VPN connection times out. DG834G or different ISPs?

Hi there,

I'm having a bit of a problem with an intermittent VPN connection
between two Netgear DG834G routers and was wondering if anyone in a
similar situation can share experiences.

Basically, when the connection works it does so great, allowing
computers on one LAN to see network shares & printers on the other. But
for many hours at a time the VPN doesn't work at all.

Looking at the logs of one of the routers I see:

Thu, 2006-01-19 18:06:45 - added connection description "WibbleCo"
Thu, 2006-01-19 18:06:45 - adding interface ipsec0/ppp0 123.123.123.123
Thu, 2006-01-19 18:06:55 - [WibbleCo] terminating SAs using this
connection
Thu, 2006-01-19 18:06:56 - [WibbleCo] initiating Main Mode
Thu, 2006-01-19 18:07:06 - [WibbleCo] STATE_MAIN_I1: retransmission;
will wait 20s for response
Thu, 2006-01-19 18:07:26 - [WibbleCo] STATE_MAIN_I1: retransmission;
will wait 40s for response
Thu, 2006-01-19 18:08:06 - [WibbleCo] max number of retransmissions
reached STATE_MAIN_I1. No acceptable response to our first IKE message
Thu, 2006-01-19 18:08:12 - [WibbleCo] terminating SAs using this
connection
Thu, 2006-01-19 18:08:13 - [WibbleCo] initiating Main Mode
Thu, 2006-01-19 18:08:23 - [WibbleCo] STATE_MAIN_I1: retransmission;
will wait 20s for response
Thu, 2006-01-19 18:08:43 - [WibbleCo] STATE_MAIN_I1: retransmission;
will wait 40s for response
Thu, 2006-01-19 18:09:23 - [WibbleCo] max number of retransmissions
reached STATE_MAIN_I1. No acceptable response to our first IKE message

This continues for several hours or for a day or two, until the VPN
decides to reconnect:

Thu, 2006-01-19 18:27:18 - added connection description "WibbleCo"
Thu, 2006-01-19 18:27:18 - adding interface ipsec0/ppp0 12.12.12.12
Thu, 2006-01-19 18:27:28 - [WibbleCo] terminating SAs using this
connection
Thu, 2006-01-19 18:27:29 - [WibbleCo] initiating Main Mode
Thu, 2006-01-19 18:27:39 - [WibbleCo] STATE_MAIN_I1: retransmission;
will wait 20s for response
Thu, 2006-01-19 18:27:59 - [WibbleCo] STATE_MAIN_I1: retransmission;
will wait 40s for response
Thu, 2006-01-19 18:28:39 - [WibbleCo] max number of retransmissions
reached STATE_MAIN_I1. No acceptable response to our first IKE message
Thu, 2006-01-19 18:28:45 - [WibbleCo] terminating SAs using this
connection
Thu, 2006-01-19 18:28:46 - [WibbleCo] initiating Main Mode
Thu, 2006-01-19 18:28:56 - [WibbleCo] STATE_MAIN_I1: retransmission;
will wait 20s for response
Thu, 2006-01-19 18:29:16 - [WibbleCo] STATE_MAIN_I1: retransmission;
will wait 40s for response
Thu, 2006-01-19 18:29:17 - [WibbleCo] responding to Main Mode
Thu, 2006-01-19 18:29:17 - [WibbleCo] sent MR3, ISAKMP SA established
Thu, 2006-01-19 18:29:17 - [WibbleCo] responding to Quick Mode
Thu, 2006-01-19 18:29:19 - [WibbleCo] IPsec SA established
Thu, 2006-01-19 18:29:56 - [WibbleCo] max number of retransmissions
reached STATE_MAIN_I1. No acceptable response to our first IKE message
Thu, 2006-01-19 18:37:58 - [WibbleCo] DPD: No response from peer -
declaring peer dead
Thu, 2006-01-19 18:38:10 - [WibbleCo] terminating SAs using this
connection
Thu, 2006-01-19 18:38:12 - [WibbleCo] initiating Main Mode
Thu, 2006-01-19 18:38:12 - [WibbleCo] ISAKMP SA established
Thu, 2006-01-19 18:38:13 - [WibbleCo] sent QI2, IPsec SA established
Thu, 2006-01-19 18:38:38 - [WibbleCo] received Delete SA payload:
deleting ISAKMP State #5
Thu, 2006-01-19 18:38:48 - [WibbleCo] IPsec SA expired
Thu, 2006-01-19 18:38:53 - [WibbleCo] terminating SAs using this
connection
Thu, 2006-01-19 18:38:54 - [WibbleCo] initiating Main Mode
Thu, 2006-01-19 18:38:54 - [WibbleCo] ISAKMP SA established
Thu, 2006-01-19 18:38:55 - [WibbleCo] sent QI2, IPsec SA established

Now I believe this is a simple internet-conjestion / latency / time-out
sort of issue, but I've never installed a VPN before, so I'd really like
feedback from others in a similar situation.

The problem is that the customer asked me to set up her new office
network for her (having set up her home previously), told me she'd
already ordered AOL ADSL and *then* told me she'd like to access from
the office files on her network share at home. She's on BT broadband at
home.

My gut instinct is that if both routers were on the same ISP -
preferably a good quality ISP like Eclipse or A&A - then the VPN would
work great all the time, but I don't want to be in a position in which I
recommend this, she spends big money to buy out of her 12-month contract
with AOL and then it doesn't work.

So is anyone using VPN between two DG834Gs successfully, please?
Has anyone had problems with a VPN between routers on different ISPs?
(and did you resolve this by changing ISP?)
Is anyone with an ISP who will stand up & say "hey, we support VPNs?"
(Ha! Yeah, right!)

The two routers are set up with one shifted onto a different subnet from
the default, as described in the manual, then as "mirrors" of each other
using the VPN wizard. They use dyndns accounts to give resolvable
hostnames & often one can ping the other site when the VPN is down.
Because the VPN works (about) half the time I can't see a configuration
issue.

Thanks for any advice,

Stroller.

Stroller wrote:
> Hi there,
>
> I'm having a bit of a problem with an intermittent VPN connection
> between two Netgear DG834G routers and was wondering if anyone in a
> similar situation can share experiences.
>
> Basically, when the connection works it does so great, allowing
> computers on one LAN to see network shares & printers on the other.
> But for many hours at a time the VPN doesn't work at all.
< detail snipped>

Whilst I can't comment directly upon your situation, I had a DG814 router
(firmware 4.11) which I never had much luck when making two VPN connections.
They would never both stay connected, and even one would not last that long.
I then tried a very cheap router from Addon. This has been working (and
connected) for the last 9 days.
No other hardware or software was changed at this time.

In article <(E-Mail Removed)>,
"Grumps" <(E-Mail Removed)> wrote:

> Stroller wrote:
> > Hi there,
> >
> > I'm having a bit of a problem with an intermittent VPN connection
> >...
> > Basically, when the connection works it does so great, allowing
> > computers on one LAN to see network shares & printers on the other.
> > But for many hours at a time the VPN doesn't work at all.
> < detail snipped>
>
> Whilst I can't comment directly upon your situation, I had a DG814 router
> (firmware 4.11) which I never had much luck when making two VPN connections.
> They would never both stay connected, and even one would not last that long.

Hi,

Thanks for your reply. You experienced this problem using two DG814s,
both connected to the same ISP?

> I then tried a very cheap router from Addon. This has been working (and
> connected) for the last 9 days.

That wouldn't be this one, would it? http://tinyurl.com/88px2
From the photo it looks distinctly like the Conexant one also sold by
Sweex and other "brands". I've found these a real PITA to set up in the
past (and swore I'd never touch one again, but I might have to withdraw
that if they'd fix my problem!!)

Stroller.

Stroller wrote:
> In article <(E-Mail Removed)>,
> "Grumps" <(E-Mail Removed)> wrote:
>
>> Stroller wrote:
>>> Hi there,
>>>
>>> I'm having a bit of a problem with an intermittent VPN connection
>>> ...
>>> Basically, when the connection works it does so great, allowing
>>> computers on one LAN to see network shares & printers on the other.
>>> But for many hours at a time the VPN doesn't work at all.
>> < detail snipped>
>>
>> Whilst I can't comment directly upon your situation, I had a DG814
>> router (firmware 4.11) which I never had much luck when making two
>> VPN connections. They would never both stay connected, and even one
>> would not last that long.
>
> Hi,
>
> Thanks for your reply. You experienced this problem using two DG814s,
> both connected to the same ISP?

No. I was using a DG814, the other end was using a BT provided box. The ISPs
are different too.

>> I then tried a very cheap router from Addon. This has been working
>> (and connected) for the last 9 days.
>
> That wouldn't be this one, would it? http://tinyurl.com/88px2

No. My box is black with the number Addon ARM8100. I haven't seen it online
recently. It was given to me by my IT manager for use at home.

> From the photo it looks distinctly like the Conexant one also sold by
> Sweex and other "brands". I've found these a real PITA to set up in
> the past (and swore I'd never touch one again, but I might have to
> withdraw that if they'd fix my problem!!)

Grumps wrote in article <news:(E-Mail Removed)>:

> I had a DG814 router
> (firmware 4.11)

4.11? Where did you get that from, please? The latest on the support
site has been 4.10 for years.

--
K. A. Nuttall
www.yammer.co.uk
Re-type the e-mail address how it sounds, remove .invalid

K. A. Nuttall wrote:
> Grumps wrote in article <news:(E-Mail Removed)>:
>
>> I had a DG814 router
>> (firmware 4.11)
>
> 4.11? Where did you get that from, please? The latest on the support
> site has been 4.10 for years.

Oops! My bad. 4.10 is what I was running. Funny thing is that I even checked
to see what version it had before I posted. I still got it wrong!

Stroller wrote:

> Is anyone with an ISP who will stand up & say "hey, we support VPNs?"
> (Ha! Yeah, right!)

There are ISPs out there who will support VPNs - but usually only if you buy
VPN routers, circuits and a maintenance contract from them. How much is
this VPN worth to your customer?

--
<http://ale.cx/> (AIM:troffasky) ((E-Mail Removed))
20:31:17 up 8 days, 46 min, 4 users, load average: 0.11, 0.11, 0.09
This is my BOOOOOOOOOOOOOOOOOOOOOMSTICK

In article <(E-Mail Removed)>, alexd <(E-Mail Removed)>
wrote:

> Stroller wrote:
>
> > Is anyone with an ISP who will stand up & say "hey, we support VPNs?"
>
> There are ISPs out there who will support VPNs - but usually only if you buy
> VPN routers, circuits and a maintenance contract from them. How much is
> this VPN worth to your customer?

Good question. Any such ISPs that spring to mind? I'd be glad to do some
homework & present the choice to my customer.

Stroller

Stroller wrote:
> In article <(E-Mail Removed)>, alexd <(E-Mail Removed)>
> wrote:
>
>> Stroller wrote:
>>
>>> Is anyone with an ISP who will stand up & say "hey, we support
>>> VPNs?"
>>
>> There are ISPs out there who will support VPNs - but usually only if
>> you buy VPN routers, circuits and a maintenance contract from them.
>> How much is this VPN worth to your customer?
>
> Good question. Any such ISPs that spring to mind? I'd be glad to do
> some homework & present the choice to my customer.

When I first had my issues with dropping VPN connections I asked my ISP,
Nildram, and they said there was nothing at their end that was causing the
problem. The other end of my VPN is through Mistral; and they have
definitely confirmed that they support VPN.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stroller wrote:
> Hi there,
>
> I'm having a bit of a problem with an intermittent VPN connection
> between two Netgear DG834G routers and was wondering if anyone in a
> similar situation can share experiences.
<snip>
> The problem is that the customer asked me to set up her new office
> network for her (having set up her home previously), told me she'd
> already ordered AOL ADSL and *then* told me she'd like to access from
> the office files on her network share at home. She's on BT broadband at
> home.

Sometimes the customers that say "I just want you to sort out everything"
make you glad...especially when others go and (con)sign themselves to AOL
for a year!


> My gut instinct is that if both routers were on the same ISP -
> preferably a good quality ISP like Eclipse or A&A - then the VPN would
> work great all the time, but I don't want to be in a position in which I
> recommend this, she spends big money to buy out of her 12-month contract
> with AOL and then it doesn't work.

Well it's especially so with AOL, they seem to like traffic filtering
(HTTP, SMTP etc.) and otherwise generally messing with anything between the
originating PC and it's traffic's destination.


> So is anyone using VPN between two DG834Gs successfully, please?
> Has anyone had problems with a VPN between routers on different ISPs?
> (and did you resolve this by changing ISP?)
> Is anyone with an ISP who will stand up & say "hey, we support VPNs?"
> (Ha! Yeah, right!)

A&A are geared up to provide proper "technical" tech support and have a no
bullshit policy, i.e. if a staff member doesn't know something they say so,
then find it out. I'm also pretty sure they can help with such issues by
running a packet trace on the line. They also quite often stand up and say
"hey, we support xyz!" where xyz can be all number of things :-)


> The two routers are set up with one shifted onto a different subnet from
> the default, as described in the manual, then as "mirrors" of each other
> using the VPN wizard. They use dyndns accounts to give resolvable
> hostnames & often one can ping the other site when the VPN is down.
> Because the VPN works (about) half the time I can't see a configuration
> issue.

Have you tried taking dyndns out of the equation, just in case? It's
interesting how when it "works", it says the SA is established but then
goes on to say there's no response to "our first IKE message".
What sort of packet loss do you get from one host to the other, does it
seem clear and consistent?

One thing I've found with various router manufacturers is something wrong
that doesn't make sense is often fixed by doing a factory restore to
default settings. Thus the quality of these things is proven ;-)

HTH

Adam Piggott, Proprietor, Proactive Services (Computing).
http://www.proactiveservices.co.uk/

Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFD1fp/7uRVdtPsXDkRAt+2AJ9SUWQLdXPEfkJe6jqo9QwFvtPoEwCdEp EL
YDztYdbzJEydF+yITKoBXUo=
=88B3
-----END PGP SIGNATURE-----