Site to Site ipsec

Hey ViciousMagician1116 

I would advise to schedule downtime and upgrade the rest of your XG firewall appliances to SFOS 17.0.6 MR-6 for consistency among the tunnels. Please let me know if you still experience issues after performing this. 

Regards,

FloSupport | Community Support Engineer

Im afraid to upgrade the other one (only have 3) since i can't get this one to make a tunnel at all.

I have made a new copy of the defaultHeadOffice and defaultremoteoffice ipsec profiles edited the weaker security in them make sure they matched on both the Main XG and the remote XG.  Assigned each one to the tunnel.  Still no go. Even rebooted both XG units and nothing. 

Did you delete the old IPsec connection completely and create a new one? What log messages are being generated?

Regards,

FloSupport | Community Support Engineer

You do not need to be afraid. Just upgrade them and if it does not work you can rollback to the other firmware. ;)

I tried to make a copy and also delete the connection at both XG's.  Even tried using new keys.  They will not connect anymore.  I also tried to roll the remote XG back to 1703 and it will not connect like that either.  

What logs should I be looking at?  In the System Log I see this:  peer did not respond to initial message 31 followed by parsing IKE message from 123.123.123.123[500] failed

I tried using the wizard to create new connection on each end, still fails with the same message.  

Try the following:

1. Upgrade both appliances to MR6
2. Delete all VPN profiles
3. Make custom IKEv2 policies out of the default ones with only one crypt setting in each phase
   1. Make sure that DPD times are the same on both sites except one should be set to initiate and the other to disconnect
   2. Make sure that the Key Negotiation Tries are set to 0 on the initiating site.
4. Recreate the VPN policies
   1. Make sure the PSK matches
   2. Make sure that networks are matching just the other way round.
   3. Make sure to set the Gateway Address if possible on both sites

With these settings I was able to get IPsec connections running stable. I hope that helps you.

Try the following:

1. Upgrade both appliances to MR6
2. Delete all VPN profiles
3. Make custom IKEv2 policies out of the default ones with only one crypt setting in each phase
   1. Make sure that DPD times are the same on both sites except one should be set to initiate and the other to disconnect
   2. Make sure that the Key Negotiation Tries are set to 0 on the initiating site.
4. Recreate the VPN policies
   1. Make sure the PSK matches
   2. Make sure that networks are matching just the other way round.
   3. Make sure to set the Gateway Address if possible on both sites

With these settings I was able to get IPsec connections running stable. I hope that helps you.

Both of these are fully upgraded.

I tried this before but I did it again from scratch.  Copied the ikev2 to a new policy on each xg and edited it just as you said, only 1 algorithm per phase.  Remote site is set to 0 Key tries - Head Office set to 3.  DPD the remote is re-initiate - Head office is disconnect.  Everything else matches in the ipsec policy.  

Now when i activate the connection on each end i get this in the log:  creating local authentication data failed

If it helps, at the head end the log shows peer authentication failed

Hi ViciousMagician1116 

Please log a support case with us and PM me with the support case number so that we can investigate this issue further.

Thanks,

FloSupport | Community Support Engineer

Ok I just opened a case

This is solved after the support call.  It seems that at least for my setup that i needed to use the IP not DNS in the ipsec connection - Remote Gateway - Gateway Address.  Don't know why but when we put in the IP instead of the FQDN it just worked again.  

This could be because of the related changes: community.sophos.com/.../131814

I was facing the same issue when trying to establish an IPSEC to a PFSense 2.3 firewall.

My solution was the same. Change remote gateway from dnsname to ip.

Thanks for the information.