- NG Firewall firmware versions 4.2.x, 5.0.x, 5.2.x
- netfence firmware versions 4.2.x
A Site-2-Site VPN tunnel between two NG Firewall gateways is configured with ESP as its transport mode. The tunnel is reported as established, but no data can be sent through it.
An ESP Site-2-Site VPN tunnel uses two different connections:
A UDP session on port 691 for status and KeepAlive messages, and an ESP connection for the payload transport. ESP is IP protocol 50 and carries no port numbers, so some routers - especially DSL routers for home accounts and cable modems - cannot NAT it or simply drop it, while UDP passes through.
Since the KeepAlive and status messages are sent via the UDP session, which is not blocked, the tunnel appears to be online. The gateways cannot tell whether the ESP packets were actually delivered to the partner gateway, because the status session carries no acknowledgement of payload delivery.
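The failure pattern described above shows up clearly in a packet capture on the gateway's external interface: KeepAlive packets on UDP/691 flow in both directions, while ESP packets leave the local gateway and nothing comes back. The following script is an added example, not part of the original article or of the NG Firewall product. It parses the text output of `tcpdump -n 'esp or udp port 691'` (assuming tcpdump is available on the gateway) and classifies the capture per direction; the capture lines, the gateway addresses 203.0.113.10 and 198.51.100.20, and the SPI values are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i <wan-if> 'esp or udp port 691'` output
# as seen on the local gateway (made up for this example, not a real capture).
# Local gateway: 203.0.113.10, partner gateway: 198.51.100.20.
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.691 > 198.51.100.20.691: UDP, length 48
12:00:01.000002 IP 198.51.100.20.691 > 203.0.113.10.691: UDP, length 48
12:00:01.100000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0000abcd,seq=0x1), length 132
12:00:01.200000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0000abcd,seq=0x2), length 132
12:00:02.300000 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x0000abcd,seq=0x3), length 132
12:00:11.000001 IP 203.0.113.10.691 > 198.51.100.20.691: UDP, length 48
12:00:11.000002 IP 198.51.100.20.691 > 203.0.113.10.691: UDP, length 48
"""

KEEPALIVE_PORT = 691  # UDP port of the tunnel's status/KeepAlive session

# tcpdump prints ESP as "IP a > b: ESP(spi=0x...,seq=0x...)" and UDP as "IP a.port > b.port: UDP"
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)")
UDP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP")


def _direction(src, dst, local_ip, partner_ip):
    """Return 'out', 'in' or None for a packet between the two gateways."""
    if src == local_ip and dst == partner_ip:
        return "out"
    if src == partner_ip and dst == local_ip:
        return "in"
    return None


def classify_capture(text, local_ip, partner_ip):
    """Count KeepAlive (UDP/691) and ESP packets per direction.

    Keys: ka_out, ka_in, esp_out, esp_in (a missing key reads as 0).
    Packets between other host pairs are ignored.
    """
    counts = Counter()
    for line in text.splitlines():
        m = ESP_RE.search(line)
        if m:
            d = _direction(m.group(1), m.group(2), local_ip, partner_ip)
            if d:
                counts["esp_" + d] += 1
            continue
        m = UDP_RE.search(line)
        if m:
            src, sport = m.group(1), int(m.group(2))
            dst, dport = m.group(3), int(m.group(4))
            if KEEPALIVE_PORT not in (sport, dport):
                continue  # unrelated UDP traffic
            d = _direction(src, dst, local_ip, partner_ip)
            if d:
                counts["ka_" + d] += 1
    return counts


def diagnose(counts):
    """Map the per-direction counts to the tunnel state as seen from this gateway."""
    if counts["ka_out"] == 0 or counts["ka_in"] == 0:
        return "keepalive_down"  # the status session itself fails: a different problem
    if counts["esp_out"] > 0 and counts["esp_in"] == 0:
        return "esp_blocked"     # tunnel reports online, but ESP is never answered
    if counts["esp_out"] > 0 and counts["esp_in"] > 0:
        return "ok"
    return "no_payload"          # no ESP at all: send traffic through the tunnel and recapture


if __name__ == "__main__":
    c = classify_capture(SAMPLE_CAPTURE, "203.0.113.10", "198.51.100.20")
    print(dict(c), "->", diagnose(c))
```

Generate traffic through the tunnel (for example a ping to a host behind the partner) while capturing, otherwise the result is `no_payload` rather than a verdict. An `esp_blocked` result on one side is only conclusive together with a capture on the partner gateway: if the partner never sees the ESP packets arrive while its UDP/691 KeepAlives do, a device on the path is dropping IP protocol 50.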
Change the tunnel's transport mode from ESP to TCP or UDP, which pass through such routers. To confirm the diagnosis before changing the configuration, capture on both gateways: in the blocked case the ESP packets leave the local gateway but never arrive at the partner, while the UDP port 691 KeepAlive messages are seen on both sides.