Level 2: Rookie

Issues with Telstra Modem - VPN Passthrough

Hi Everyone,

 

I have an issue with a VPN connection that we have configured on a separate WatchGuard firewall/router device that is sitting in the DMZ of the current Telstra Netgear V7610 modem.

 

The V7610 is set up with the DMZ so that all traffic will pass through to the WatchGuard device, which has all the rules/DHCP/BOVPN configuration.

 

The issue is that the BOVPN connection will only work for a limited (random) period of time before it drops and never comes back again.

 

Looking at the WatchGuard VPN status, it gives the error:

Message retry timeout. Check the connection between local and remote gateway endpoints.

 

On the Netgear side I can see the following logs:


syslog: 14[IKE] [DATACENTRE IP ADDRESS] is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:34:34
syslog: 14[IKE] [DATACENTRE IP ADDRESS] is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:34:34
syslog: 14[ENC] generating ID_PROT response 0 [ SA V V V V V ] Wednesday, June 03, 2020 18:34:34
syslog: 14[NET] sending packet: from [TELSTRA WAN IP][500] to [DATACENTRE IP ADDRESS][500] (172 bytes) Wednesday, June 03, 2020 18:34:34
syslog: 11[NET] received packet: from [DATACENTRE IP ADDRESS][500] to [TELSTRA WAN IP][500] (220 bytes) Wednesday, June 03, 2020 18:34:34
syslog: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:34:34
syslog: 11[IKE] faking NAT situation to enforce UDP encapsulation Wednesday, June 03, 2020 18:34:34
syslog: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:34:34
syslog: 11[NET] sending packet: from [TELSTRA WAN IP][500] to [DATACENTRE IP ADDRESS][500] (244 bytes) Wednesday, June 03, 2020 18:34:34
syslog: 13[JOB] deleting half open IKE_SA after timeout Wednesday, June 03, 2020 18:35:04
syslog: 13[JOB] [Netgear]&[strongSwan, connection fail] [DATACENTRE IP ADDRESS]: deleting half open IKE_SA after timeout Wednesday, June 03, 2020 18:35:04
syslog: 06[NET] received packet: from [DATACENTRE IP ADDRESS][500] to [TELSTRA WAN IP][500] (188 bytes) Wednesday, June 03, 2020 18:35:14
syslog: 06[ENC] parsed ID_PROT request 0 [ SA V V V ] Wednesday, June 03, 2020 18:35:14
syslog: 06[IKE] received DPD vendor ID Wednesday, June 03, 2020 18:35:14
syslog: 06[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Wednesday, June 03, 2020 18:35:14
syslog: 06[ENC] received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:43:34:78:49:45:4a:4f:50:54:55:35:4e:54:51:77:4d:51:3d:3d Wednesday, June 03, 2020 18:35:14
syslog: 06[IKE] [DATACENTRE IP ADDRESS] is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:35:14
syslog: 06[IKE] [DATACENTRE IP ADDRESS] is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:35:14
syslog: 06[ENC] generating ID_PROT response 0 [ SA V V V V V ] Wednesday, June 03, 2020 18:35:14
syslog: 06[NET] sending packet: from [TELSTRA WAN IP][500] to [DATACENTRE IP ADDRESS][500] (172 bytes) Wednesday, June 03, 2020 18:35:14
syslog: 04[NET] received packet: from [DATACENTRE IP ADDRESS][500] to [TELSTRA WAN IP][500] (220 bytes) Wednesday, June 03, 2020 18:35:14
syslog: 04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:35:14
syslog: 04[IKE] faking NAT situation to enforce UDP encapsulation Wednesday, June 03, 2020 18:35:14
syslog: 04[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:35:14
syslog: 04[NET] sending packet: from [TELSTRA WAN IP][500] to [DATACENTRE IP ADDRESS][500] (244 bytes) Wednesday, June 03, 2020 18:35:14
syslog: 13[JOB] deleting half open IKE_SA after timeout Wednesday, June 03, 2020 18:35:44
syslog: 13[JOB] [Netgear]&[strongSwan, connection fail] [DATACENTRE IP ADDRESS]: deleting half open IKE_SA after timeout Wednesday, June 03, 2020 18:35:44
syslog: 14[NET] received packet: from [DATACENTRE IP ADDRESS][500] to [TELSTRA WAN IP][500] (188 bytes) Wednesday, June 03, 2020 18:35:47
syslog: 14[ENC] parsed ID_PROT request 0 [ SA V V V ] Wednesday, June 03, 2020 18:35:47
syslog: 14[IKE] received DPD vendor ID Wednesday, June 03, 2020 18:35:47
syslog: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID Wednesday, June 03, 2020 18:35:47
syslog: 14[ENC] received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:43:34:78:49:45:4a:4f:50:54:55:35:4e:54:51:77:4d:51:3d:3d Wednesday, June 03, 2020 18:35:47
syslog: 14[IKE] [DATACENTRE IP ADDRESS] is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:35:47
syslog: 14[IKE] [DATACENTRE IP ADDRESS] is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:35:47
syslog: 14[ENC] generating ID_PROT response 0 [ SA V V V V V ] Wednesday, June 03, 2020 18:35:47
syslog: 14[NET] sending packet: from [TELSTRA WAN IP][500] to [DATACENTRE IP ADDRESS][500] (172 bytes) Wednesday, June 03, 2020 18:35:47
syslog: 11[NET] received packet: from [DATACENTRE IP ADDRESS][500] to [TELSTRA WAN IP][500] (220 bytes) Wednesday, June 03, 2020 18:35:47
syslog: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:35:47
syslog: 11[IKE] faking NAT situation to enforce UDP encapsulation Wednesday, June 03, 2020 18:35:47
syslog: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:35:47
syslog: 11[NET] sending packet: from [TELSTRA WAN IP][500] to [DATACENTRE IP ADDRESS][500] (244 bytes) Wednesday, June 03, 2020 18:35:47
syslog: dnsproxy:error:999.545:sort_with_cname:185:########### new seq index = [0], host name is im8e-asd-001and002-n.business.connect.telstra.com Wednesday, June 03, 2020 18:36:03
syslog: dnsproxy:error:999.545:sort_with_cname:185:########### new seq index = [0], host name is im8e-asd-001and002-n.business.connect.telstra.com Wednesday, June 03, 2020 18:36:03
syslog: 06[JOB] deleting half open IKE_SA after timeout Wednesday, June 03, 2020 18:36:17
syslog: 06[JOB] [Netgear]&[strongSwan, connection fail] [DATACENTRE IP ADDRESS]: deleting half open IKE_SA after timeout Wednesday, June 03, 2020 18:36:17

 

I've spoken with WatchGuard support and everything is OK on both ends in terms of configuration.

 

When I restart the Netgear modem, the VPN connection starts working again on the WatchGuard, and after a period of time the VPN connection will drop again. Another restart of the Netgear modem will restore the VPN connection again, so this confirms it is a Netgear modem issue.

 

I've tried the following already:

 

1. Enable Port Forwarding for the VPN port 500 (for IPsec VPNs), port 1723 for PPTP VPNs, and port 1701 for L2TP routing and remote access. Port 500 may be listed under the list of services. You can visit this link for more information on Port Forwarding: How do I configure Port Forwarding on routers with the NETGEAR genie interface?
   Note: Check if the WAN IP is Public or Private. Ports can be opened on Public IP addresses only.
2. By default the router's firewall is configured to drop (delete) ICMP packets sent from outside your network to the WAN port. Your VPN may require the ICMP packets. To accept them:
   a. Log in to the router using a browser by typing http://192.168.0.1, http://routerlogin.com, http://routerlogin.net or http://192.168.1.1.
   b. Type admin for the username and password for the password (unless you changed the password from the default).
   c. Select WAN Setup > Advanced > Respond to Ping on Internet Port.
   d. Click Apply.


Please assist me as I need the VPN connection to be stable.

 

Looking at the Netgear logs above, perhaps there is an issue on Telstra's end?

Perhaps there is a new firmware version that will address this issue?
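What the modem log above actually records is worth spelling out. The lines are in strongSwan's charon format (the `[strongSwan, connection fail]` tag confirms the source), so the modem's own IKE daemon is the one generating the ID_PROT responses on the Telstra WAN IP. IKEv1 Main Mode is three round trips: SA proposal, then KE/nonce (with NAT-D hashes), then the encrypted ID/HASH exchange. In every attempt shown, the modem answers the first two exchanges itself ("faking NAT situation to enforce UDP encapsulation" is strongSwan forcing NAT-T for its own SA), the ID/HASH exchange never arrives, and thirty seconds later the half-open SA is deleted. The script below is an added example, not part of the original post or of any Netgear, Telstra or WatchGuard tool: it parses log lines in that format and classifies each Main Mode attempt by how far it got. The two sample traces are constructed to mirror the post (and a hypothetical healthy handshake), with RFC 5737 documentation addresses standing in for the real endpoints.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample modelled on the modem syslog in the post. 203.0.113.10 stands in
# for the datacentre peer (RFC 5737 documentation address, not the poster's endpoint).
SAMPLE_FAILING = """\
syslog: 14[IKE] 203.0.113.10 is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:34:34
syslog: 14[IKE] 203.0.113.10 is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:34:34
syslog: 14[ENC] generating ID_PROT response 0 [ SA V V V V V ] Wednesday, June 03, 2020 18:34:34
syslog: 11[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:34:34
syslog: 11[IKE] faking NAT situation to enforce UDP encapsulation Wednesday, June 03, 2020 18:34:34
syslog: 11[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:34:34
syslog: 13[JOB] deleting half open IKE_SA after timeout Wednesday, June 03, 2020 18:35:04
syslog: 13[JOB] [Netgear]&[strongSwan, connection fail] 203.0.113.10: deleting half open IKE_SA after timeout Wednesday, June 03, 2020 18:35:04
syslog: 06[ENC] parsed ID_PROT request 0 [ SA V V V ] Wednesday, June 03, 2020 18:35:14
syslog: 06[IKE] 203.0.113.10 is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:35:14
syslog: 06[ENC] generating ID_PROT response 0 [ SA V V V V V ] Wednesday, June 03, 2020 18:35:14
syslog: 04[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:35:14
syslog: 04[IKE] faking NAT situation to enforce UDP encapsulation Wednesday, June 03, 2020 18:35:14
syslog: 04[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:35:14
syslog: 13[JOB] deleting half open IKE_SA after timeout Wednesday, June 03, 2020 18:35:44
"""

# Constructed healthy trace (hypothetical): the third exchange arrives and the SA is established.
SAMPLE_HEALTHY = """\
syslog: 07[ENC] parsed ID_PROT request 0 [ SA V V V ] Wednesday, June 03, 2020 18:40:01
syslog: 07[IKE] 203.0.113.10 is initiating a Main Mode IKE_SA Wednesday, June 03, 2020 18:40:01
syslog: 07[ENC] generating ID_PROT response 0 [ SA V V V V V ] Wednesday, June 03, 2020 18:40:01
syslog: 08[ENC] parsed ID_PROT request 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:40:01
syslog: 08[ENC] generating ID_PROT response 0 [ KE No NAT-D NAT-D ] Wednesday, June 03, 2020 18:40:01
syslog: 09[ENC] parsed ID_PROT request 0 [ ID HASH ] Wednesday, June 03, 2020 18:40:02
syslog: 09[IKE] IKE_SA bovpn[1] established between 198.51.100.5[198.51.100.5]...203.0.113.10[203.0.113.10] Wednesday, June 03, 2020 18:40:02
"""

# Main Mode (RFC 2409) is three round trips; the first payload tag of each parsed
# initiator message tells us which one it is.
STAGE_BY_FIRST_PAYLOAD = {"SA": 1, "KE": 2, "ID": 3}
STAGE_NAMES = {0: "nothing parsed", 1: "SA exchange", 2: "KE/nonce/NAT-D exchange",
               3: "ID/HASH exchange"}

INITIATING_RE = re.compile(r"\] (\S+) is initiating a Main Mode IKE_SA")
PARSED_RE = re.compile(r"parsed ID_PROT request \d+ \[ ([^\]]*?) \]")
ESTABLISHED_RE = re.compile(r"IKE_SA .*established")
HALF_OPEN_RE = re.compile(r"deleting half open IKE_SA after timeout")
FORCE_ENCAPS_RE = re.compile(r"faking NAT situation to enforce UDP encapsulation")
TIME_RE = re.compile(r"(\d{2}:\d{2}:\d{2})\s*$")

@dataclass
class Attempt:
    peer: str = "?"
    started: str = ""
    ended: str = ""
    stage: int = 0                 # furthest Main Mode exchange seen from the initiator
    forced_nat_t: bool = False     # responder forced UDP encapsulation for this SA
    outcome: Optional[str] = None  # "established" or "half-open timeout"

def analyse(log_text: str) -> List[Attempt]:
    """Group strongSwan responder lines into Main Mode attempts."""
    attempts: List[Attempt] = []
    cur: Optional[Attempt] = None
    for line in log_text.splitlines():
        ts = TIME_RE.search(line)
        when = ts.group(1) if ts else ""
        if cur is None or cur.outcome is not None:
            # A new attempt starts at the parsed SA proposal or the "is initiating" line,
            # whichever a (possibly truncated) log shows first. Anything else is ignored,
            # including the duplicated teardown line the modem emits.
            if PARSED_RE.search(line) or INITIATING_RE.search(line):
                cur = Attempt(started=when)
                attempts.append(cur)
            else:
                continue
        m = INITIATING_RE.search(line)
        if m:  # repeated "is initiating" lines for one attempt are harmless
            cur.peer, cur.stage = m.group(1), max(cur.stage, 1)
            continue
        m = PARSED_RE.search(line)
        if m:
            first = m.group(1).split()[0]
            cur.stage = max(cur.stage, STAGE_BY_FIRST_PAYLOAD.get(first, 0))
        elif FORCE_ENCAPS_RE.search(line):
            cur.forced_nat_t = True
        elif ESTABLISHED_RE.search(line):
            cur.outcome, cur.ended = "established", when
        elif HALF_OPEN_RE.search(line):
            cur.outcome, cur.ended = "half-open timeout", when
    return attempts

def diagnose(attempts: List[Attempt]) -> Dict[str, object]:
    """Summarise: did the ID/HASH exchange ever complete on this responder?"""
    timed_out = [a for a in attempts if a.outcome == "half-open timeout"]
    established = [a for a in attempts if a.outcome == "established"]
    stalled = [a for a in timed_out if a.stage == 2]
    if not attempts:
        verdict = "no-ike-traffic"
    elif established and not timed_out:
        verdict = "established"
    elif len(stalled) == len(attempts):
        verdict = "stalled-after-ke"
    else:
        verdict = "mixed"
    return {"attempts": len(attempts), "timed_out": len(timed_out),
            "stalled_after_ke": len(stalled), "verdict": verdict}

EXPLANATIONS = {
    "no-ike-traffic": "no Main Mode lines found",
    "established": "Main Mode completed on this device; look elsewhere for the drop",
    "stalled-after-ke": ("this device answers the SA and KE exchanges itself and then never "
                         "sees the ID/HASH exchange: UDP/500 is terminating on the modem's own "
                         "IKE daemon rather than reaching the DMZ host"),
    "mixed": "some attempts succeed and some stall; correlate timestamps with link events",
}

if __name__ == "__main__":
    for label, text in (("failing (as in the post)", SAMPLE_FAILING), ("healthy", SAMPLE_HEALTHY)):
        attempts = analyse(text)
        print(f"--- {label}: {len(attempts)} Main Mode attempt(s)")
        for a in attempts:
            print(f"  {a.started}-{a.ended} peer={a.peer} reached={STAGE_NAMES[a.stage]} "
                  f"forced-NAT-T={a.forced_nat_t} outcome={a.outcome}")
        print("  verdict:", EXPLANATIONS[diagnose(attempts)["verdict"]])
```

Run it against a longer capture of the same syslog (for example the modem's log export) and the verdict tells you whether to keep looking at the WatchGuard at all: if every attempt stalls after the KE exchange on the modem, the DMZ is not passing UDP/500 through and the WatchGuard never sees the handshake, whatever its own configuration says.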

6 REPLIES

Level 20: Director

Re: Issues with Telstra Modem - VPN Passthrough

Have you considered contacting Telstra Platinum Support on 137587 to see if they can assist you with your situation? They should be able to confirm the firmware status, whether the IKE_SA issue is with the V7610, and whether ICMP is to be activated in the WatchGuard. These issues are not without complexity and require a deep understanding of the security aspects of opening up ICMP on the secondary device. The WatchGuard is a very sophisticated unit; maybe it can be configured to manage or filter authentic ICMP packets.

Level 24: Supreme Being

Re: Issues with Telstra Modem - VPN Passthrough

Have you enabled ICMP? There was an issue, not with a VPN but with a USG connected to a Telstra modem dropping out every 24 hours; enabling ICMP on the USG fixed the problem.

Level 2: Rookie

Re: Issues with Telstra Modem - VPN Passthrough

Hi CF4,

Telstra reset their links every 24 hours so the modems get a new IP address. This happens because they don't want anybody setting up a permanent service. If your VPN is dropping out, this is most probably the cause.

Level 24: Supreme Being

Re: Issues with Telstra Modem - VPN Passthrough

Hi @Otto88 

 

Telstra connections only renew the IP leases every 24 hours but do not change the IP address. The IP address only changes when the link is disconnected and then reconnected. You can get a fixed IP address that doesn't change on link reconnection for an extra $10 a month.

Level 2: Rookie

Re: Issues with Telstra Modem - VPN Passthrough

I eventually found the fix to this issue.

 

I had existing VPN settings in the Telstra Smart Modem, configured initially when I was trying to get the VPN working; however, with the limited feature set of the modem, it didn't work.

 

I removed all the VPN settings I had configured in the Smart Modem, and after doing that the VPN connection in the DMZ with the WatchGuard has been solid since!

Level 1: Cadet

Re: Issues with Telstra Modem - VPN Passthrough

Hi

 

I have a similar issue and I was hoping that you would please be able to share all the options that you ended up with being enabled (pass through, port forwarding, DMZ etc) as I currently hate this V7610...

 

Many thanks in advance

 

David
