Site<->Site VPN connectivity issue

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,719
Location
Horsens, Denmark
Was working fine this morning (and for the last 7 years), then dropped while unattended.

Each end has a Smoothwall firewall with VPN set up.
Both ends have internet connectivity.
Both ends show VPN as connected.
Both ends have routes programmed.
Tested with multiple devices, nothing on either end can ping anything on the other side (by IP or name).

Rebooted everything
Deleted and re-added VPN connection
Deleted and re-added static routes
tracert fails at the local smoothie

The only good news is that, since both internet connections are working, I can remote into both sides for troubleshooting.

Any advice would be most appreciated.
 

Bozo

Storage? I am Storage!
Joined
Feb 12, 2002
Messages
4,396
Location
Twilight Zone
I don't know if this applies to your problem, but we had computers stop connecting to each other because the clocks were too far off from each other.
 

ddrueding

An interesting point, but the clocks are all +/- 1 minute. This is also affecting multiple machines on either end that were working fine this morning and don't use any common infrastructure (DNS/NTP/AD).
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
That indicates that the tunnel is not actually up. Could something as mundane as the external IP address of the remote site have changed? The method you are using to remote in might make this obvious but I don't know what that is. Can we assume you have double checked the gateway and tunnel configurations making no assumptions?
 

Howell

My only other suggestion is that maybe the keys are not being generated properly. Try a different passphrase to test.
 

ddrueding

> That indicates that the tunnel is not actually up. Could something as mundane as the external IP address of the remote site have changed? The method you are using to remote in might make this obvious but I don't know what that is. Can we assume you have double checked the gateway and tunnel configurations making no assumptions?
>
> My only other suggestion is that maybe the keys are not being generated properly. Try a different passphrase to test.

I just removed the connection from both boxes and re-entered all the information based on actual settings (whatismyip.com, password in a text file and copy/pasted into both sides, etc). The connection showed as successful, but still no data will make it past the local firewall.
 

ddrueding

Thanks for that time. One end is an ATT T-1, but the other is a local wireless ISP that I do quite a bit of work with. I'll give their head-tech a call and see if they've fooled with anything lately. If ATT blocked VPNs on their business connections it would be on Slashdot already.
 

ddrueding

Anyone here familiar with setting up VPN links on Netgear routers? Specifically between these two:

NETGEAR ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308

NETGEAR ProSafe VPN Firewall FVS336GV2

I'll give you remote access and happily pay at this point, so sick of this.
 

ddrueding

80% of the way there. Still having issues with the routing. I can ping the far gateway successfully from either end, but hitting some of the devices on the other end not so much.
 