No traffic over IPSEC VPN (Cisco RV042, Netgear FVS318)
Posted on 2014-07-12
I've been having this vexing problem for months. So far, I've tried everything, and things have only gotten worse. But why?
- Basically, I can establish an IPSEC VPN tunnel, but no traffic flows through. Sound familiar?
Here are my parameters:
- I have two sites, one with cable internet (Comcast), the other with DSL (AT&T U-Verse).
- I've experimented with two types of routers - Cisco RV042, and Netgear FVS318N. For both types, I've gone through several firmware upgrades. The symptoms have always been consistently THE SAME.
- The VPN tunnels are properly configured. I would think so, since when they "work", they work for days, weeks at a time. As I said, the connection used to be even more stable, and it got worse since we switched to U-Verse. Before, we had a crappy DSL connection (bad wiring, fixed when we switched to U-Verse), but it seemed more stable.
- When the VPN "god" is in a good mood, it doesn't matter what I do, it just works. I can reboot the router (not modem) as many times as I want - it will reconnect like a charm. (With either router, as they are interchangeable at this point).
- When in a bad mood, it won't route traffic (although connected), no matter how many times I reboot, and how long I take the router down (power down).
- It doesn't matter whether in the process I just reboot the router, or I reconfigure the VPN (different encryption, or any other parameter). It doesn't matter whether I disable the policies and re-enable them.
- While this is happening, I can generally connect using a software VPN client. Right now, I'm using VPN Tracker on my Mac, and it connects every time.
- The only thing that apparently "fixes" it is turning off the AT&T DSL modem for 10 minutes or longer. It's unclear whether this must be followed by a router reboot - not enough testing to be definitive. Just rebooting the AT&T modem through the software or manually followed by a power down of less than 5 minutes will NEVER fix the connection - just the 10 minutes or longer apparently consistently does so. Once fixed, the VPN will stay up for days, but lately, much shorter intervals. Last I rebooted, it went down after less than 10 hours.
- It used to be that it appeared a disruption in the AT&T modem internet connection (I would see the red light) would trigger an "event", but I replaced the modem yesterday (now an Arris, previously Motorola), and it doesn't appear that the internet went down when the VPN did last night (yes, I have a monitoring tool - PRTG Monitor).
So, it looks like I'm stuck... I'm adding a snippet of the VPN log, but I don't personally see anything there. Any ideas? Could AT&T be blocking the traffic somehow?
Sat Jul 12 18:30:28 2014 (GMT +0000): [FVS318N] [IKE] INFO: Sending Informational Exchange: notify payload
Sat Jul 12 18:30:23 2014 (GMT +0000): [FVS318N] [IKE] INFO: Sending Informational Exchange: notify payload
Sat Jul 12 18:30:23 2014 (GMT +0000): [FVS318N] [IKE] INFO: Purged IPsec-SA with proto_id=ESP and spi=267626774(0xff3a916).
Sat Jul 12 18:30:23 2014 (GMT +0000): [FVS318N] [IKE] INFO: Purged IPsec-SA with proto_id=ESP and spi=4020218(0x3d57fa).
Sat Jul 12 18:30:23 2014 (GMT +0000): [FVS318N] [IKE] INFO: an undead schedule has been deleted: 'pk_recvupdate'.
Sat Jul 12 18:30:22 2014 (GMT +0000): [FVS318N] [IKE] INFO: IPsec-SA established: ESP/Tunnel 126.96.36.199->188.8.131.52 with spi=194129535(0xb922e7f)
Sat Jul 12 18:30:22 2014 (GMT +0000): [FVS318N] [IKE] INFO: IPsec-SA established: ESP/Tunnel 184.108.40.206->220.127.116.11 with spi=172509254(0xa484846)
Sat Jul 12 18:30:22 2014 (GMT +0000): [FVS318N] [IKE] INFO: Using IPsec SA configuration: 192.168.168.0/24<->192.168.169.0/24
Sat Jul 12 18:30:22 2014 (GMT +0000): [FVS318N] [IKE] INFO: Responding to new phase 2 negotiation: 18.104.22.168<=>22.214.171.124