
Major bug with SFOS 17.0.6 MR-6? IPsec VPN policies apply, but don't actually apply. Who else has seen this?

So, after extensive investigation, I've determined that on SFOS 17.0.6 MR-6 using an XG 210 there is a bug with IPsec policies. Essentially, you can create an IPsec VPN, create the IPsec policy, and apply everything - the end result is that in the web interface of the Sophos it appears that the policy is applied; however, it in fact is not. The VPN fails to connect, and it "looks" like there is some sort of issue with the phase 1 & 2 settings of the policy.

 

Here's the catch. If I clone the policy, make zero changes, and apply the cloned policy to the same IPsec VPN - the VPNs will come up without any issues. Sometimes this process has to be repeated 4 or 5 times, but eventually it works. No change to settings.

 

I wasted hours and hours fighting with this, and I'm sure others have as well - so to my fellow net admins out there, if you're having an issue with an IPsec VPN and you *KNOW* that the IPsec policies are correct, try cloning the policy, applying it to your VPN, and seeing if it comes up - I think you might be surprised. If it doesn't work the first time, try doing it a few times - the key is to not change any values of the policy, but rather just clone and apply to the VPN you're having trouble with.

 

To Sophos - is this a known issue? If it's not, I'd like to submit config/logs/etc. to get it to the devs for the next firmware release.



This thread was automatically locked due to age.