
IPSEC VPN connection to Netgear Prosafe VPN FVS114 - connects but stops pinging after a few seconds

I am trying to replace my Watchguard XTM505 VPN Firewall with an XG125

I have updated firmware etc. (SFOS 16.05.7 MR-7)

The branch office device is a Netgear Prosafe VPN FVS114

I have had a VPN setup between the Watchguard and the Netgear for years.

I can hook the Watchguard back up and the VPN fires up no issues.

I am trying to leave the branch office settings alone for now

I have followed the online help and support articles to my best ability

  mainly the How to set up S2S IPSEC VPN and Troubleshooting VPN Tunnel articles

 

I can activate and connect the VPN

I can ping a PC on the branch office for around 10 pings +/- if I ping right away.

After that, pings time out.

 

The Sophos Log

The Branch Office Log

The Phase 1 setting on Branch Office

Phase 2 Branch Office settings

Sophos screen shots

Thank you in advance



This thread was automatically locked due to age.
  • Hi Jake,


    Did you check the PFS / DH settings?


    On Sophos I can see

    Phase1: 2 / Phase2: None


    On the netgear:

    Phase 1: cannot see the image / Phase 2: 1


    Max

  • Hi Max,

     

    On the Netgear you have to check the box to the left to have the PFS in play

    The PFS Key Group "Group 1 (768 Bit)" is the setting that would be in play if the box were checked

    I checked my settings on the working Watchguard box.

    The PFS checkbox is not checked there.

     

    I appreciate the suggestion though.

     

    To see the images you have to save the pictures to your PC and open them with a viewer.

    The images are very clear before I upload them

    I must not be doing something right with the blog software for inserting pictures

    Although I have trouble seeing pictures in other users' posts too.

  • I was wrong about saving pictures for better view

    Don't know why the .png files get so poor when uploading

     

    Try these jpg versions

    SOPHOS LOG

    NETGEAR PHASE 1

    NETGEAR PHASE 2

  • Now we can see the images. Key lifetime is wrong or not?

     

    Sophos Phase 1: 28800 / Phase2: 3600

    Netgear Phase 1: 86400 / Phase2: 28800

     

    Max

  • I played around with the key life time with no success but I will try again and make sure they match

    I can only fire up the Sophos after 5 and on weekend

     

    My "guess" at what the key life means is:

    the key life time was just when a rekey would occur and that they don't have to match

    When the key life ended on either end a rekey would occur

     

    Can you help me better understand the use of the key life for phase 1 and phase 2?

  • Thanks Max,

     

    Changing the key life to match on phase 2 did the trick

    I can now ping non-stop

    The key life did not have to be the same for phase 1 but I will make them the same to avoid any goofy stuff that might crop up later.

     

    My guess, based on the entries in the 2 logs, is the handshake for phase 2 requires that the key lives match

     

    Thanks again
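The mismatches Max and Jake worked through (PFS group, Phase 1 and Phase 2 key lifetimes) are the kind of thing worth checking mechanically before bringing a tunnel up. The checker below is an added example, not code from the thread or from Sophos or Netgear; it compares the two peers' proposals and reports disagreements, using the values quoted in the posts as constructed sample data (the Netgear Phase 1 DH group is not visible in the thread, so group 2 is an assumption).

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class IpsecPeer:
    """One side's IKEv1 proposal, reduced to the fields discussed in the thread."""
    name: str
    p1_lifetime: int             # Phase 1 (IKE SA) key lifetime, seconds
    p2_lifetime: int             # Phase 2 (IPsec SA) key lifetime, seconds
    p1_dh_group: int             # Diffie-Hellman group used for Phase 1
    p2_pfs_group: Optional[int]  # PFS group for Phase 2; None means PFS disabled


def compare_peers(a: IpsecPeer, b: IpsecPeer) -> List[str]:
    """Return findings as 'LEVEL field a=... b=...: detail' strings, errors first.

    An empty list means both peers agree on every checked field."""
    findings: List[str] = []

    def diff(field: str) -> str:
        return f"{field} {a.name}={getattr(a, field)} {b.name}={getattr(b, field)}"

    if a.p1_dh_group != b.p1_dh_group:
        findings.append("ERROR " + diff("p1_dh_group") + ": Phase 1 will not negotiate")
    if a.p2_pfs_group != b.p2_pfs_group:
        # PFS must be on for both peers or for neither, and with the same group.
        # On the Netgear the listed group only counts once the PFS box is ticked.
        findings.append("ERROR " + diff("p2_pfs_group") + ": Phase 2 proposal mismatch")
    if a.p2_lifetime != b.p2_lifetime:
        findings.append("ERROR " + diff("p2_lifetime")
                        + ": Phase 2 lifetimes differ; matching them is what fixed this thread's tunnel")
    if a.p1_lifetime != b.p1_lifetime:
        findings.append("WARN " + diff("p1_lifetime")
                        + ": tolerated here, but align it so rekeys stay predictable")
    return findings


# Constructed from the values quoted in the thread (Netgear Phase 1 DH group assumed).
SOPHOS = IpsecPeer("sophos", p1_lifetime=28800, p2_lifetime=3600, p1_dh_group=2, p2_pfs_group=None)
NETGEAR = IpsecPeer("netgear", p1_lifetime=86400, p2_lifetime=28800, p1_dh_group=2, p2_pfs_group=None)
NETGEAR_FIXED = replace(NETGEAR, p2_lifetime=3600)   # the change that made pings run non-stop

if __name__ == "__main__":
    for label, peer in (("before", NETGEAR), ("after", NETGEAR_FIXED)):
        print(label, compare_peers(SOPHOS, peer) or ["OK"])
```

Run it against your own two configs by filling in the dataclass fields from each device's Phase 1 and Phase 2 screens; anything at ERROR level should be resolved before looking at the live tunnel logs.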