
RV016 site-to-site with Netgear FVS318N Not Connecting

Samir Darji
Contributor

I'm completely dumbfounded on this.  Everything is set the same as an existing Netgear unit (FVS124G) that the FVS318N is replacing.  Every option is completely identical.  It connects fine to other endpoints that are Netgear, but not the RV016s.  And the existing Netgear connects fine.

Any ideas?

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com       

Accepted Solution

Samir,

Aggressive Mode sometimes is the key to connecting a stubborn tunnel.

- Marty

11 Replies

mpyhala
Rising star

Samir,

In some cases it is better to configure the Cisco router first, then match the settings on the third party router. Use the default settings on the RV016 and match the settings on the Netgear. If the tunnel comes up, then try adjusting the settings and see if it breaks. You may be limited to certain settings when using different brands of routers. I had a similar issue connecting a WRV210 to a Netgear router and I was able to get it working after playing with the settings. We see this most often when connecting to Cisco Enterprise devices, Sonicwall, Fortigate, etc.

- Marty

Thank you for the quick reply.

Unfortunately, I can't play too much with the rv016 as it's in use.  The current configuration works fine when connected to a Netgear FVS124G and FVS114.  And even after copying those settings perfectly to the FVS318N, it stops after phase 1:

http://forum1.netgear.com/showthread.php?t=89377

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com


Samir,

From what you posted at the Netgear forum it looks like you have tried just about everything short of changing the encryption type.

I had a tunnel between an RV220W and WRV210 a few years ago. An early firmware update on the RV220W broke the tunnel. After much experimenting I found that I was able to get the tunnel up and stable ONLY using AES-192/MD5.

The next firmware release for the RV220W resolved the problem and I was able to use whatever settings I wanted again.

I would definitely try different encryption/authentication and see if you can find a magic combination.

- Marty

From what I remember, I spent a good bit of time trying various different encryption since I knew that had been an issue in the past.  It would still time out at the first phase.  Now, I didn't try changing from main to aggressive mode, but I don't think this would help, would it?

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com


Samir,

Aggressive Mode sometimes is the key to connecting a stubborn tunnel.

- Marty

But isn't aggressive ignoring something in the first phase?  I forget the exact differences between main and aggressive.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com


Samir,

Aggressive is not as secure but in some cases is the only way to get the tunnel to work with certain mixtures of hardware.

Here is a pretty good description of the differences:

http://rayas-security.blogspot.com/2013/06/ipsec-vpn-main-mode-vs-aggressive-mode.html

- Marty

Thank you for the link.  After reading that link, I think aggressive mode may be the key to making it work since it doesn't have as much going on in the first phase.  I'll have to try it once I can find the time to test everything again.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com


Dan Miley
Participant

When you test again, turn on logging on both ends, and upload.  I didn't see the actual log messages on the Netgear post.

You said there were some messages about

<>

Also download and reflash both devices with the latest firmware.

Manual config of the tunnel using the wizard on one end, then match the settings.

You can also try a lower encryption type, 3DES or DES instead of AES, group 1 instead of gp5 for example.

Dan

I'm not turning on logging as that causes problems on its own.  I'll check the logs for clues, but a lot of times the logs are useless on both routers.

There's no way I'm reflashing anything on either one.  The firmwares are completely bug ridden and I need stability, which is what I'm getting with both right now.  If there's a bug that prevents them from connecting, then that's just a fundamental firmware issue I'm going to have to deal with--at least on the Cisco side.  I might mess with firmwares on the Netgear, but not without knowing it will definitely solve the issue since a firmware update is always a chance to render a device useless.

Changing the encryption and trying aggressive mode are the two things I'll be trying.  I'll update this thread with my results.

At this point, the immediate window for getting this to work has long passed, but if the setup will work, a deployment schedule can be arranged for the future.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com


Samir Darji
Contributor

As an update to this issue (and for a reference for me), the solution was to change main mode to aggressive mode on both routers.  Tunnel came right up and has been up ever since.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com
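
Added example, not part of the original thread: when the routers' own logs are not usable, the Phase 1 mode each peer is actually sending can be read from the fixed 28-byte ISAKMP header of a captured UDP/500 payload, which is always in cleartext. The sample packets, cookie values and function names below are constructed for illustration; the header layout and exchange-type numbers are from RFC 2408 and RFC 2409.

```python
import struct

# 28-byte ISAKMP header (RFC 2408, section 3.1): initiator cookie, responder
# cookie, next payload, version, exchange type, flags, message ID, length.
HEADER = struct.Struct("!8s8sBBBBII")

# Exchange types relevant to this thread (RFC 2408 / RFC 2409).
EXCHANGE_TYPES = {2: "main", 4: "aggressive", 5: "informational", 32: "quick"}


def parse_isakmp_header(payload: bytes) -> dict:
    """Decode the header of one IKEv1 datagram (UDP/500 payload assumed)."""
    if len(payload) < HEADER.size:
        raise ValueError("shorter than an ISAKMP header")
    icookie, rcookie, _next, version, exch, flags, _msg_id, length = \
        HEADER.unpack_from(payload)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "version": f"{version >> 4}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES.get(exch, f"unknown({exch})"),
        "encrypted": bool(flags & 0x01),       # set once Phase 1 keys are in use
        "first_message": rcookie == bytes(8),  # responder cookie is zero until the peer answers
        "length": length,
    }


def phase1_modes(payloads) -> set:
    """Return the set of Phase 1 modes seen across captured payloads."""
    seen = {parse_isakmp_header(p)["exchange"] for p in payloads}
    return seen & {"main", "aggressive"}


def _sample(exch: int, rcookie: bytes = bytes(8), flags: int = 0) -> bytes:
    """Build a constructed header-only packet for demonstration."""
    icookie = bytes.fromhex("1122334455667788")  # constructed value
    return HEADER.pack(icookie, rcookie, 1, 0x10, exch, flags, 0, HEADER.size)


SAMPLE_MAIN = _sample(2)        # constructed: first main mode message
SAMPLE_AGGRESSIVE = _sample(4)  # constructed: first aggressive mode message

if __name__ == "__main__":
    for name, pkt in (("main", SAMPLE_MAIN), ("aggressive", SAMPLE_AGGRESSIVE)):
        print(name, parse_isakmp_header(pkt))
    print("modes seen:", phase1_modes([SAMPLE_MAIN, SAMPLE_AGGRESSIVE]))
```

If the capture shows both modes for the same pair of peers, the two ends are not configured alike; the thread's fix required aggressive mode on both routers.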