have also found a Sonicwall KB article describing the trick to set up a VPN between a Netgear FVS318 and a Sonicwall box, but that didn't fix my problem.
Any help would be much appreciated.
Please find below the details of my configuration and the error logs on both routers.
Please feel free to let me know if you need more information.
1. Settings on Sonicwall TZ170
Model: TZ 170 enhanced
Firmware version: SonicOS enhanced 3.1.0.11-30e
Basic network setting:
WAN IP: 60.x.x.147
LAN IP: 192.168.0.1/255.255.255.0
General VPN setting:
"NAT Traversal" disabled.
"IKE Dead Peer Detection" disabled.
"Enable Fragmented Packet Handling" enabled
Security Policy:
IPSec keying mode: IKE using preshared secret
Name: VPN-sonic
Ipsec Primary gateway name or address: 201.x.x.26
Ipsec Secondary gateway name or address: 0.0.0.0
Shared secret: 0123456789
Local IKE ID (optional): (I left it blank)
Peer IKE ID (optional): (I left it blank)
Local network: 192.168.0.0/255.255.255.0
Remote network: 192.168.200.0/255.255.255.0
IKE (Phase 1) Proposal:
Exchange: main mode
DH Group: group 2
Encryption: 3DES
Authentication: SHA1
Life time(seconds): 28800
IPsec (Phase 2) Proposal:
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
DH group: group 2
Life time (seconds): 28800
Perfect Forward Secrecy: Enabled
Advanced settings:
Enable keep alive: enabled
2. Settings on Netgear FVG318 :
Model: I reckon this is a FVG318 V2 from the version of firmware
Firmware version: v2.1.2-67R
Basic network setting:
WAN IP: 201.x.x.26
LAN IP: 192.168.200.1
IKE Policy settings:
Direction type: both
Exchange mode: main
Local identifier type: local WAN IP
Local identifier: 201.x.x.26
Remote identifier type: remote WAN IP
Remote identifier: 60.x.x.147
IKE SA Parameters:
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
Authentication method: Pre-shared key
Pre-shared Key: 0123456789
DH group: group 2
SA-lifetime (sec): 28800
VPN Policy:
Policy type: Auto policy
Remote endpoint: (IP address) 60.x.x.26
Local IP type: subnet
Local network: 192.168.200.0/255.255.255.0
Remote IP type: subnet
Remote network: 192.168.0.0/255.255.255.0
Auto Policy Parameters:
SA lifetime 28800 seconds
Encryption Algorithm: 3DES
Integrity Algorithm: SHA-1
PFS key group: DH group 2, enabled
3. VPN log on FVG318:
2008-10-13 : INFO: accept a request to establish IKE-SA: 60.x.x.26
2008-10-13 : INFO: Configuration found for 60.x.x.26.
2008-10-13 : INFO: Initiating new phase 1 negotiation: 201.x.x.147[500]<=>60.x.x.26[500]
2008-10-13 : INFO: Beginning Identity Protection mode.
2008-10-13 : ERROR: Invalid SA protocol type: 0
2008-10-13 : ERROR: Phase 2 negotiation failed due to time up waiting for phase1.
2008-10-13 : ERROR: Phase 1 negotiation failed due to time up for 60.x.x.26[500].
4. VPN log on TZ170:
VPN IKE IKE Initiator: No response - remote party timeout
VPN IKE IKE Initiator: No response - remote party timeout
VPN IKE IKE Initiator: Start Main Mode negotiation (Phase 1)
VPN IKE IKE negotiation aborted due to timeout
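
An added example, not part of the original post: a small Python cross-check of the two configurations as transcribed above, listing every setting on which the peers disagree (peer address symmetry, mirrored subnets, pre-shared key, Phase 1 and Phase 2 proposals). The dictionary keys are names chosen for this sketch rather than the devices' own field names, and masked octets are compared as text.

```python
# Added example: values transcribed from the post; dictionary keys are names
# made up for this sketch, not the devices' own field names.
# Masked octets ("x") are compared as text, so a match on a masked address
# only shows that the visible parts agree.
SONICWALL = {
    "name": "SonicWall", "wan_ip": "60.x.x.147", "peer_gateway": "201.x.x.26",
    "psk": "0123456789",
    "local_net": "192.168.0.0/255.255.255.0",
    "remote_net": "192.168.200.0/255.255.255.0",
    "p1": {"exchange": "main mode", "dh": "group 2", "enc": "3DES",
           "auth": "SHA1", "lifetime": 28800},
    "p2": {"enc": "3DES", "auth": "SHA1", "pfs": "group 2", "lifetime": 28800},
}
NETGEAR = {
    "name": "Netgear", "wan_ip": "201.x.x.26", "peer_gateway": "60.x.x.26",
    "psk": "0123456789",
    "local_net": "192.168.200.0/255.255.255.0",
    "remote_net": "192.168.0.0/255.255.255.0",
    "p1": {"exchange": "main", "dh": "group 2", "enc": "3DES",
           "auth": "SHA-1", "lifetime": 28800},
    "p2": {"enc": "3DES", "auth": "SHA-1", "pfs": "group 2", "lifetime": 28800},
}

def norm(value):
    """Fold vendor spelling differences (SHA-1/SHA1, 'main mode'/'main')."""
    return str(value).lower().replace("-", "").replace(" mode", "").strip()

def compare(a, b):
    """Return (check, left_value, right_value) for each setting that disagrees."""
    an, bn = a["name"], b["name"]
    checks = [
        (f"{an} peer_gateway vs {bn} wan_ip", a["peer_gateway"], b["wan_ip"]),
        (f"{bn} peer_gateway vs {an} wan_ip", b["peer_gateway"], a["wan_ip"]),
        (f"{an} local_net vs {bn} remote_net", a["local_net"], b["remote_net"]),
        (f"{an} remote_net vs {bn} local_net", a["remote_net"], b["local_net"]),
        ("pre-shared key", a["psk"], b["psk"]),
    ]
    # Phase 1 (IKE) and Phase 2 (IPsec) proposals must agree field by field.
    for phase in ("p1", "p2"):
        for field in sorted(set(a[phase]) | set(b[phase])):
            checks.append((f"{phase}.{field}", a[phase].get(field), b[phase].get(field)))
    return [(name, x, y) for name, x, y in checks if norm(x) != norm(y)]

if __name__ == "__main__":
    for name, x, y in compare(SONICWALL, NETGEAR):
        print(f"MISMATCH {name}: {x!r} != {y!r}")
```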