
V17-MR5 IPSec VPN - I got it to be stable - but no traffic

Just upgraded both sites to MR5. I was stable up through MR5. After the first site went to MR5, I had to manually restart the connections, but it did reconnect and was stable and still worked. After upgrading the 2nd site - not stable and no traffic - I am now joining the V17 IPSec mess.

Both of my sites are XG135. Here is what I used to get them stable:

Created a new IPSec profile in my main office with:

Key exchange: IKEv2
Authentication Mode: Main Mode
Key Negotiation Tries: 0

Phase 1:
Key Life: 12600
Re-key Margin: 360
Randomize Re-Keying Margin by: 100
DH Group (only 1 selected): 14 (DH2048)
Encryption: AES128 (AES256 did not seem to work)
Authentication: SHA2 256
(only 1 Algorithm combination)

Phase 2:
PFS Group: Same as Phase-1
Key Life: 5400
Encryption: AES128
Authentication: SHA2 256

Dead Peer Detection:
Check Peer After Every: 30
Wait for Response Up to: 120
When Peer is Unreachable: Re-Initiate

Then on the branch office side, I created a new profile with:

-- all the same settings as above, except --

Dead Peer Detection:
When Peer is Unreachable: Disconnect

For the IPSec connections, on my main office I set the "Gateway Type" to "Initiate the Connection" and at my branch office I set it to "Respond Only".

All of my other settings carried over from V15/V16/V17-MR3.

My firewall rules were the same from V15/V16/V17-MR3. However, I now suspect the firewall rules may not be working, but I am not sure why.

Any insights from others would be helpful.

Regards,

Gary



  • Hey

    Could you please attempt changing your IPsec profile to the recommended settings listed here.
    Also please share the log entries that you observe when performing a packet capture for your IPsec VPN tunnel traffic.

    Thanks,

    FloSupport | Community Support Engineer

  • For this particular issue, it was resolved with a call to Sophos support. In this case, an additional CISCO VPN Client (for remote VPN service for Apple iOS devices) had a shared subnet with the target LAN. While it worked previously, it was causing routing failures after the upgrade to V17-MR5. Once it was assigned a separate subnet the issue cleared up. There was little to no indication of what was happening other than one firewall block on the remote in the packet capture. Kudos to Sophos support for finding it. It all worked previously in V15/V16 and V17 MR3 but not in V17-MR5.

    Regards,

    Gary
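As an added example (not from the thread, and not Sophos tooling), a small Python pre-check for the two things this thread turned on: a remote-access client pool overlapping a LAN that is also carried by the site-to-site tunnel, and the profile fields that must match on both tunnel ends while the DPD action and gateway role are deliberately different. The network prefixes and field names are constructed placeholders, not the poster's real addressing.

```python
import ipaddress
from itertools import combinations

# Constructed sample addressing modelled on the thread: two site LANs plus a
# remote-access (Cisco VPN client) pool that has been carved out of the main LAN.
NETWORKS = {
    "main_office_lan": "10.10.0.0/24",
    "branch_lan": "10.20.0.0/24",
    "remote_client_pool": "10.10.0.128/25",  # overlaps main_office_lan
}


def find_overlaps(networks):
    """Return sorted (name_a, name_b) pairs whose prefixes overlap.

    Any overlap between a remote-access pool and a LAN reachable over a
    site-to-site tunnel makes the return route ambiguous, which is the
    failure the thread describes (traffic silently dropped, one block in
    the packet capture).
    """
    parsed = {n: ipaddress.ip_network(p, strict=False) for n, p in networks.items()}
    return sorted((a, b) for a, b in combinations(sorted(parsed), 2)
                  if parsed[a].overlaps(parsed[b]))


# Fields that must agree on both tunnel endpoints. The DPD action and the
# gateway type are intentionally asymmetric (Re-Initiate/Initiate on one side,
# Disconnect/Respond Only on the other) and are therefore not listed here.
MUST_MATCH = ("key_exchange", "dh_group", "p1_encryption", "p1_auth",
              "p2_encryption", "p2_auth", "p1_key_life", "p2_key_life")


def profile_mismatches(initiator, responder):
    """Return the names of MUST_MATCH fields whose values differ."""
    return [f for f in MUST_MATCH if initiator.get(f) != responder.get(f)]


# Profiles transcribed from the thread's settings (hypothetical field names).
MAIN = {"key_exchange": "IKEv2", "dh_group": 14, "p1_encryption": "AES128",
        "p1_auth": "SHA2_256", "p2_encryption": "AES128", "p2_auth": "SHA2_256",
        "p1_key_life": 12600, "p2_key_life": 5400, "dpd_action": "Re-Initiate",
        "gateway_type": "Initiate the Connection"}
BRANCH = {**MAIN, "dpd_action": "Disconnect", "gateway_type": "Respond Only"}

if __name__ == "__main__":
    print("overlapping networks:", find_overlaps(NETWORKS))
    print("profile mismatches:", profile_mismatches(MAIN, BRANCH))
```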
