Just upgraded both sites to MR5. I was stable up through MR5. After the first site went to MR5, I had to manually restart the connections, but it did reconnect and was stable and still worked. After upgrading the 2nd site - not stable and no traffic - I am now joining the V17 IPSec mess.
Both of my sites are XG135. Here is what I used to get them stable:
Created a new IPSec profile in my main office with:
Key exchange: IKEv2
Authentication Mode: Main Mode
Key Negotiation Tries: 0
Phase 1:
Key Life: 12600
Re-key Margin: 360
Randomize Re-Keying Margin by: 100
DH Group (only 1 selected): 14 (DH2048)
Encryption: AES128 (AES256 did not seem to work)
Authentication: SHA2 256
(only 1 Algorithm combination)
Phase 2
PFS Group: Same as Phase-1
Key Life: 5400
Encryption: AES128
Authentication: SHA2 256
Dead Peer Detection
Check Peer After Every: 30
Wait for Response Up to: 120
When Peer is Unreachable: Re-Initiate
Then on the branch office side, I created a new profile with:
-- all the same settings as above, except --
Dead Peer Detection
When Peer is Unreachable: Disconnect
For the IPSec connections, on my main office I set the "Gateway Type" to "Initiate the Connection" and at my branch office I set it to "Respond Only".
All of my other settings carried over from V15/V16/V17-MR3.
My firewall rules were the same from V15/V16/V17-MR3. However, I now suspect the firewall rules may not be working, but I am not sure why.
Any insights from others would be helpful.
Regards,
Gary
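An added example, not part of Gary's post or of Sophos XG itself: a small Python check that models the two profiles described above and flags settings that must match between the main and branch office, while allowing only the DPD action and gateway role to differ (the field names and the "initiate"/"respond-only" labels are this example's own).

```python
from dataclasses import dataclass, asdict

@dataclass
class IpsecProfile:
    """One site's IPsec profile; field names are this example's own, not Sophos XG's."""
    key_exchange: str
    p1_key_life: int           # Phase 1 key life, seconds
    rekey_margin: int          # seconds before expiry at which re-keying starts
    rekey_randomize_pct: int   # randomization applied to the margin, percent
    dh_groups: tuple           # the post keeps exactly one group selected
    p1_enc: str
    p1_auth: str
    pfs_group: str
    p2_key_life: int
    p2_enc: str
    p2_auth: str
    dpd_check_every: int
    dpd_wait: int
    dpd_action: str            # "re-initiate" or "disconnect"
    gateway_type: str          # "initiate" or "respond-only"

# The only fields the post deliberately sets differently on the two sites.
ASYMMETRIC = {"dpd_action", "gateway_type"}

def check_pair(main: IpsecProfile, branch: IpsecProfile) -> list:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for name, value in asdict(main).items():
        if name not in ASYMMETRIC and value != getattr(branch, name):
            problems.append(f"{name} differs: {value!r} vs {getattr(branch, name)!r}")
    if {main.gateway_type, branch.gateway_type} != {"initiate", "respond-only"}:
        problems.append("exactly one side must initiate and the other respond only")
    for side, p in (("main", main), ("branch", branch)):
        # As in the post: the responder drops the SA, the initiator re-initiates.
        expected = "disconnect" if p.gateway_type == "respond-only" else "re-initiate"
        if p.dpd_action != expected:
            problems.append(f"{side}: DPD action should be {expected}")
        # Worst-case margin (margin plus full randomization) must fit inside key life.
        worst_margin = p.rekey_margin * (1 + p.rekey_randomize_pct / 100)
        if worst_margin >= p.p1_key_life:
            problems.append(f"{side}: re-key margin exceeds Phase 1 key life")
        if p.p2_key_life > p.p1_key_life:
            problems.append(f"{side}: Phase 2 key life longer than Phase 1")
        if p.dpd_wait < p.dpd_check_every:
            problems.append(f"{side}: DPD wait shorter than check interval")
        if len(p.dh_groups) != 1:
            problems.append(f"{side}: select a single DH group")
    return problems
```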