corsasport.co.uk
 

Corsa Sport » Message Board » Off Day » Geek Day » Any networking geeks out there? NETGEAR FVS318.


New Topic

New Poll
  Subscribe | Add to Favourites

You are not logged in and may not post or reply to messages. Please log in or create a new account or mail us about fixing an existing one - register@corsasport.co.uk

There are also many more features available when you are logged in such as private messages, buddy list, location services, post search and more.


Author Any networking geeks out there? NETGEAR FVS318.
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 12:41   View User's Profile U2U Member Reply With Quote

I've got a Netgear FVS318 in two locations we shall call them Location A and Location B



Location A has got a static IP and Location B has not.

The router at Location A is configured as the VPN gateway and the router at Location B is setup to be a client.

The problem is the VPN just seems to randomly drop and then it wont come back to life unless something at Location A tries to communicate with something a Location B but the whole point of this setup is to allow Location A to see Location B (not visa-versa).. I dont have the option to have a static IP or use dynamic DNS at Location B.

Does anyone know how I can keep this bloody VPN open without the use of a PC that is pinging Location A all the time (as there will be no PC's at Location B)

[Edited on 13-10-2010 by DaveyLC]
Richie
Member

Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
13th Oct 10 at 13:03   View User's Profile U2U Member Reply With Quote

What does it connect into at either end? A server, firewall or switch?
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 13:05   View User's Profile U2U Member Reply With Quote

The Routers are VPN routers. they connect to them selves.
Richie
Member

Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
13th Oct 10 at 13:16   View User's Profile U2U Member Reply With Quote

I understand that but the VPN routers will have interfaces so that devices can utilise them? Surely you just dont have a VPN tunnel sat there doing feck all.

Only reason I say this is because if the router's internal interface on either end connects directly to a server or windows device, then make sure you turn off Power Management on the NIC interfaces.

The other thing you can do is use the VPN policy on the fvs318..... use the IKE policy config to keep the connection alive.
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 13:19   View User's Profile U2U Member Reply With Quote

There is a CCTV DVR at the other end and a WIFI AP.

The VPN settings are pretty limited There is an IKE Lifetime setting.
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 13:22   View User's Profile U2U Member Reply With Quote

P.S. its an FVS318v1
Richie
Member

Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
13th Oct 10 at 13:24   View User's Profile U2U Member Reply With Quote

http://www.vpnc.org/InteropProfiles/FVS318-profile.pdf

That should help you set it up, set the SA time to 64800 (18 hours)
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 13:25   View User's Profile U2U Member Reply With Quote

Cheers Richie but thats a v3 though

I've got "Key Life" (currently 8 hours) and "IKE Lifetime" (currently 24 hours).

[Edited on 13-10-2010 by DaveyLC]
Richie
Member

Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
13th Oct 10 at 13:31   View User's Profile U2U Member Reply With Quote

I've just seen the v1 instructions as well, somewhat shitter!

I take it the local and remote identifiers are set to the WAN IP of each router? I guess you would have a difficult time doing this if you don't have a static IP on site B?
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 13:33   View User's Profile U2U Member Reply With Quote

I'm not even sure what the remote/local IP Sec Identifiers are for, they can be anything not just an IP, I've got them setup as names of the locations.. The remote IP is further down.

The VPN works perfectly, even NETBIOS is working over the link but it keeps dropping off and wont reconnect until I try and access something on Location A from Location B

I dont think the later firmware is compatible either
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 13:36   View User's Profile U2U Member Reply With Quote

Hmm I might try bumping those timeouts up to 48 hours.
Richie
Member

Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
13th Oct 10 at 13:37   View User's Profile U2U Member Reply With Quote

That would suggest that the keep alive isnt working properly then.

The local and remote IPsec fields are supposed to be the external addresses of each router to perform the keep alive.

You are also supposed to configure both of them to respond to ping over the wan port as part of the keep alive setup
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 13:42   View User's Profile U2U Member Reply With Quote

The Local/Remote IPSec Identifier is just an identifier according to the crappy manual.
Richie
Member

Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
13th Oct 10 at 13:46   View User's Profile U2U Member Reply With Quote

Copied all this from the Netgear site - would have linked you to the page but it contains all the crap about the v3 as well

Same principles apply but the guide applied for connecting different versions Ie the v1 to v3, so all may not be applicable.


Setting up the FVS318v1 or v2
On the FVS318v1/v2, click on VPN Settings on the left menu panel.




Select one of the unused slots and click Edit. The VPN Settings page will display.



a) For Connection Name, enter a descriptive name.

b) For Local IPSec Identifier, enter the WAN IP address of the FVS318v1/v2.

c) For Remote IPSec Identifier, enter the WAN IP address of the FVS318v3.

d) Select a subnet of local address for Tunnel can be accessed from. Enter the FVS318v1/v2’s LAN IP subnet and subnet mask for Local LAN start IP Address and Local LAN IP Subnetmask.

e) Select a subnet of remote address for Tunnel can access. Enter the FVS318v3’s LAN IP subnet and subnet mask for Remote LAN start IP Address and Remote LAN IP Subnetmask.

f) Enter the FVS318v3’s WAN IP address for Remote WAN IP or FQDN.

g) Select Main Mode for Secure Association.

h) Select Enabled for Perfect Forward Secrecy.

i) Select 3DES for Encryption Protocol.

j) Enter the same pre-shared key used when setting up the FVS318v3 for PreShared Key.

Leave 28800 Seconds as Key Life.

Leave 86400 Seconds as IKE Life Time.

k) Click the box for NETBIOS Enable.

l) Click Apply.

Testing the VPN
To test the VPN, from a system behind the FVS318v3, ping a system behind the FVS318v1/v2. Ping is a diagnostics tool for checking network connectivity available on Microsoft Windows systems and other operating systems. On Microsoft Windows systems, open the command prompt and type “ping <ip address>”. In our example, type “ping 192.168.3.1”. If the VPN tunnel is up, ping should receive replies. The first few ICMP may drop since it may take a few packets to establish the VPN tunnel. However, once the VPN tunnel is established, ping should receive replies consistently.

You can also check VPN status in the VPN status window.

(Note that the FVS318's VPN status does not change to 'active' until traffic has actually been sent across the VPN connection.)

From the FVS318v3, click on VPN Status on the left menu panel. The VPN Status/Log page will display. Click on the VPN Status button to show the VPN status window. The IPSec Connection Status window should show the VPN policy to be established on both Phrase 1 and Phrase 2.



From the FVS318v1/v2, click on Router Status on the left menu panel. On the Router Status page, click on the Show VPN Status button. The Router VPN Status window will display. The VPN Policy should show the VPN Policy to be established on both Phrase 1 (P1) and Phrase 2 (P2).



Troubleshooting
1) If VPN is not established, first make sure you have general network connectivity between the routers. Enable both routers to response to ping on Internet WAN port (FVS318v3 in the Rules menu, FVS318v1/v2 in the Ports menu), make sure you can ping the WAN IP address of the FVS318v3 from the FVS318v1 and vise versa. If the router has dynamic IP, make sure the IP being specified in the VPN policy is the same IP currently assigned to the route’s WAN Interface (from the Router Status menu). If you are using FQDN in the VPN policy, make sure the FQDN does resolve to the correct IP address.

Double check VPN settings on both routers and make sure they match. Some parameters to check are the pre-shared key (it is case sensitive), remote and local identifier, encryption and authentication algorithms, exchange mode (main or aggressive mode) and if PFS is enabled on one side, it must be enabled on the other side.

2) If VPN is shown established but you cannot access resource over VPN tunnel, first make sure the source you try to access is accessible from the router where the resource is located. Trying pinging the resource from the Diagnostics page of the router where the resource is located. If you are using name, try accessing it by IP address. Make sure the resource doesn’t have firewall software or IP filter installed. If all fails, try disabling PFS on the VPN policies (must be done on both routers).

3) If you cannot ping the FVS318v3’s LAN interface IP from the LAN of the FVS318v1/v2 over VPN, that is normal. Instead use an IP address belongs to a system on the LAN of the FVS318v3 for testing.

4) If you need to contact Netgear Technical Support for assistant, it is always helpful if you can provide the configuration files of the routers. From the Backup Settings menu, you can backup the router’s configuration into a file. When we try to review the configuration file, we will need the same password on the router when the file is created. So make sure the router has a password you can tell us when you back up the configuration. If you have DHCP disabled in the router, you also need to provide us the LAN IP address of the router.


[Edited on 13-10-2010 by Richie]
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 13:53   View User's Profile U2U Member Reply With Quote

Right I've changed my Local/Remote IPSec ID's to the local and remote (internal) router IP's as in the example

VPN has re-activated, will see how long she lasts.

Cheers
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 13:59   View User's Profile U2U Member Reply With Quote

I spoke to soon, it wont re-connect

VPN Status on Location A was saying "Inactive" but VPN Status on Location B was saying "Active" (Connected).. Stupid bloody thing.

[Edited on 13-10-2010 by DaveyLC]
Richie
Member

Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
13th Oct 10 at 14:14   View User's Profile U2U Member Reply With Quote

The example used the external facing addresses?
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 14:23   View User's Profile U2U Member Reply With Quote

Sorry thought a 10.1.1.x address would be a local one
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 15:29   View User's Profile U2U Member Reply With Quote

Well Its behaved its self for over an hour..
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
13th Oct 10 at 16:03   View User's Profile U2U Member Reply With Quote

Gone again.. fucking piece of shit.
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
14th Oct 10 at 09:23   View User's Profile U2U Member Reply With Quote

Bodged it Setup the WIFI AP at Location B to use a Log Server and told it the router at Location A was the log server so its always trying to send it data (even though it will just ignore it) which will keep the connection open.
Richie
Member

Registered: 3rd Dec 02
Location: Newport, Wales
User status: Offline
14th Oct 10 at 12:06   View User's Profile U2U Member Reply With Quote

Tidy.

Lesson learned? Don't use Netgear
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
14th Oct 10 at 12:38   View User's Profile U2U Member Reply With Quote

Cost me less than £30 for the pair though
DaveyLC
Member

Registered: 8th Oct 08
Location: Berkshire
User status: Offline
18th Oct 10 at 08:31   View User's Profile U2U Member Reply With Quote

Richie, I dont suppose you've got any idea why I cant forward ports accross the WLAN?

 
New Topic

New Poll

  Related Threads Author Forum Replies Views Last Post
Netgear Adsl Router 54mbps DG834G Trucido Parts Offered 7 1292
18th Sep 04 at 17:24
by Trucido
 
Wireless Router WATSON Geek Day 11 779
2nd Mar 07 at 00:41
by WATSON
 
what router? IvIarkgraham Geek Day 10 813
22nd Jan 09 at 22:36
by Andrew
 
Reccomend me a new Wireless Router. gianluigi Geek Day 15 881
30th Jan 09 at 15:18
by pow
 
New wireless router. csweatherston Geek Day 9 582
2nd Aug 09 at 17:19
by James_DT
 

Corsa Sport » Message Board » Off Day » Geek Day » Any networking geeks out there? NETGEAR FVS318. 28 database queries in 0.0237370 seconds