DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
I've got a Netgear FVS318 in two locations we shall call them Location A and Location B
Location A has got a static IP and Location B has not.
The router at Location A is configured as the VPN gateway and the router at Location B is setup to be a client.
The problem is the VPN just seems to randomly drop and then it won't come back to life unless something at Location A tries to communicate with something at Location B, but the whole point of this setup is to allow Location A to see Location B (not vice versa). I don't have the option to have a static IP or use dynamic DNS at Location B.
Does anyone know how I can keep this bloody VPN open without the use of a PC that is pinging Location A all the time (as there will be no PCs at Location B)?
[Edited on 13-10-2010 by DaveyLC]
|
Richie
Member
Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
|
What does it connect into at either end? A server, firewall or switch?
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
The routers are VPN routers. They connect to themselves.
|
Richie
Member
Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
|
I understand that, but the VPN routers will have interfaces so that devices can utilise them? Surely you just don't have a VPN tunnel sat there doing feck all.
Only reason I say this is because if the router's internal interface on either end connects directly to a server or windows device, then make sure you turn off Power Management on the NIC interfaces.
The other thing you can do is use the VPN policy on the fvs318..... use the IKE policy config to keep the connection alive.
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
There is a CCTV DVR at the other end and a WIFI AP.
The VPN settings are pretty limited. There is an IKE Lifetime setting.
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
P.S. it's an FVS318v1
|
Richie
Member
Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
|
http://www.vpnc.org/InteropProfiles/FVS318-profile.pdf
That should help you set it up, set the SA time to 64800 (18 hours)
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
Cheers Richie, but that's a v3 though.
I've got "Key Life" (currently 8 hours) and "IKE Lifetime" (currently 24 hours).
[Edited on 13-10-2010 by DaveyLC]
|
Richie
Member
Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
|
I've just seen the v1 instructions as well, somewhat shitter!
I take it the local and remote identifiers are set to the WAN IP of each router? I guess you would have a difficult time doing this if you don't have a static IP on site B?
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
I'm not even sure what the remote/local IPSec Identifiers are for; they can be anything, not just an IP. I've got them set up as names of the locations. The remote IP is further down.
The VPN works perfectly, even NETBIOS is working over the link, but it keeps dropping off and won't reconnect until I try and access something on Location A from Location B.
I don't think the later firmware is compatible either.
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
Hmm I might try bumping those timeouts up to 48 hours.
|
Richie
Member
Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
|
That would suggest that the keep alive isn't working properly then.
The local and remote IPsec fields are supposed to be the external addresses of each router to perform the keep alive.
You are also supposed to configure both of them to respond to ping over the wan port as part of the keep alive setup
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
The Local/Remote IPSec Identifier is just an identifier according to the crappy manual.
|
Richie
Member
Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
|
Copied all this from the Netgear site - would have linked you to the page but it contains all the crap about the v3 as well
Same principles apply, but the guide applied for connecting different versions, i.e. the v1 to v3, so all may not be applicable.
Setting up the FVS318v1 or v2
On the FVS318v1/v2, click on VPN Settings on the left menu panel.
Select one of the unused slots and click Edit. The VPN Settings page will display.
a) For Connection Name, enter a descriptive name.
b) For Local IPSec Identifier, enter the WAN IP address of the FVS318v1/v2.
c) For Remote IPSec Identifier, enter the WAN IP address of the FVS318v3.
d) Select a subnet of local address for Tunnel can be accessed from. Enter the FVS318v1/v2’s LAN IP subnet and subnet mask for Local LAN start IP Address and Local LAN IP Subnetmask.
e) Select a subnet of remote address for Tunnel can access. Enter the FVS318v3’s LAN IP subnet and subnet mask for Remote LAN start IP Address and Remote LAN IP Subnetmask.
f) Enter the FVS318v3’s WAN IP address for Remote WAN IP or FQDN.
g) Select Main Mode for Secure Association.
h) Select Enabled for Perfect Forward Secrecy.
i) Select 3DES for Encryption Protocol.
j) Enter the same pre-shared key used when setting up the FVS318v3 for PreShared Key.
Leave 28800 Seconds as Key Life.
Leave 86400 Seconds as IKE Life Time.
k) Click the box for NETBIOS Enable.
l) Click Apply.
Testing the VPN
To test the VPN, from a system behind the FVS318v3, ping a system behind the FVS318v1/v2. Ping is a diagnostics tool for checking network connectivity available on Microsoft Windows systems and other operating systems. On Microsoft Windows systems, open the command prompt and type “ping <ip address>”. In our example, type “ping 192.168.3.1”. If the VPN tunnel is up, ping should receive replies. The first few ICMP may drop since it may take a few packets to establish the VPN tunnel. However, once the VPN tunnel is established, ping should receive replies consistently.
You can also check VPN status in the VPN status window.
(Note that the FVS318's VPN status does not change to 'active' until traffic has actually been sent across the VPN connection.)
From the FVS318v3, click on VPN Status on the left menu panel. The VPN Status/Log page will display. Click on the VPN Status button to show the VPN status window. The IPSec Connection Status window should show the VPN policy to be established on both Phase 1 and Phase 2.
From the FVS318v1/v2, click on Router Status on the left menu panel. On the Router Status page, click on the Show VPN Status button. The Router VPN Status window will display. The VPN Policy should show the VPN Policy to be established on both Phase 1 (P1) and Phase 2 (P2).
Troubleshooting
1) If VPN is not established, first make sure you have general network connectivity between the routers. Enable both routers to respond to ping on the Internet WAN port (FVS318v3 in the Rules menu, FVS318v1/v2 in the Ports menu), and make sure you can ping the WAN IP address of the FVS318v3 from the FVS318v1 and vice versa. If the router has a dynamic IP, make sure the IP being specified in the VPN policy is the same IP currently assigned to the router’s WAN Interface (from the Router Status menu). If you are using an FQDN in the VPN policy, make sure the FQDN does resolve to the correct IP address.
Double check VPN settings on both routers and make sure they match. Some parameters to check are the pre-shared key (it is case sensitive), remote and local identifier, encryption and authentication algorithms, exchange mode (main or aggressive mode) and if PFS is enabled on one side, it must be enabled on the other side.
2) If VPN is shown established but you cannot access a resource over the VPN tunnel, first make sure the resource you try to access is accessible from the router where the resource is located. Try pinging the resource from the Diagnostics page of the router where the resource is located. If you are using a name, try accessing it by IP address. Make sure the resource doesn’t have firewall software or an IP filter installed. If all fails, try disabling PFS on the VPN policies (must be done on both routers).
3) If you cannot ping the FVS318v3’s LAN interface IP from the LAN of the FVS318v1/v2 over VPN, that is normal. Instead use an IP address that belongs to a system on the LAN of the FVS318v3 for testing.
4) If you need to contact Netgear Technical Support for assistance, it is always helpful if you can provide the configuration files of the routers. From the Backup Settings menu, you can back up the router’s configuration into a file. When we try to review the configuration file, we will need the same password that was on the router when the file was created. So make sure the router has a password you can tell us when you back up the configuration. If you have DHCP disabled in the router, you also need to provide us the LAN IP address of the router.
[Edited on 13-10-2010 by Richie]
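As an added example (not from the thread, Netgear or the FVS318 firmware): a small Python check that compares the two routers' VPN policy fields from the guide above and flags the mismatches the troubleshooting section lists, plus the slip later in the thread of putting a private 10.1.1.x address in an IPSec Identifier field where the guide wants the WAN IP. All addresses and the key are constructed sample values.

```python
import ipaddress

# Fields mirror the FVS318v1/v2 VPN Settings page from the guide.
# Constructed sample values: the thread never shows the real config.
LOCATION_A = {
    "local_id": "203.0.113.10", "remote_id": "10.1.1.1",  # the 10.1.1.x slip
    "local_lan": "192.168.1.0/24", "remote_lan": "192.168.3.0/24",
    "mode": "Main", "pfs": True, "encryption": "3DES",
    "psk": "CorrectHorse", "key_life": 28800, "ike_life": 86400,
}
LOCATION_B = {
    "local_id": "198.51.100.20", "remote_id": "203.0.113.10",
    "local_lan": "192.168.3.0/24", "remote_lan": "192.168.1.0/24",
    "mode": "Main", "pfs": False, "encryption": "3DES",
    "psk": "correcthorse", "key_life": 28800, "ike_life": 86400,
}

# RFC 1918 ranges: an identifier in one of these is a LAN address, not a WAN IP.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(value):
    """True if value parses as an IPv4 address inside a private RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # names are allowed as identifiers, so no complaint here
    return any(addr in net for net in RFC1918)

def check_pair(a, b):
    """Return the list of mismatches between two FVS318 VPN policies."""
    problems = []
    # Identifiers must cross: A's local is B's remote and vice versa.
    if a["local_id"] != b["remote_id"] or b["local_id"] != a["remote_id"]:
        problems.append("identifiers do not cross-match")
    # The guide wants WAN IPs here; a LAN address will not match behind NAT.
    for side, cfg in (("A", a), ("B", b)):
        for field in ("local_id", "remote_id"):
            if is_rfc1918(cfg[field]):
                problems.append(f"{side}.{field}={cfg[field]} is a private LAN address")
    # LAN subnets must cross-match too, or traffic never selects the tunnel.
    if a["local_lan"] != b["remote_lan"] or b["local_lan"] != a["remote_lan"]:
        problems.append("LAN subnets do not cross-match")
    # Exact comparison: the guide warns the pre-shared key is case sensitive.
    if a["psk"] != b["psk"]:
        problems.append("pre-shared key differs (case sensitive)")
    # PFS, mode, cipher and lifetimes must be identical on both sides.
    for field in ("mode", "pfs", "encryption", "key_life", "ike_life"):
        if a[field] != b[field]:
            problems.append(f"{field} differs: A={a[field]} B={b[field]}")
    return problems
```

Running `check_pair(LOCATION_A, LOCATION_B)` on the sample above reports the crossed identifiers, the private 10.1.1.1 identifier, the PSK case difference and the PFS mismatch; an empty list means the two policies agree on every field the guide says must match.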
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
Right, I've changed my Local/Remote IPSec IDs to the local and remote (internal) router IPs as in the example.
VPN has re-activated, will see how long she lasts.
Cheers
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
I spoke too soon, it won't re-connect.
VPN Status on Location A was saying "Inactive" but VPN Status on Location B was saying "Active" (Connected).. Stupid bloody thing.
[Edited on 13-10-2010 by DaveyLC]
|
Richie
Member
Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
|
The example used the external facing addresses?
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
Sorry thought a 10.1.1.x address would be a local one
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
Well, it's behaved itself for over an hour..
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
Gone again.. fucking piece of shit.
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
Bodged it. Set up the WIFI AP at Location B to use a Log Server and told it the router at Location A was the log server, so it's always trying to send it data (even though it will just ignore it), which will keep the connection open.
|
Richie
Member
Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
|
Tidy.
Lesson learned? Don't use Netgear
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
Cost me less than £30 for the pair though
|
DaveyLC
Member
Registered: 8th Oct 08
Location: Berkshire
User status: Offline
|
Richie, I don't suppose you've got any idea why I can't forward ports across the WLAN?
|