Trouble with Netgear FVS114 establishing VPN

I have three Netgear FVS114 FW v1.0 VPN Firewall Routers that I have set up at different locations with an Aggressive - Both Directions "gateway-to-gateway" IPSEC VPN connection between them. I am using fully qualified domain names as IDs for the three gateways.

There are two issues I am experiencing:

  1. When any of the FVS114s are configured with an IKE and VPN policy they will run for 30 minutes to an hour (with the tunnel functioning), at which point they will lock up so that they will not respond to pings from the LAN or the WAN side, will not pass data on the LAN or to the WAN, and cannot be logged into via the administration page.

  2. While the VPN tunnel functions on initial configuration of the policies, when the FVS114 is rebooted (either by soft reboot from the administration page or by pulling the power cord after the FVS114 has locked up) the VPN tunnel is not reestablished. If I try to edit the IKE policy after a restart I get an error message: "ERROR: no matching policy found".

These two problems occur on all three FVS114s.

I realize this might not be the best group to post this question but I am getting little help from the Netgear forum and no help as of today from Netgear Support.

Reply to
Beer Guy

Netgear, Dlink, Linksys - low end Taiwanese networking products - are all considered pretty pokey for anything more than basic networking functions. They tend to have issues when you push them too hard; this is especially true of VPN products. I've seen some of the specs on Netgear VPN products and would not recommend them in any sort of "needs to be working smoothly 99.9% of the time" scenario.

This is the difference between low end products trying to be something they aren't, and better quality products with a lot more experience in the field.

If you want it to work reliably you need to move to a more professional product (ie, Sonicwall, Juniper, etc).

Reply to
Mark

Well, every time I've come across them they've fallen over, particularly under load or in difficult scenarios where routing and NAT in the way breaks the IPSEC tunnels. They showed up particularly badly when connected to a bigger appliance such as a Netscreen or Sonicwall - which would usually overwhelm the Netgear, resulting in either a lockup or just plain packet loss. The unit specified has a 200 MHz CPU, no VPN accelerator... you can imagine how that would handle under load.

Reply to
Mark

I have used Linksys BEFVP41 units and Netgear VPN units many times without any problems to make a site-to-site VPN connection for remote users. We even hang one off a spare IP to tunnel into our firewall and then pass 20GB files through it back and forth just to test them - done for weeks at a time - didn't see any issues with using a 4 Mbps IPsec connection in site-to-site mode during the weeks-long testing.

If I had my choice I would have purchased a firewall appliance, but it was good to test these very low end units.

Reply to
Leythos

I set up ours to connect back to a WatchGuard Firebox III or II or X series as a dedicated VPN appliance. The WatchGuard subnets are always different than the remote network subnet (internal). So, if I use 192.168.10.x/24 and 192.168.11.x/24 for the WG, I would use 192.168.128.0/24 for the first remote VPN end-point's network, then 129+ for each additional. Never have the remote LAN with the same subnet as the local.

We have users doing Domain Logins and passing all their work all day across them, so there has got to be some other issue on your end.

Reply to
Leythos
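The subnet rule in the reply above (local LANs must never overlap any remote LAN, first remote site gets 192.168.128.0/24, then 129 and up) is easy to get wrong across a three-gateway mesh like the one in the question. The following is an added example, not code from the thread or from Netgear, that checks a site plan for overlapping LANs and allocates the next free /24 the way the reply describes; the site names and the "bad_site" entry are constructed for illustration.

```python
import ipaddress
from typing import Dict, List

# Constructed to match the reply: the two LANs behind the WatchGuard and the
# /24 handed to the first remote VPN endpoint.
LOCAL_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24"]
FIRST_REMOTE = ipaddress.ip_network("192.168.128.0/24")
PRIVATE_RANGE = ipaddress.ip_network("192.168.0.0/16")


def overlaps(net_a: str, net_b: str) -> bool:
    """True if the two IPv4 networks share at least one address."""
    return ipaddress.ip_network(net_a).overlaps(ipaddress.ip_network(net_b))


def check_site_plan(sites: Dict[str, List[str]]) -> List[str]:
    """Return a problem line for every pair of sites whose LANs overlap.

    Every pair is compared, not just each spoke against a hub, because the
    question describes a gateway-to-gateway mesh between three routers, so
    each LAN must be unique across all peers for the IPsec selectors to work.
    """
    problems = []
    names = sorted(sites)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in sites[a]:
                for nb in sites[b]:
                    if overlaps(na, nb):
                        problems.append(f"{a} {na} overlaps {b} {nb}")
    return problems


def next_remote_subnet(sites: Dict[str, List[str]]) -> str:
    """Pick the next unused /24 starting at 192.168.128.0/24 and stepping
    up through 129, 130, ... past any /24 already assigned to a site."""
    used = [ipaddress.ip_network(n) for nets in sites.values() for n in nets]
    candidate = FIRST_REMOTE
    while any(candidate.overlaps(u) for u in used):
        # Advance to the following /24 (network address + 256).
        candidate = ipaddress.ip_network((int(candidate.network_address) + 256, 24))
        if not candidate.subnet_of(PRIVATE_RANGE):
            raise ValueError("no free /24 left in 192.168.0.0/16")
    return str(candidate)


if __name__ == "__main__":
    # "bad_site" reuses the hub's LAN: the exact mistake the reply warns about.
    plan = {"hq": LOCAL_SUBNETS, "site_a": ["192.168.128.0/24"],
            "bad_site": ["192.168.10.0/24"]}
    for problem in check_site_plan(plan):
        print("problem:", problem)
    print("next remote subnet:", next_remote_subnet(plan))  # 192.168.129.0/24
```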
