ChrisHelvey

Netgear Router to Router VPN
Firstly:
I am 2500 miles away from either router, so I do NOT have physical access.
I DO have administrative access to both routers via browser.

We have two Netgear routers – Main branch has a UTM5 and remote branch has FVS338.
We have had a typical VPN between these two for a long time. The settings are as follows and were created with the Netgear VPN wizard.

Main branch:
Public IP= 216.153.170.86 (static) and Private IP=192.168.0.1/255.255.255.0

Remote IP = 99.23.53.182 (static) and Private IP=10.1.0.1/255.255.0.0  (yes, class B)

Our UTM5 had severely outdated firmware and was consistently becoming unresponsive every few weeks. Per recommendation (lots of people complained about this), I upgraded the firmware this weekend. No troubles there. Everything appeared to be back up, including the VPN (IPSec established.) I thought all was well.

Today, no traffic can go between the subnets, but the VPN shows as established.

Thinking this could be an issue with an also very old firmware in the FVS318, I updated its firmware as well. Same issue.

I then deleted the VPN configuration from both sides and rebuilt them using the Netgear wizard, using defaults and just plugging in my IP details.

Again, the link comes up, showing established, but I cannot ping anything on the other side (say, the router at 10.1.0.1 or a JetDirect printer at 10.1.100.6.)

I have rebooted both routers numerous times.
I have tried both enabling and disabling Dead Peer Detection on both ends.
Any ideas? This is all since the update. Should I go back to the previous image or am I missing something? (I’m afraid to go backwards because I fear I would permanently lose my connection to the router.) I saw something about a mode config record, but don’t know what that is. Also, probably because the VPN is not all the way up, I do not see a route in the table for the other end.

Please help!

Here are Logs:

UTM5 WITHOUT DPD enabled:

2013-03-25 13:57:52      [UTM5] [CONNECT] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=37423574(0x23b09d6)_
2013-03-25 13:57:52      [UTM5] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=37423574(0x23b09d6)_
2013-03-25 13:57:51      [UTM5] [CONNECT] IPsec-SA established: ESP/Tunnel 99.23.53.182->216.153.170.86 with spi=3408810(0x3403aa)_
2013-03-25 13:57:51      [UTM5] IPsec-SA established: ESP/Tunnel 99.23.53.182->216.153.170.86 with spi=3408810(0x3403aa)_
2013-03-25 13:57:50      [UTM5] Initiating new phase 2 negotiation: 216.153.170.86[0]<=>99.23.53.182[0]_
2013-03-25 13:57:50      [UTM5] Configuration found for 99.23.53.182._
2013-03-25 13:57:50      [UTM5] Using IPsec SA configuration: 192.168.0.0/24<->10.1.0.0/16_
2013-03-25 13:57:34      [UTM5] ISAKMP-SA established for 216.153.170.86[500]-99.23.53.182[500] with spi:5d6a91db38a4f303:354af4cd5511e159_
2013-03-25 13:57:34      [UTM5] NAT not detected _
2013-03-25 13:57:34      [UTM5] NAT-D payload matches for 99.23.53.182[500]_
2013-03-25 13:57:34      [UTM5] NAT-D payload matches for 216.153.170.86[500]_
2013-03-25 13:57:34      [UTM5] Received Vendor ID: KAME/racoon_
2013-03-25 13:57:33      [UTM5] Setting DPD Vendor ID_
2013-03-25 13:57:33      [UTM5] For 99.23.53.182[500], Selected NAT-T version: RFC XXXX_
2013-03-25 13:57:33      [UTM5] DPD is Enabled_   (NOTE FROM ME – THIS REALLY IS DISABLED.)

2013-03-25 13:57:33      [UTM5] Received Vendor ID: DPD_
2013-03-25 13:57:33      [UTM5] Received Vendor ID: RFC XXXX_
2013-03-25 13:57:33      [UTM5] Beginning Identity Protection mode._
2013-03-25 13:57:33      [UTM5] Received request for new phase 1 negotiation: 216.153.170.86[500]<=>99.23.53.182[500]_
2013-03-25 13:57:33      [UTM5] local port: 500_
2013-03-25 13:57:33      [UTM5] Configuration found for 99.23.53.182[500]._
2013-03-25 13:57:30      [UTM5] Purged IPsec-SA with proto_id=ESP and spi=259435029(0xf76aa15)._
2013-03-25 13:57:30      [UTM5] Purged IPsec-SA with proto_id=ESP and spi=110247779(0x6923f63)._
2013-03-25 13:57:30      [UTM5] an undead schedule has been deleted: 'pk_recvupdate'._
2013-03-25 13:57:30      [UTM5] an undead schedule has been deleted: 'pk_recvupdate'._
2013-03-25 13:57:30      [UTM5] Sending Informational Exchange: delete payload[]_
2013-03-25 13:57:30      [UTM5] [CONNECT] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=110247779(0x6923f63)_
2013-03-25 13:57:30      [UTM5] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=110247779(0x6923f63)_
2013-03-25 13:57:30      [UTM5] [CONNECT] IPsec-SA established: ESP/Tunnel 99.23.53.182->216.153.170.86 with spi=259435029(0xf76aa15)_
2013-03-25 13:57:30      [UTM5] IPsec-SA established: ESP/Tunnel 99.23.53.182->216.153.170.86 with spi=259435029(0xf76aa15)_
2013-03-25 13:57:30      [UTM5] [CONNECT] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=155119288(0x93eeeb8)_
2013-03-25 13:57:30      [UTM5] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=155119288(0x93eeeb8)_
2013-03-25 13:57:30      [UTM5] [CONNECT] IPsec-SA established: ESP/Tunnel 99.23.53.182->216.153.170.86 with spi=248478454(0xecf7af6)_
2013-03-25 13:57:30      [UTM5] IPsec-SA established: ESP/Tunnel 99.23.53.182->216.153.170.86 with spi=248478454(0xecf7af6)_
2013-03-25 13:57:29      [UTM5] Using IPsec SA configuration: 192.168.0.0/24<->10.1.0.0/16_
2013-03-25 13:57:29      [UTM5] Responding to new phase 2 negotiation: 216.153.170.86[0]<=>99.23.53.182[0]_
2013-03-25 13:57:28      [UTM5] Initiating new phase 2 negotiation: 216.153.170.86[0]<=>99.23.53.182[0]_
2013-03-25 13:57:27      [UTM5] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2013-03-25 13:57:27      [UTM5] ISAKMP-SA established for 216.153.170.86[500]-99.23.53.182[500] with spi:17a8aa2a88c32178:2e72a2f726ccb75a_
2013-03-25 13:57:27      [UTM5] NAT not detected _
2013-03-25 13:57:27      [UTM5] NAT-D payload matches for 99.23.53.182[500]_
2013-03-25 13:57:27      [UTM5] NAT-D payload matches for 216.153.170.86[500]_
2013-03-25 13:57:27      [UTM5] Received Vendor ID: KAME/racoon_
2013-03-25 13:57:26      [UTM5] For 99.23.53.182[500], Selected NAT-T version: RFC XXXX_
2013-03-25 13:57:26      [UTM5] Received Vendor ID: KAME/racoon_

FVS318 WITHOUT DPD enabled:

2013 Mar 25 13:57:52 [FVS338] [IKE] IPsec-SA established: ESP/Tunnel 99.23.53.182->216.153.170.86 with spi=3408810(0x3403aa)_
2013 Mar 25 13:57:52 [FVS338] [IKE] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=37423574(0x23b09d6)_
2013 Mar 25 13:57:50 [FVS338] [IKE] Using IPsec SA configuration: 10.1.0.0/16<->192.168.0.0/24_
2013 Mar 25 13:57:50 [FVS338] [IKE] Responding to new phase 2 negotiation: 99.23.53.182[0]<=>216.153.170.86[0]_
2013 Mar 25 13:57:34 [FVS338] [IKE] ISAKMP-SA established for 99.23.53.182[500]-216.153.170.86[500] with spi:5d6a91db38a4f303:354af4cd5511e159_
2013 Mar 25 13:57:34 [FVS338] [IKE] NAT not detected _
2013 Mar 25 13:57:34 [FVS338] [IKE] NAT-D payload matches for 216.153.170.86[500]_
2013 Mar 25 13:57:34 [FVS338] [IKE] NAT-D payload matches for 99.23.53.182[500]_
2013 Mar 25 13:57:34 [FVS338] [IKE] Received Vendor ID: KAME/racoon_
2013 Mar 25 13:57:33 [FVS338] [IKE] For 216.153.170.86[500], Selected NAT-T version: RFC XXXX_
2013 Mar 25 13:57:33 [FVS338] [IKE] Received Vendor ID: KAME/racoon_
2013 Mar 25 13:57:33 [FVS338] [IKE] DPD is Enabled_
2013 Mar 25 13:57:33 [FVS338] [IKE] Received Vendor ID: DPD_
2013 Mar 25 13:57:33 [FVS338] [IKE] Received Vendor ID: RFC XXXX_
2013 Mar 25 13:57:30 [FVS338] [IKE] Purged IPsec-SA with proto_id=ESP and spi=155119288(0x93eeeb8)._
2013 Mar 25 13:57:30 [FVS338] [IKE] Purged IPsec-SA with proto_id=ESP and spi=248478454(0xecf7af6)._
                - Last output repeated twice -
2013 Mar 25 13:57:30 [FVS338] [IKE] an undead schedule has been deleted: 'pk_recvupdate'._
2013 Mar 25 13:57:30 [FVS338] [IKE] Sending Informational Exchange: delete payload[]_
2013 Mar 25 13:57:30 [FVS338] [IKE] IPsec-SA established: ESP/Tunnel 99.23.53.182->216.153.170.86 with spi=248478454(0xecf7af6)_
2013 Mar 25 13:57:30 [FVS338] [IKE] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=155119288(0x93eeeb8)_
2013 Mar 25 13:57:30 [FVS338] [IKE] IPsec-SA established: ESP/Tunnel 99.23.53.182->216.153.170.86 with spi=259435029(0xf76aa15)_
2013 Mar 25 13:57:30 [FVS338] [IKE] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=110247779(0x6923f63)_
2013 Mar 25 13:57:29 [FVS338] [IKE] Using IPsec SA configuration: 10.1.0.0/16<->192.168.0.0/24_
2013 Mar 25 13:57:29 [FVS338] [IKE] Responding to new phase 2 negotiation: 99.23.53.182[0]<=>216.153.170.86[0]_
2013 Mar 25 13:57:28 [FVS338] [IKE] Initiating new phase 2 negotiation: 99.23.53.182[0]<=>216.153.170.86[0]_
2013 Mar 25 13:57:27 [FVS338] [IKE] Sending Informational Exchange: notify payload[INITIAL-CONTACT]_
2013 Mar 25 13:57:27 [FVS338] [IKE] ISAKMP-SA established for 99.23.53.182[500]-216.153.170.86[500] with spi:17a8aa2a88c32178:2e72a2f726ccb75a_
2013 Mar 25 13:57:26 [FVS338] [IKE] NAT not detected _
2013 Mar 25 13:57:26 [FVS338] [IKE] NAT-D payload matches for 216.153.170.86[500]_
2013 Mar 25 13:57:26 [FVS338] [IKE] NAT-D payload matches for 99.23.53.182[500]_
2013 Mar 25 13:57:26 [FVS338] [IKE] Received Vendor ID: KAME/racoon_
2013 Mar 25 13:57:26 [FVS338] [IKE] Setting DPD Vendor ID_
2013 Mar 25 13:57:26 [FVS338] [IKE] For 216.153.170.86[500], Selected NAT-T version: RFC XXXX_
2013 Mar 25 13:57:26 [FVS338] [IKE] DPD is Enabled_
2013 Mar 25 13:57:26 [FVS338] [IKE] Received Vendor ID: DPD_
2013 Mar 25 13:57:26 [FVS338] [IKE] Received Vendor ID: RFC XXXX_
2013 Mar 25 13:57:26 [FVS338] [IKE] Beginning Identity Protection mode._
2013 Mar 25 13:57:26 [FVS338] [IKE] Received request for new phase 1 negotiation: 99.23.53.182[500]<=>216.153.170.86[500]_
2013 Mar 25 13:57:26 [FVS338] [IKE] Configuration found for 216.153.170.86[500]._
2013 Mar 25 13:57:23 [FVS338] [IKE] Setting DPD Vendor ID_
2013 Mar 25 13:57:23 [FVS338] [IKE] Beginning Identity Protection mode._
2013 Mar 25 13:57:23 [FVS338] [IKE] Initiating new phase 1 negotiation: 99.23.53.182[500]<=>216.153.170.86[500]_
2013 Mar 25 13:57:23 [FVS338] [IKE] Configuration found for 216.153.170.86._
2013 Mar 25 13:57:23 [FVS338] [IKE] Using IPsec SA configuration: 10.1.0.0/16<->192.168.0.0/24_

Sanga Collins

I cannot say I have experience with your specific devices, but from setting up many VPNs over the years, I think you may have a problem with routing.

Since the VPN link is showing status up, what are the results if you run a traceroute from your side of the network to an IP address on the other side of the VPN?

If the traceroute goes out to the internet then we know that route statements are missing or incorrect.

ChrisHelvey (ASKER)

Packets drop at my side of the router. The route should automatically be built when phase 2 comes up, but there is no route in the table. Manually putting the route in the table will not work though. There is something wrong with the VPN even though it says "up."

Thanks for your comment.

Just for clarification. This is the routing table on the UTM5 side:
The route for 10.240.1.0/24 is a manual route to send those packets to a different router - not related.

Interface     Destination     Netmask           Gateway         Metric
WAN1          216.153.170.1   255.255.255.255   0.0.0.0         0
defaultVlan   192.168.0.0     255.255.255.0     0.0.0.0         0
defaultVlan   10.240.1.0      255.255.255.0     192.168.0.3     10
WAN1          216.153.170.0   255.255.255.0     0.0.0.0         0
defaultVlan   38.97.0.0       255.255.0.0       192.168.0.3     10
WAN1          default         0.0.0.0           216.153.170.1   0


On the UTM5 side, there should be a route to send traffic to the VPN tunnel.

VPN   10.1.0.1    255.255.0.0   0.0.0.0   0

Yes, there should be indeed.

You may want to check on the opposite side as well. If there is no route pointing back to the UTM5, the traffic will not return to your main office.
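The check suggested above (Phase 2 is up, so does the routing table actually send the remote subnet into the tunnel?) can be done mechanically. This is an added example, not code from the thread or from Netgear; it parses the posted UTM5 routing table and the "Using IPsec SA configuration" log line, and assumes the tunnel interface is named "VPN" as in the suggested route.

```python
import ipaddress
import re

# Constructed sample: the UTM5 routing table as posted in the thread
# (interface, destination, netmask, gateway, metric).
UTM5_ROUTES = """\
WAN1        216.153.170.1  255.255.255.255  0.0.0.0        0
defaultVlan 192.168.0.0    255.255.255.0    0.0.0.0        0
defaultVlan 10.240.1.0     255.255.255.0    192.168.0.3    10
WAN1        216.153.170.0  255.255.255.0    0.0.0.0        0
defaultVlan 38.97.0.0      255.255.0.0      192.168.0.3    10
WAN1        default        0.0.0.0          216.153.170.1  0
"""

# Constructed excerpt of the UTM5 IKE log lines quoted in the question.
UTM5_LOG = """\
2013-03-25 13:57:52 [UTM5] IPsec-SA established: ESP/Tunnel 216.153.170.86->99.23.53.182 with spi=37423574(0x23b09d6)
2013-03-25 13:57:50 [UTM5] Using IPsec SA configuration: 192.168.0.0/24<->10.1.0.0/16
"""


def parse_routes(text):
    """Return (iface, network, gateway, metric) tuples; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        iface, dst, mask, gw, metric = line.split()
        dst = "0.0.0.0" if dst == "default" else dst
        routes.append((iface, ipaddress.ip_network(f"{dst}/{mask}", strict=False), gw, int(metric)))
    return routes


def best_route(routes, target):
    """Longest-prefix match, i.e. the route the forwarding plane would actually use."""
    host = ipaddress.ip_address(target)
    hits = [r for r in routes if host in r[1]]
    return max(hits, key=lambda r: r[1].prefixlen, default=None)


def negotiated_selectors(log):
    """(local, remote) traffic selectors agreed in Phase 2, or None if no Phase 2 line."""
    m = re.search(r"Using IPsec SA configuration: (\S+)<->(\S+)", log)
    return (ipaddress.ip_network(m[1]), ipaddress.ip_network(m[2])) if m else None


def diagnose(routes_text, log_text, target, vpn_iface="VPN"):
    """One of 'no-phase2', 'no-route', 'route-bypasses-vpn', 'ok'.
    vpn_iface is the assumed tunnel interface name (the suggested route in the thread uses 'VPN')."""
    sel = negotiated_selectors(log_text)
    if sel is None or ipaddress.ip_address(target) not in sel[1]:
        return "no-phase2"   # IKE never agreed a selector that covers the target
    r = best_route(parse_routes(routes_text), target)
    if r is None or r[1].prefixlen == 0:
        return "no-route"    # only the default route matches: packets go out WAN1, not the tunnel
    return "ok" if r[0] == vpn_iface else "route-bypasses-vpn"
```

With the table as posted, a ping to 10.1.100.6 is classified "no-route" (it would follow the default route to the ISP), which is exactly what a traceroute escaping to the internet would show; adding the "VPN 10.1.0.0 255.255.0.0" route turns the result into "ok".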



None there either - that's the problem, they should automatically be built.

I can't say specifically for Netgear UTM5 routers, but from what I can remember, when using the VPN wizard it should prompt you for the local IP address and the remote LAN IP address. Did this not happen when creating your tunnel?

If you manually add the routes, does the VPN work as expected? I'll check on some Netgear forums to better understand how the VPN setup works so I can give you more precise answers.

ASKER CERTIFIED SOLUTION
ChrisHelvey (ASKER)
