Re: Trouble with Netgear FVS114 establishing VPN

From: Leythos (void_at_nowhere.lan)
Date: 08/19/05


Date: Fri, 19 Aug 2005 11:54:10 GMT

In article <4305585c$0$16262$bb4e3ad8@newscene.com>,
nothere@notthere.com says...
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d6f1474f56aaeec989c5f@news-server.columbus.rr.com...
> > In article <4305486f$0$16199$bb4e3ad8@newscene.com>,
> > nothere@notthere.com says...
> >> "Beer Guy" <joseph@mylifeisbeer.com> wrote in message
> >> news:1124295868.407966.95230@z14g2000cwz.googlegroups.com...
> >> >I have three Netgear FVS114 FW v1.0 VPN Firewall Routers that I have
> >> > set up at different locations with an Aggressive - Both Directions
> >> > "gateway-to-gateway" IPSEC VPN connection between them. I am using
> >> > fully qualified domain names as IDs for the three gateways.
> >> >
> >> > There are two issues I am experiencing:
> >> >
> >> > 1. When any of the FVS114s are configured with an IKE and VPN policy
> >> > they will run for 30 minutes to an hour (with the tunnel functioning),
> >> > at which point they will lock up so that they will not respond to pings
> >> > from the LAN or the WAN side, will not pass data on the LAN or to the
> >> > WAN, and cannot be logged into via the administration page.
> >> >
> >> > 2. While the VPN tunnel functions on initial configuration of the
> >> > policies, when the FVS114 is rebooted (either by soft reboot from the
> >> > administration page or by pulling the power cord after the FVS114 has
> >> > locked up) the VPN tunnel is not reestablished. If I try to edit the
> >> > IKE policy after a restart I get an error message: "ERROR: no
> >> > matching policy found".
> >> >
> >> > These two problems occur on all three FVS114s.
> >> >
> >> > I realize this might not be the best group to post this question but I
> >> > am getting little help from the Netgear forum and no help as of today
> >> > from Netgear Support.
> >> >
> >>
> >> Netgear, Dlink, Linksys - low end Taiwanese networking products - are all
> >> considered pretty pokey for anything more than basic networking
> >> functions. They tend to have issues when you push them too hard; this is
> >> especially true of VPN products. I've seen some of the specs on Netgear
> >> VPN products and would not recommend them in any sort of "needs to be
> >> working smoothly 99.9% of the time" scenario.
> >>
> >> This is the difference between low end products trying to be something
> >> they aren't, and better quality products with a lot more experience in
> >> the field.
> >>
> >> If you want it to work reliably you need to move to a more professional
> >> product (ie, Sonicwall, Juniper, etc).
> >
> > I have used Linksys BEFVP41 units and Netgear VPN units many times
> > without any problems to make a site-to-site VPN connection for remote
> > users. We even hang one off a spare IP to tunnel into our firewall and
> > then pass 20GB files through it back and forth just to test them - done
> > for weeks at a time - didn't see any issues with using a 4mbps IPsec
> > connection in site-to-site mode during the weeks long testing.
> >
> > If I had my choice I would have purchased a firewall appliance, but it
> > was good to test these very low end units.
> >
>
> Well, every time I've come across them they've fallen over, particularly under
> load or in difficult scenarios where routing and NAT in the way breaks the
> IPSEC tunnels. They showed up particularly badly when connected to a bigger
> appliance such as a Netscreen or Sonicwall - which would usually overwhelm
> the Netgear, resulting in either a lockup or just plain packet loss. The unit
> specified has a 200MHz CPU, no VPN accelerator... you can imagine how that
> would handle under load.

I set up ours to connect back to a WatchGuard Firebox III, II or X
series as a dedicated VPN appliance. The WatchGuard subnets are always
different than the remote network subnet (internal). So, if I use
192.168.10.x/24 and 192.168.11.x/24 for the WG I would use
192.168.128.0/24 for the first remote VPN end-point's network, then 129+
for each additional. Never have the remote LAN with the same subnet as
the local.

We have users doing Domain Logins and passing all their work all day
across them, so there has got to be some other issue on your end.

-- 
spam999free@rrohio.com
remove 999 in order to email me
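As an added illustration of the subnet planning described in the post above (example code written for this page, not from anyone in the thread and not from Netgear or WatchGuard): it checks that the head-end and remote-site networks never overlap, and hands out 192.168.128.0/24, then 129, 130 and so on to successive remote sites, skipping any block already in use. The head-end subnets and the pool boundaries are constructed sample values based on the numbers in the post; they are assumptions, not anything the thread specifies beyond its example addresses.

```python
"""Plan non-overlapping site-to-site VPN subnets and verify a plan before
any IKE/VPN policy is written. Added example; not code from the thread.

Assumptions (constructed for this example): the head-end side owns
192.168.10.0/24 and 192.168.11.0/24; remote sites receive /24 blocks
starting at 192.168.128.0/24 and counting upward to 192.168.255.0/24.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPv4Net = ipaddress.IPv4Network

# Head-end (local) networks from the post, used here as constructed sample input.
HEAD_END_SUBNETS = [IPv4Net("192.168.10.0/24"), IPv4Net("192.168.11.0/24")]

# Remote pool: the first remote site takes .128, later sites take .129, .130, ...
REMOTE_POOL_START = IPv4Net("192.168.128.0/24")
REMOTE_POOL_END = IPv4Net("192.168.255.0/24")  # assumed upper bound of the pool


def overlapping_pairs(subnets: Iterable[IPv4Net]) -> List[Tuple[IPv4Net, IPv4Net]]:
    """Return every pair of subnets that overlap, including the case where one
    is a subset of the other. An empty list means each tunnel end has a
    distinct route and no "remote LAN same as local" collision exists."""
    nets = list(subnets)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def allocate_remote_subnets(count: int, in_use: Iterable[IPv4Net]) -> List[IPv4Net]:
    """Hand out `count` /24 blocks from the remote pool in ascending order,
    skipping any candidate that overlaps a network already in use (head-end
    subnets or blocks given to earlier remote sites)."""
    taken = list(in_use)
    result: List[IPv4Net] = []
    candidate = REMOTE_POOL_START
    while len(result) < count:
        if candidate.network_address > REMOTE_POOL_END.network_address:
            raise ValueError("remote /24 pool exhausted")
        if not any(candidate.overlaps(t) for t in taken):
            result.append(candidate)
            taken.append(candidate)
        # Step to the next /24 by advancing the network address by 256 hosts.
        candidate = IPv4Net(f"{candidate.network_address + 256}/24")
    return result


if __name__ == "__main__":
    remotes = allocate_remote_subnets(3, HEAD_END_SUBNETS)
    print("remote site subnets:", [str(n) for n in remotes])
    print("collisions in good plan:", overlapping_pairs(HEAD_END_SUBNETS + remotes))
    # A remote site configured with the head-end's own /24 is caught before
    # the tunnel is ever brought up.
    bad_plan = HEAD_END_SUBNETS + [IPv4Net("192.168.10.0/24")]
    print("collisions in bad plan:", overlapping_pairs(bad_plan))
```

Run it as a script to see a three-site plan and the collision report; the overlap check deliberately uses `overlaps()` rather than equality so that a remote LAN configured as a wider block (a /16 containing the head-end /24, for example) is flagged as well, since that breaks routing just as surely as an identical subnet.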

