Balance 20 and IPSEC VPN to third party peer


#1

I realize that Peplink only officially supports IPSEC to two other vendors. I also realize that unofficially it can work on additional endpoints. Unfortunately I have not been able to get it to work on one of mine.

I have a few remote sites that I need site-to-site VPN. Unfortunately, over the years I have collected a varied set of VPN routers. I used to primarily stick to Sonicwall for the very issue of VPN compatibility (and other reasons). I have some Sonicwall to Sonicwall connections and I have a Sonicwall to Netgear FVS338. Unfortunately, I need to set up a new site to also VPN to the FVS338. I have a Balance 20 (my first Peplink) I am trying at the new site. I cannot get the VPN to work. No matter what I do, I get INVALID_ID at the start of phase 1 IKE. I basically copied the setup I have working between the Sonicwall and the FVS to the Peplink but it simply won’t work.

Based on the limited error messages, I am pretty sure that the issue is in the remote/local IDs. As you know the IDs can be at least either IPv4, FQDN, email/text, or DN. On both the FVS and Sonicwall you can select the identity type as well as the identity data. On the Balance you cannot select the type. I don’t know if the Balance is smart enough to automatically detect the ID type based on the ID data the user enters and adjust the message accordingly, or not. I have tried Main and Aggressive mode, I have tried all of the ID options except DN (I don’t have any X.509 certs), but no matter what I do I get INVALID_ID at the FVS or Local/Remote ID mismatch on the Peplink. Again, the same config/IDs work fine on the Sonicwall to FVS. Both the FVS and the Peplink have little to no logging so I can’t see what is really going on during the exchange. I tried this on 6.1.2.

Since my VPN endpoint is not officially supported I don’t expect anything to be done, but should you look at expanding the VPN compatibility, I would be interested. In the meantime, I will just have to put an old Sonicwall behind the Peplink and just run the VPN traffic from behind it. I have tested that and it passes through the Peplink just fine. Having the Peplink by itself would have been nice…


#2

Hi,

I would appreciate it if you could open a ticket here for further investigation.


#3

Thanks. Since technically what I am trying to do is not supported I was not sure if I should submit a ticket or not. Ticket has been opened.


#4

I spent many hours trying to make my Balance 30 connect to a 2008 R2 server via IPsec. It will get the phase 1 main mode up OK, but fails every time in phase 2 with errors at the server end - incomplete message, or protocol errors during the first message sent from the Peplink in phase two.

It would be nice to have the Peplink IPsec fixed, so it did comply with the IPsec specifications properly. Currently it seems to only embrace a portion of the spec.


#5

Peplink has the advantage and specializes in a proprietary VPN that is superior to IPsec. We even added PepVPN to the Balance 20/30 models as well. It is understood that you may need to terminate IPsec with other third party routers.

As TK mentioned, we can look at this but cannot guarantee it to work with every router out there. Our resources are primarily focused on PepVPN/SpeedFusion. Our solution is easy to use, and we are proud of this technology which provides for an “unbreakable VPN” that can also bond your internet connections to increase bandwidth.


#6

IPSEC is a published standard, and it would seem the Peplink implementation is not built properly. But yes, please do leave it broken so we are forced into your non standard proprietary offerings.


#7

It looks like everything is working now. Thanks to Peplink support that pointed me in the right direction of what the Peplink was looking for in the ID fields for aggressive mode. I have been able to establish IPsec links (and pass data) with both an old Netgear FVS338 and a Sonicwall TZ 210 (the Peplink to Sonicwall was much easier to get working). The ID fields had to contain an @ symbol and be of data type user_FQDN, firewall identifier, user name, etc. (called various data types by different manufacturers). Things are definitely looking better.

I think it is fine that Peplink has a better solution. For people starting up a greenfield, that is great. Odds are though, that there is a decent market out there of users with an installed base of other equipment who are looking for something new that fits a need that the current equipment does not. In that case, it makes it much easier to get a Peplink in the door if it works nicely with the installed base. Then, if Peplink has a better solution perhaps they buy more Peplinks as they replace older units or have additional needs. If the Peplink does not play well with others, it may get passed over and never get a shot.

That was my situation. For my new site, I needed a router with a robust 3G/4G USB WAN. I use, or have used, Sonicwall, Cradlepoint, Asus, Netgear, EnGenius, etc. but for one reason or another they were coming up short for what I needed in this particular case. That led me to try Peplink. My research indicated that they had good 3G/4G USB modem capabilities (I hope that is true). If I had not been able to get IPsec working, they would have been like the others with a major flaw. Right now they are looking pretty good. I do wish the logging was better. I am used to Sonicwall where you can log anything and everything which really, really helps in troubleshooting. Unfortunately Sonicwall currently has poor 3G/4G capability.
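
The ID-type question raised in #1 and resolved in #7 comes down to one byte in the IKEv1 Identification payload (RFC 2407 section 4.6.2): the responder compares both the ID type and the ID data against what it was configured to expect, and a mismatch in either produces INVALID_ID, even when the strings are identical. The example below is an added illustration written for this thread, not Peplink, Netgear or Sonicwall code. It encodes and decodes the payload, infers the type the way a box with no type selector plausibly would (dotted quad, string containing "@", or bare FQDN), and runs a strict responder check over three constructed identities (the hostnames and address are made up for the example).

```python
"""IKEv1 Identification payload: build, parse, and check as a strict responder.

Added example for this thread, not vendor code. ID type values are from
RFC 2407 section 4.6.2.1; the payload layout is from section 4.6.2.
Hostnames and the address below are constructed for illustration.
"""
import ipaddress
import struct

# ISAKMP IPsec DOI identification types (RFC 2407 section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2
ID_USER_FQDN = 3
ID_KEY_ID = 11
ID_NAMES = {ID_IPV4_ADDR: "ID_IPV4_ADDR", ID_FQDN: "ID_FQDN",
            ID_USER_FQDN: "ID_USER_FQDN", ID_KEY_ID: "ID_KEY_ID"}

# Generic payload header (next, reserved, length) + ID-specific header
# (ID type, protocol ID, port): 8 bytes before the identification data.
HDR = struct.Struct("!BBHBBH")


def guess_id_type(text):
    """Infer the ID type a device with no type selector would derive from the
    string: a dotted quad is IPv4, anything with '@' is user FQDN (e-mail
    style), otherwise FQDN. This heuristic is an assumption of the example."""
    try:
        ipaddress.IPv4Address(text)
        return ID_IPV4_ADDR
    except ValueError:
        pass
    return ID_USER_FQDN if "@" in text else ID_FQDN


def build_id_payload(text, id_type=None, next_payload=0):
    """Encode an Identification payload for the given identity string."""
    if id_type is None:
        id_type = guess_id_type(text)
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(text).packed  # 4 raw bytes, not text
    else:
        data = text.encode("ascii")
    # Protocol ID 0 / port 0 mean "any" for phase 1 identities.
    return HDR.pack(next_payload, 0, HDR.size + len(data), id_type, 0, 0) + data


def parse_id_payload(raw):
    """Decode a payload back to (id_type, text, protocol_id, port).
    Length and encoding are validated because a bad peer can send anything."""
    if len(raw) < HDR.size:
        raise ValueError("Identification payload shorter than its header")
    _next, _res, length, id_type, proto, port = HDR.unpack(raw[:HDR.size])
    if length != len(raw):
        raise ValueError("length field %d != %d bytes present" % (length, len(raw)))
    data = raw[HDR.size:]
    if id_type == ID_IPV4_ADDR:
        if len(data) != 4:
            raise ValueError("ID_IPV4_ADDR data must be exactly 4 bytes")
        text = str(ipaddress.IPv4Address(data))
    elif id_type in (ID_FQDN, ID_USER_FQDN, ID_KEY_ID):
        text = data.decode("ascii")
    else:
        raise ValueError("unsupported ID type %d" % id_type)
    return id_type, text, proto, port


def responder_check(raw, expected_type, expected_text):
    """What a strict responder does with the initiator's IDii: the type byte
    and the data must both match its configured peer ID, or phase 1 fails.
    Returns (verdict, received_type_name, received_text)."""
    id_type, text, _proto, _port = parse_id_payload(raw)
    verdict = "OK" if (id_type, text) == (expected_type, expected_text) else "INVALID_ID"
    return verdict, ID_NAMES.get(id_type, str(id_type)), text


def demo():
    """Three cases: same string but different type byte fails; '@' form with a
    matching selector on the far end succeeds; IPv4 round-trips as 4 bytes."""
    same_string_wrong_type = responder_check(
        build_id_payload("site2.example.com"),        # sent as ID_FQDN
        ID_USER_FQDN, "site2.example.com")            # peer dropdown: User FQDN
    at_sign_form = responder_check(
        build_id_payload("site2@example.com"),        # sent as ID_USER_FQDN
        ID_USER_FQDN, "site2@example.com")
    ipv4_form = responder_check(
        build_id_payload("192.0.2.1"), ID_IPV4_ADDR, "192.0.2.1")
    return same_string_wrong_type, at_sign_form, ipv4_form


if __name__ == "__main__":
    for case in demo():
        print(case)
```

The first case in `demo()` is the failure mode from #1: identical ID strings on both ends, rejected because one side sends type 2 and the other was told to expect type 3. The "@" form works because both sides then agree on type 3 without anyone having to pick it from a menu.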


#8

That is not what we meant. IPsec is a published standard but it is notorious for its complexity and “loose” nature, meaning that the industry has been spending a lot of time in ironing out interoperability. The same is true for the SIP protocol.

Peplink responded to customer requests in good faith to support IPsec. We knew it would be a big challenge and we have to make a hard balance between product quality, customer support and development resources. The rest is history.

Even though we only officially claim support for a number of vendors, oftentimes, as you can see here, our team will reach out and do our best to support individual customers on their IPsec requirements. It’s just that we cannot guarantee it will work beautifully every single time - because we can only control one side of the IPsec tunnel.

Anyway, of course we are promoting PepVPN/SpeedFusion as a superior VPN solution but that doesn’t mean we leave IPsec broken on purpose. That claim would be over the line.