Trouble with Netgear FVS114 establishing VPN

Guest
Archived from groups: comp.security.firewalls (More info?)

I have three Netgear FVS114 FW v1.0 VPN Firewall Routers that I have
set up at different locations with an Aggressive - Both Directions
"gateway-to-gateway" IPSEC VPN connection between them. I am using
fully qualified domain names as IDs for the three gateways.

There are two issues I am experiencing:

1. When any of the FVS114s are configured with an IKE and VPN policy
they will run for 30 minutes to an hour (with the tunnel functioning),
at which point they will lock up so that they will not respond to pings
from the LAN or the WAN side, will not pass data on the LAN or to the
WAN, and cannot be logged into via the administration page.

2. While the VPN tunnel functions on initial configuration of the
policies, when the FVS114 is rebooted (either by soft reboot from the
administration page or by pulling the power cord after the FVS114 has
locked up) the VPN tunnel is not reestablished. If I try to edit the
IKE policy after a restart I get an error message: "ERROR: no
matching policy found".

These two problems occur on all three FVS114s.

I realize this might not be the best group to post this question but I
am getting little help from the Netgear forum and no help as of today
from Netgear Support.

mark

"Beer Guy" <joseph@mylifeisbeer.com> wrote in message
news:1124295868.407966.95230@z14g2000cwz.googlegroups.com...
>I have three Netgear FVS114 FW v1.0 VPN Firewall Routers that I have
> set up at different locations with an Aggressive - Both Directions
> "gateway-to-gateway" IPSEC VPN connection between them. I am using
> fully qualified domain names as IDs for the three gateways.
>
> There are two issues I am experiencing:
>
> 1. When any of the FVS114s are configured with an IKE and VPN policy
> they will run for 30 minutes to an hour (with the tunnel functioning),
> at which point they will lock up so that they will not respond to pings
> from the LAN or the WAN side, will not pass data on the LAN or to the
> WAN, and cannot be logged into via the administration page.
>
> 2. While the VPN tunnel functions on initial configuration of the
> policies, when the FVS114 is rebooted (either by soft reboot from the
> administration page or by pulling the power cord after the FVS114 has
> locked up) the VPN tunnel is not reestablished. If I try to edit the
> IKE policy after a restart I get an error message: "ERROR: no
> matching policy found".
>
> These two problems occur on all three FVS114s.
>
> I realize this might not be the best group to post this question but I
> am getting little help from the Netgear forum and no help as of today
> from Netgear Support.
>

Netgear, Dlink, Linksys - low end Taiwanese networking products - are all
considered pretty pokey for anything more than basic networking functions.
They tend to have issues when you push them too hard; this is especially true of
VPN products. I've seen some of the specs on Netgear VPN products and would
not recommend them in any sort of "needs to be working smoothly 99.9% of the
time" scenario.

This is the difference between low end products trying to be something they
aren't, and better quality products with a lot more experience in the field.

If you want it to work reliably you need to move to a more professional
product (i.e., Sonicwall, Juniper, etc).

Guest

In article <4305486f$0$16199$bb4e3ad8@newscene.com>,
nothere@notthere.com says...
> "Beer Guy" <joseph@mylifeisbeer.com> wrote in message
> news:1124295868.407966.95230@z14g2000cwz.googlegroups.com...
> >I have three Netgear FVS114 FW v1.0 VPN Firewall Routers that I have
> > set up at different locations with an Aggressive - Both Directions
> > "gateway-to-gateway" IPSEC VPN connection between them. I am using
> > fully qualified domain names as IDs for the three gateways.
> >
> > There are two issues I am experiencing:
> >
> > 1. When any of the FVS114s are configured with an IKE and VPN policy
> > they will run for 30 minutes to an hour (with the tunnel functioning),
> > at which point they will lock up so that they will not respond to pings
> > from the LAN or the WAN side, will not pass data on the LAN or to the
> > WAN, and cannot be logged into via the administration page.
> >
> > 2. While the VPN tunnel functions on initial configuration of the
> > policies, when the FVS114 is rebooted (either by soft reboot from the
> > administration page or by pulling the power cord after the FVS114 has
> > locked up) the VPN tunnel is not reestablished. If I try to edit the
> > IKE policy after a restart I get an error message: "ERROR: no
> > matching policy found".
> >
> > These two problems occur on all three FVS114s.
> >
> > I realize this might not be the best group to post this question but I
> > am getting little help from the Netgear forum and no help as of today
> > from Netgear Support.
> >
>
> Netgear, Dlink, Linksys - low end Taiwanese networking products - are all
> considered pretty pokey for anything more than basic networking functions.
> They tend to have issues when you push them too hard; this is especially true of
> VPN products. I've seen some of the specs on Netgear VPN products and would
> not recommend them in any sort of "needs to be working smoothly 99.9% of the
> time" scenario.
>
> This is the difference between low end products trying to be something they
> aren't, and better quality products with a lot more experience in the field.
>
> If you want it to work reliably you need to move to a more professional
> product (i.e., Sonicwall, Juniper, etc).

I have used Linksys BEFVP41 units and Netgear VPN units many times
without any problems to make a site-to-site VPN connection for remote
users. We even hang one off a spare IP to tunnel into our firewall and
then pass 20GB files through it back and forth just to test them - done
for weeks at a time - didn't see any issues with using a 4Mbps IPsec
connection in site-to-site mode during the weeks long testing.

If I had my choice I would have purchased a firewall appliance, but it
was good to test these very low end units.


--

spam999free@rrohio.com
remove 999 in order to email me

mark

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d6f1474f56aaeec989c5f@news-server.columbus.rr.com...
> In article <4305486f$0$16199$bb4e3ad8@newscene.com>,
> nothere@notthere.com says...
>> "Beer Guy" <joseph@mylifeisbeer.com> wrote in message
>> news:1124295868.407966.95230@z14g2000cwz.googlegroups.com...
>> >I have three Netgear FVS114 FW v1.0 VPN Firewall Routers that I have
>> > set up at different locations with an Aggressive - Both Directions
>> > "gateway-to-gateway" IPSEC VPN connection between them. I am using
>> > fully qualified domain names as IDs for the three gateways.
>> >
>> > There are two issues I am experiencing:
>> >
>> > 1. When any of the FVS114s are configured with an IKE and VPN policy
>> > they will run for 30 minutes to an hour (with the tunnel functioning),
>> > at which point they will lock up so that they will not respond to pings
>> > from the LAN or the WAN side, will not pass data on the LAN or to the
>> > WAN, and cannot be logged into via the administration page.
>> >
>> > 2. While the VPN tunnel functions on initial configuration of the
>> > policies, when the FVS114 is rebooted (either by soft reboot from the
>> > administration page or by pulling the power cord after the FVS114 has
>> > locked up) the VPN tunnel is not reestablished. If I try to edit the
>> > IKE policy after a restart I get an error message: "ERROR: no
>> > matching policy found".
>> >
>> > These two problems occur on all three FVS114s.
>> >
>> > I realize this might not be the best group to post this question but I
>> > am getting little help from the Netgear forum and no help as of today
>> > from Netgear Support.
>> >
>>
>> Netgear, Dlink, Linksys - low end Taiwanese networking products - are all
>> considered pretty pokey for anything more than basic networking functions.
>> They tend to have issues when you push them too hard; this is especially true of
>> VPN products. I've seen some of the specs on Netgear VPN products and would
>> not recommend them in any sort of "needs to be working smoothly 99.9% of the
>> time" scenario.
>>
>> This is the difference between low end products trying to be something they
>> aren't, and better quality products with a lot more experience in the field.
>>
>> If you want it to work reliably you need to move to a more professional
>> product (i.e., Sonicwall, Juniper, etc).
>
> I have used Linksys BEFVP41 units and Netgear VPN units many times
> without any problems to make a site-to-site VPN connection for remote
> users. We even hang one off a spare IP to tunnel into our firewall and
> then pass 20GB files through it back and forth just to test them - done
> for weeks at a time - didn't see any issues with using a 4Mbps IPsec
> connection in site-to-site mode during the weeks long testing.
>
> If I had my choice I would have purchased a firewall appliance, but it
> was good to test these very low end units.
>
>
> --
>
> spam999free@rrohio.com
> remove 999 in order to email me

Well, every time I've come across them they've fallen over, particularly under
load or in difficult scenarios where routing and NAT in the way break the
IPSEC tunnels. They showed up particularly badly when connected to a bigger
appliance such as a Netscreen or Sonicwall - which would usually overwhelm
the Netgear, resulting in either a lockup or just plain packet loss. The unit
specified has a 200MHz CPU, no VPN accelerator... you can imagine how that
would handle under load.

Guest

In article <4305585c$0$16262$bb4e3ad8@newscene.com>,
nothere@notthere.com says...
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d6f1474f56aaeec989c5f@news-server.columbus.rr.com...
> > In article <4305486f$0$16199$bb4e3ad8@newscene.com>,
> > nothere@notthere.com says...
> >> "Beer Guy" <joseph@mylifeisbeer.com> wrote in message
> >> news:1124295868.407966.95230@z14g2000cwz.googlegroups.com...
> >> >I have three Netgear FVS114 FW v1.0 VPN Firewall Routers that I have
> >> > set up at different locations with an Aggressive - Both Directions
> >> > "gateway-to-gateway" IPSEC VPN connection between them. I am using
> >> > fully qualified domain names as IDs for the three gateways.
> >> >
> >> > There are two issues I am experiencing:
> >> >
> >> > 1. When any of the FVS114s are configured with an IKE and VPN policy
> >> > they will run for 30 minutes to an hour (with the tunnel functioning),
> >> > at which point they will lock up so that they will not respond to pings
> >> > from the LAN or the WAN side, will not pass data on the LAN or to the
> >> > WAN, and cannot be logged into via the administration page.
> >> >
> >> > 2. While the VPN tunnel functions on initial configuration of the
> >> > policies, when the FVS114 is rebooted (either by soft reboot from the
> >> > administration page or by pulling the power cord after the FVS114 has
> >> > locked up) the VPN tunnel is not reestablished. If I try to edit the
> >> > IKE policy after a restart I get an error message: "ERROR: no
> >> > matching policy found".
> >> >
> >> > These two problems occur on all three FVS114s.
> >> >
> >> > I realize this might not be the best group to post this question but I
> >> > am getting little help from the Netgear forum and no help as of today
> >> > from Netgear Support.
> >> >
> >>
> >> Netgear, Dlink, Linksys - low end Taiwanese networking products - are all
> >> considered pretty pokey for anything more than basic networking functions.
> >> They tend to have issues when you push them too hard; this is especially true of
> >> VPN products. I've seen some of the specs on Netgear VPN products and would
> >> not recommend them in any sort of "needs to be working smoothly 99.9% of the
> >> time" scenario.
> >>
> >> This is the difference between low end products trying to be something they
> >> aren't, and better quality products with a lot more experience in the field.
> >>
> >> If you want it to work reliably you need to move to a more professional
> >> product (i.e., Sonicwall, Juniper, etc).
> >
> > I have used Linksys BEFVP41 units and Netgear VPN units many times
> > without any problems to make a site-to-site VPN connection for remote
> > users. We even hang one off a spare IP to tunnel into our firewall and
> > then pass 20GB files through it back and forth just to test them - done
> > for weeks at a time - didn't see any issues with using a 4Mbps IPsec
> > connection in site-to-site mode during the weeks long testing.
> >
> > If I had my choice I would have purchased a firewall appliance, but it
> > was good to test these very low end units.
> >
>
> Well, every time I've come across them they've fallen over, particularly under
> load or in difficult scenarios where routing and NAT in the way break the
> IPSEC tunnels. They showed up particularly badly when connected to a bigger
> appliance such as a Netscreen or Sonicwall - which would usually overwhelm
> the Netgear, resulting in either a lockup or just plain packet loss. The unit
> specified has a 200MHz CPU, no VPN accelerator... you can imagine how that
> would handle under load.

I set up ours to connect back to a WatchGuard Firebox III or II or X
series as a dedicated VPN appliance. The WatchGuard subnets are always
different than the remote network subnet (internal). So, if I use
192.168.10.x/24 and 192.168.11.x/24 for the WG I would use
192.168.128.0/24 for the first remote VPN end-point's network, then 129+
for each additional. Never have the remote LAN with the same subnet as
the local.

We have users doing Domain Logins and passing all their work all day
across them, so there has got to be some other issue on your end.


--

spam999free@rrohio.com
remove 999 in order to email me
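The addressing rule in the post above (central firewall LANs on 192.168.10.0/24 and 192.168.11.0/24, each remote site on its own /24 from 192.168.128.0 upward, never overlapping) is easy to get wrong by hand once there are several sites. This added example, not from any poster or from Netgear or WatchGuard, checks a proposed site-to-site layout for overlapping LANs and allocates the next free remote /24; the pool boundary 192.168.128.0/17 and all addresses are assumptions matching the post's scheme.

```python
from ipaddress import ip_network

# Constructed values following the scheme in the post: the central firewall
# owns two internal /24s, remote VPN endpoints get /24s from 192.168.128.0 up.
CENTRAL_LANS = ["192.168.10.0/24", "192.168.11.0/24"]
# Assumed upper bound for the "129+" scheme: 192.168.128.0 .. 192.168.255.0.
REMOTE_POOL = ip_network("192.168.128.0/17")


def find_overlaps(networks):
    """Return every pair of LANs that overlap (identical or nested).

    An IPsec site-to-site tunnel needs disjoint LANs on both ends; an empty
    result means the layout is safe in that respect.
    """
    nets = [ip_network(n, strict=False) for n in networks]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


def next_remote_subnet(in_use, pool=REMOTE_POOL):
    """Allocate the lowest /24 in `pool` that overlaps nothing already in use.

    Walks 192.168.128.0/24, 192.168.129.0/24, ... as the post describes and
    raises if the pool is exhausted rather than silently reusing a subnet.
    """
    used = [ip_network(n, strict=False) for n in in_use]
    for candidate in pool.subnets(new_prefix=24):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    raise RuntimeError("no free /24 left in the remote VPN pool")


if __name__ == "__main__":
    # Plan three remote sites on top of the central LANs, checking as we go.
    allocated = list(CENTRAL_LANS)
    for site in range(3):
        lan = next_remote_subnet(allocated)
        allocated.append(lan)
        print(f"remote site {site + 1}: {lan}")
    print("overlaps:", find_overlaps(allocated) or "none")
```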