
IPSec Site to Site VPN and firmware V 17 MR8

OK,

I have two XG units.  An XG 135 in my main location, and an XG 105 in a remote office in China.

Both units run: SFOS 16.05.8 MR-8 Firmware

I have attempted to update both units to Firmware SFOS 17.0.8 MR-8.  The moment I do this, my IPSec Site to Site VPN goes down and will not come back up.  I have rebooted both units repeatedly.

This is a significant pain in the rear when this happens, because once I lose that VPN connection, I generally have to wait 12 hours or so for someone to get into the China office, use the regular Internet connection to remote into a desktop computer there, connect to the China XG105, and then revert back to the 16 Firmware.

The fact that I can remote into a desktop computer and connect to the firewall as if I was connected to it locally tells me that the unit is working and that the firmware is ok.  

There has to be something wrong with IPSec Site to Site VPN on Firmware 17.  This is the second time I have attempted this.  Several months ago I did the update when I believe the 17 firmware was on MR1 or 2....  Didn't work then either.

So what's different?  I have not modified my VPN setting in any way while going from 16 Firmware to 17 firmware.  I would just assume that it should work.

Thanks in advance for any suggestions or help.

The 17 firmware also throws a services error of something like: strongswan DEAD

Terry
  • Not sure if I want to install a further revision of the 17 Firmware if the previous versions do not work. 

    I do appreciate the response though. 

    I was hoping I would get that "aha" moment where someone says, you have to make this configuration change in 17 for it to work, or something like that.

    :)

    I guess I will have to wait until people actually have it running using an IPSec Site to Site VPN successfully.

    Thanks again,

    Terry

  • As well, I was just wondering.  If I update the firmware on one side only (Let's say the side that I am at), to version 17 firmware and leave the remote location at V16 firmware, is there any chance that the Site to Site IPSec VPN will work?

    T

  • Terry Bennett said:

    As well, I was just wondering.  If I update the firmware on one side only (Let's say the side that I am at), to version 17 firmware and leave the remote location at V16 firmware, is there any chance that the Site to Site IPSec VPN will work?

    T

    That should work.

  • Thanks for the reply, support.  Well, when I just even update one side, the IPSec VPN will not come back up.

    Suggestions?

    Is it support ticket time?

  • Terry Bennett said:

    Thanks for the reply, support.  Well, when I just even update one side, the IPSec VPN will not come back up.

    Suggestions?

    Is it support ticket time?

    I would reboot the firewall or upgrade to 17.1 on one side and see if it helps. If that doesn't work, it is time for support.

  • OK, I did reboot the devices several times and that didn't make a difference.  But, I did not go to 17.1 yet, because it is not showing up as an option in my XG yet.  I like to wait for them to show up at the Firewall level before considering upgrading.

  • Hi,

    You need to use SHA-2 truncation to 96 bits to get a V16 to V17 tunnel working.

    https://community.sophos.com/kb/en-us/127867

    Changed the daemon to strongswan.

    Cheers

  • Is that setting only available in the V17 Firmware?  I could not find it in the 16 firmware.  OK, so I just read that KB article, and I am not quite sure I understand.  The KB seems to assume both sides are on V17, I think.

    If I update to V17 on the remote site in China, then I will not have a connection to be able to go and change those settings.  That is the problem I am facing.  It becomes basically a 12 hour or more down time once I update the firmware in China.

    I don't find that acceptable.  I do appreciate the input though.  It feels like I am getting closer to an answer.

    Regards,

    Terry