12-20-2011 02:59 AM
HI all,
first of all I have to appologize for my terrible english, Iam not a native speaker.
As you can see i have problems with connecting 2 SRP521W together for an VPN tunnel.
I tried as much as I can but now i dont know what to do or how and where is the mistake?
the connection between these two devices was there last week, after weekend (nothing changed in configs) the connection suddenly was interrupted, without any reason or warning. another day it worked again and 20 mins later connection was dead again...and now it wont establish at all..
please help me.
here are some screenshots from the vpnconfigs of my devices. one has a static IP the otherone uses FQDN.
These are the IKE policies:
Here the IPsec Policies:
and the GRE policies:
I would be very gratefull if somebody can solve my problem.
with best greetings
Felix
12-20-2011 03:58 AM
Hi Felix,
I'll take a look at this in my lab - someone else has reported that their VPN is not reconnecting automatically .
In your case, I don't believe that the GRE tunnel adds anything, as it would run beside the VPN tunnel (rather than the VPN tunnel over it). Have you tried disabling the GRE tunnel?
Regards,
Andy
12-20-2011 05:29 AM
One more question - is it possible that the site with the dynamic IP had its address changed at the time of the failure?
If it is working now, please make a note of the IP address for that site, then compare if the tunnel drops again.
Many thanks,
Andy
12-21-2011 12:37 AM
Hello Andy,
thank you for your fast reply.
This is a good question. I checked it but the IPs are matching.
i also tried to disable GRE as you said, but it doesnt work.
and disabling IPsec VPN and reenabling it doesnt work neither.
Iam wondering why the connection doesent establish...
do i need any port forwardings? or some forwardings that have not to be in there?
greetings
Felix
12-21-2011 03:05 AM
Hi Felix,
No you should not need any port forward settings (nor GRE) to establish a VPN connection.
If you reboot both devices, does the tunnel reestablish?
I assume that both devices are assigned public, routable, IP addresses from the respective service providers and that there is no form of network address translation being carried out anywhere between the two devices. Is that the case?
Have you checked that you can resolve the router host names using a PC (or the SRP diagnostics)?
Are you using DDNS? If so, have you checked that the registrations are up to date and correct?
Regards,
Andy
12-21-2011 04:08 AM
Hi Andy,
the tunnel does not reestablish after reboot. It doesnt establish even if I try to connect them manual.
I have a portforwarding on port 1723(TCP) to the server behind the router and a forwarding on port 500(UDP) to one PC..this doesnt matter to my issue i hope?
Im quite not sure if i get your question right..
One of the routers has a static IP, never changing. The other one has a dynamic IPaddress and Iam using DynDNS for it. The DDNS is correct and up to date. I dont know if there is any network address translation between the two devices, how can I figure it out? I know that in front of each device is a modem, but the routers dial in, if this is helping. and both devices are pingable with IP and with the DDNS.
Did i get all your questions right?
Regards
Felix
12-21-2011 04:16 AM
Hi Felix,
Port 500 UDP is ISAKMP, which the SRP will require to establish the IPSec tunnel. Can you try removing that rule and see if the link comes up?
Are you using VPN on the local PC? i.e. do you need to provide remote VPN access to that device, or is it connecting outbound to another VPN server? If connecting outbound, then you shouldn't need that port forwarding rule - just enable IPSec passthrough.
Andy
12-21-2011 06:28 AM
Hi Andy,
ok i removed this rule but the tunnel doesnt establish anyway.
yes Iam using VPN on the local pc, but this VPNconnection is forwarded to the server(my local pc is not in the network of one of these routers). The routers should just open a tunnel to connect the two locations. The server is set as RAS-Server for connections from the outside.i.e. my connection to the network.
IPSec passthrough as well as pptp and l2tp are enabled.
It looks like this:
Felix
12-21-2011 09:24 AM
Hi Felix,
When you see that the tunnel is disconnected, is this just the indication on the web interface status page, or is it not possible to to send traffic across the tunnel at all?
When recreating this configuration in my lab, I realised that I overlooked the fact that you had DPD configured in the IKE policy. With a timeout value of 0 that you have configured, the peer router will never have a chance to respond to keepalive messages, so the tunnel will never fully establish - at least not until there is traffic routed over the tunnel.
Try reconfiguring DPD for an interval of 30 seconds and a timeout of 120 seconds. This essentially means that the routers will send keep alives to each other twice every minute. Only in the event that the fourth successive keepalive response is missed, will the tunnel be torn down.
While disconnected, the SRP will attempt an Aggresive mode reconnection every 30 seconds until the tunnel can be reconnected.
Let me know if this makes any difference.
(BTW- You're right, the NAT forwarding rule doesn't conflict with your configuration.)
Regards,
Andy
12-27-2011 01:11 AM
Hi Andy,
hope you had a marry x-mas;)
Sorry for my late answer, I was on vacation the last few days.
So i tried setting the DPD as you said but it doesnt work anyway.
And it is not possible to send traffic through the tunnel at all. Seems like the Web status page is right.
We are setting the other device now to FQDN, too. Because our service provider is changing. So it will lasts some days, maybe weeks until I get access to the devices again.
I would like to thank you for trying helping me so far
Iam going to post here again when the changes took place.
Regards Felix
07-06-2012 12:13 AM
Hi,
I figured out a solution for me. There is a "new" Firmwareupdate, which changelogs says: if you edit any setting concerning VPN you have to complete deactivate vpn and reactivate. then it should work. It worked for me this way.
Greetings
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide