Solved

Site to site VPN problem between Netgear FVG318 and Sonicwall TZ170

Posted on 2008-10-12
9
3 solutions
11,375 Views
Last Modified: 2013-11-16
Hi, I am having problem to setup site to site VPN between a Netgear FVG318 box and Sonicwall TZ170.
I have followed the manuals of both appliances but failed all the time. I have also searched out a KB article of Sonicwall talking about the trick to setup VPN between Netgear FVS318 and Sonicwall box but that didnt fix my problem.

Any help would be much appreciated.
 
Please find following the details of my configuration and the error logs on both routers as well.
Please feel free to let me know if you need more information.

1. Settings on Sonicwall TZ170
Model: TZ 170 enhanced
Firmware version: SonicOS enhanced 3.1.0.11-30e
Basic network setting:
  WAN IP: 60.x.x.147
  LAN IP: 192.168.0.1/255.255.255.0
General VPN setting:
  "NAT Traversal"  disabled.
  "IKE Dead Peer Detection"  disabled.
  "Enable Fragmented Packet Handling"  enabled
Security Policy:
  IPSec keying mode: IKE using preshared secret
  Name: VPN-sonic
  Ipsec Primary gateway name or address: 201.x.x.26
  Ipsec Secondary gateway name or address: 0.0.0.0
  Shared secret: 0123456789
  Local IKE ID (optional):(I left it blank)
  Peer IKE ID (optional): ( I left it blank)
Local network: 192.168.0.0/255.255.255.0
Remote network: 192.168.200.0/255.255.255.0
IKE (Phase 1) Proposal:
  Exchange: main mode
  DH Group: group 2
  Encryption: 3DES
  Authentication: SHA1
  Life time(seconds): 28800
Ipsec (phase 2) proposal
  Protocol: ESP
  Encryption: 3DES
  Authentication: SHA1
  DH group: group 2
  Life time (seconds): 28800
  Perfect Forward Secrecy: Enabled
Advanced settings:
  Enable keep alive: enabled

2. Settings on Netgear FVG318 :
Model: I reckon this is a FVG318 V2 from the version of firmware
Firmware version: v2.1.2-67R
Basic network setting:
  WAN IP: 201.x.x.26
  LAN IP: 192.168.200.1

IKE Policy settings:
  Direction type: both
  Exchange mode: main
  Local identifier type: local WAN IP
  Local identifier: 201.x.x.26
  Remote identifier type: remote WAN IP
  Remote identifier: 60.x.x.147
IKE SA Parameters:
  Encryption Algorithm: 3DES
  Authentication Algorithm: SHA-1
  Authentication method: Pre-shared key
  Pre-shared Key: 0123456789
  DH group: group 2
  SA-lifetime (sec): 28800
VPN Policy:
  Policy type: Auto policy
  Remote endpoint: (IP address) 60.x.x.26
  Local IP type: subnet
  Local network: 192.168.200.0/255.255.255.0
  Remote IP type: subnet
  Remote network: 192.168.0.0/255.255.255.0
Auto Policy Parameters:
  SA lifetime 28800 seconds
  Encryption Algorithm: 3DES
  Intergirty Algorithm: SHA-1
  PFS key group: DH group 2, enabled

3. VPN log on FVG318:
2008-10-13 : INFO:  accept a request to establish IKE-SA: 60.x.x.26
2008-10-13 : INFO:  Configuration found for 60.x.x.26.
2008-10-13 : INFO:  Initiating new phase 1 negotiation: 201.x.x.147[500]<=>60.x.x.26[500]
2008-10-13 : INFO:  Beginning Identity Protection mode.
2008-10-13 : ERROR:  Invalid SA protocol type: 0
2008-10-13 : ERROR:  Phase 2 negotiation failed due to time up waiting for phase1.
2008-10-13 : ERROR:  Phase 1 negotiation failed due to time up for 60.x.x.26[500].

4.VPN log on TZ170
VPN IKE      IKE Initiator: No response - remote party timeout      
VPN IKE      IKE Initiator: No response - remote party timeout      
VPN IKE      IKE Initiator: Start Main Mode negotiation (Phase 1)      
VPN IKE      IKE negotiation aborted due to timeout      

0
Comment
Question by:brothertu
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Join The Community
  • 4
  • 3
9 Comments
 
LVL 63

Assisted Solution

by:SysExpert
SysExpert earned 100 total points
ID: 22702535
1)  make sure you have the latest firmware on both

2) make sure the public IPs are pingable.

3) It looks good from the config point, but it could be a minor item messing it up.


I hope this helps !
0
 
LVL 32

Assisted Solution

by:dpk_wal
dpk_wal earned 150 total points
ID: 22703841
The logs you have posted indicate not even the phase I of the VPN negotiation is not going through.

This can possible mean mismatch of one of: pre-shared key; mode [main or aggressive]; incorrect public IP specification at one of the ends; hashing/authentication algorithm.

Further on sonicwall, you have:

>>   Local IKE ID (optional):(I left it blank)
>>  Peer IKE ID (optional): ( I left it blank)
For local IKE ID put the WAN IP of Sonicwall; for Peer put public IP of Netgear.

Please check and update.

Thank you.
0
 
LVL 1

Author Comment

by:brothertu
ID: 22710173
Thanks lot for your reply.
Some more background:
The head office is using a static WAN IP which is 60.x.x.147. A ADSL modem is in front of the Sonicwall and it was configured as bridge mode.
 The branch B is getting IP dynamicaly via PPPOE on the Netgear router, which is '201.x.x.26" at the moment. A cable modem is in front of the Netgear box. I am not able to access that modem but I think it was also configured as bridge mode because the Netgear is getting WAN IP via PPPOE directly.

To answer your questions:
Sysexpert:
The Sonicwall is pingable but not the Netgear one. I can remotely access Netgear box though.

Dpk wal:
I have done that before I posted the question but it didn't make any difference. So I just left it blank because they are "optional".
What warried me much is the error log on Netgear side: "ERROR:  Invalid SA protocol type: 0" which indicates the mismatch of those things you mentioned. I have checked on both sites but could find any mismatch.

I am wondering if it's the dynamic IP problem on the Netgear side even though the IP address on Netgear has not been changed.
A question in my mind is: would it be possible that the VPN can detect  the Netgear's IP type is dynamic?

0
Everything You Need to Know about Petya 2.0

Get an overview of the what, when and how of Petya 2.0  from our threat analyst Marc Labilerte, as well as a look at how WatchGuard Total Security Suite protected our customers from the recent attack!

Tell me more!
 
LVL 1

Accepted Solution

by:
brothertu earned 0 total points
ID: 22710754
The VPN is working now!
What I did is to change the WAN IP to FQDN name and the Netgear has been configured a ddns name so as to do this.

I'd like to assign the points to someone who can give some explanations on why it didn't work with IP address even if the IP didn't change on Netgear box. Because in my understanding, the dynamic IP can be treated as a static one as long as it keep the same.

Many thanks.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22711710
As the IP address was dynamic; there is a possibility that the IP address changed between the time you configured the router and when the VPN tunnel was negotiated; as you have ddns this would mean that whatever the IP address it would always be reachable through the name.
Normally when you configure VPN with dynamic IP; the VPN would come up but would go down when the IP address changes,

Other than this I cannot think of any other reason.

Thank you.
0
 
LVL 1

Author Comment

by:brothertu
ID: 22716636
Hi Dpk wal,
The IP address hasn't been changed on the Netgear box since after the configuration done as the modem has been running with no reboot since then.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 22717854
I have no logical explanation to offer for this behavior.
0
 
LVL 1

Author Comment

by:brothertu
ID: 22811218
Hi Moderator,
Sorry, I didn't mean to choose their posts as solutions though I'd like to assign points to them.
The comment I posted at 14th of October shoud be the right solution for my case.
I wonder if you could help me out with this.
Many thanks.
0

Featured Post

Turn Insights Into Action

You’ve already invested in ITSM tools, chat applications, automation utilities, and more. Fortify these solutions with intelligent communications so you can drive business processes forward.

With xMatters, you'll never miss a beat.

Get a Free Trial
Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using Policy Based Routing (PBR) with SonicWALL firewall and Websense Gateway.
Article by: amatson78
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
Spamhaus DROP list implementation for Windows Advanced Firewall
Article by: Shaun
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Setup Mikrotik routers with OSPF… Part 1
Video by: Dirk
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Setup Mikrotik routers with OSPF… Part 3
Video by: Dirk
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Advertise Here

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Advertise Here