
IPSec Site to Site VPN and firmware V 17 MR8

OK,

I have two XG units.  An XG 135 in my main location, and an XG 105 in a remote office in China.

Both units run: SFOS 16.05.8 MR-8 Firmware

 

I have attempted to update both units to Firmware SFOS 17.0.8 MR-8.  The moment I do this, my IPSEC Site to Site VPN goes down and will not come back up.  I have rebooted both units repeatedly.

 

This is a significant pain in the rear when this happens, because once I lose that VPN connection, I generally have to wait 12 hours or so for someone to get into the China office, use the regular Internet connection to remote into a desktop computer there, connect to the China XG105, and then revert back to the 16 Firmware.

The fact that I can remote into a desktop computer and connect to the firewall as if I was connected to it locally tells me that the unit is working and that the firmware is ok.  

There has to be something wrong with IPSec Site to Site VPN on Firmware 17.  This is the second time I have attempted this.  Several months ago I did the update when I believe the 17 firmware was on MR1 or 2....  Didn't work then either.

So what's different?  I have not modified my VPN settings in any way while going from 16 Firmware to 17 firmware.  I would just assume that it should work.

Thanks in advance for any suggestions or help.

The 17 firmware also throws a services error of something like:  strongswan DEAD

 

Terry

 



  • Hey Terry, I know you actually have a site to site IPSec connection between China and another country, may I ask what encryption you have working. We have been struggling with our IPSec client software establishing a China->Canada connection with the Sophos XG firewall and for the life of me not sure what is actually working. The current client IPSec configuration works everywhere but China. I do know one of clients using a Checkpoint device is having zero issues using their IPsec config back to Canada from our China location so not sure if its the XG firewall is the problem. Thank you.

  • Hi,

    Yes, we do have a working China->Canada IPSec connection.  It works most of the time. It does drop from time to time (Thank you Great Firewall of China and the Chinese Government), but does work.  Both my XG units are still on the 16 firmware because the 17 Firmware IPSEC IS BROKEN STILL.

     

    Ah, Policy is DefaultHeadOffice.  Hope that helps.

     

    Terry

     

  • Hi,

    yes this option is only in V17.

     

    Basically there are several "to-dos" after updating to V17 if you experience issues in IPsec.

    1. Delete all the auto-converted IPsec Policies and "rebuild" them as needed.

    2. If you have a V16 / Cyberoam peer, use the SHA 2 truncation into 96 bit.

    3. Double check the Policy in case of a typo (no - I am not kidding).

     

    Cheers

     
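To show why step 2 above matters, here is an added example (not code from the thread or from Sophos) that simulates the ESP integrity check on both ends of a tunnel: HMAC-SHA-256 with the RFC 4868 128-bit truncation on one side and the older 96-bit truncation on the other. The key, the packet body and the helper names are constructed for the demonstration; any mismatch in configured ICV length makes the receiver reject every packet, which looks like a tunnel that comes up and passes no traffic.

```python
import hmac
import hashlib

# ICV lengths for HMAC-SHA-256 in ESP: RFC 4868 truncates the 256-bit MAC to
# 128 bits; the pre-RFC "sha256_96" variant (what an older peer expects)
# truncates it to 96 bits.
ICV_BITS_RFC4868 = 128
ICV_BITS_LEGACY = 96

# Constructed sample values, not taken from the thread.
INTEG_KEY = bytes(range(32))                       # 256-bit integrity key
ESP_BODY = bytes.fromhex("00000100")              # SPI (constructed)
ESP_BODY += bytes.fromhex("00000001")             # sequence number
ESP_BODY += b"encrypted-payload-and-trailer"      # ciphertext placeholder


def esp_icv(integ_key: bytes, authenticated: bytes, icv_bits: int) -> bytes:
    """Compute the ESP integrity check value: HMAC-SHA-256 truncated to icv_bits."""
    full_mac = hmac.new(integ_key, authenticated, hashlib.sha256).digest()
    return full_mac[: icv_bits // 8]


def build_packet(integ_key: bytes, body: bytes, icv_bits: int) -> bytes:
    """Sender side: append the ICV the sender's configuration produces."""
    return body + esp_icv(integ_key, body, icv_bits)


def verify_packet(integ_key: bytes, packet: bytes, expected_icv_bits: int) -> bool:
    """Receiver side: split off the ICV length the receiver is configured for
    and recompute it; a constant-time compare decides accept/drop."""
    icv_len = expected_icv_bits // 8
    if len(packet) <= icv_len:
        return False
    body, icv = packet[:-icv_len], packet[-icv_len:]
    expected = esp_icv(integ_key, body, expected_icv_bits)
    return hmac.compare_digest(icv, expected)


def tunnel_passes_traffic(sender_bits: int, receiver_bits: int) -> bool:
    """Simulate one packet across a tunnel whose two ends use the given truncations."""
    packet = build_packet(INTEG_KEY, ESP_BODY, sender_bits)
    return verify_packet(INTEG_KEY, packet, receiver_bits)


if __name__ == "__main__":
    for s, r in [(96, 96), (128, 128), (128, 96), (96, 128)]:
        print(f"sender {s}-bit, receiver {r}-bit: accepted={tunnel_passes_traffic(s, r)}")
```

Only the two matching rows are accepted; the mixed rows fail because the receiver slices a different number of trailing bytes than the sender appended, so the recomputed MAC covers a different body.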

  • That will be a hard no on my part.

     

    I will wait until it is actually fixed and I don't have to do any kludged steps or invent some Rube Goldberg machine just to get it to work.  Thank you for the input though.

     

    Terry

     

  • Hi,

    Actually I don't think this will be fixed. Those are steps which are needed if you do the update to V17.

    If you do a "scratch installation" on v17, there should not be any issues. 

    Actually I have X IPsec tunnels working fine in V17.1 without any issue.

    Please keep in mind, V16 will go "End of Life" sometime.