
IPSec Site to Site VPN and firmware V 17 MR8

OK,

I have two XG units.  An XG 135 in my main location, and an XG 105 in a remote office in China.

Both units run: SFOS 16.05.8 MR-8 Firmware

 

I have attempted to update both units to Firmware SFOS 17.0.8 MR-8.  The moment I do this, my IPSEC Site to Site VPN goes down and will not come back up.  I have rebooted both units repeatedly.

 

This is a significant pain in the rear when this happens, because once I lose that VPN connection, I generally have to wait 12 hours or so for someone to get into the China office, use the regular Internet connection to remote into a desktop computer there, connect to the China XG105, and then revert back to the 16 Firmware.

The fact that I can remote into a desktop computer and connect to the firewall as if I was connected to it locally tells me that the unit is working and that the firmware is ok.  

There has to be something wrong with IPSec Site to Site VPN on Firmware 17.  This is the second time I have attempted this.  Several months ago I did the update when I believe the 17 firmware was on MR1 or 2....  Didn't work then either.

So what's different?  I have not modified my VPN setting in any way while going from 16 Firmware to 17 firmware.  I would just assume that it should work.

Thanks in advance for any suggestions or help.

The 17 firmware also throws a services error of something like:  strongswan DEAD

 

Terry

 



  • Hi,

    Yes, we do have a working China->Canada IPSec connection.  It works most of the time. It does drop from time to time (Thank you Great Firewall of China and the Chinese Government), but does work.  Both my XG units are still on the 16 firmware because the 17 Firmware IPSEC IS BROKEN STILL.

     

    Ah, Policy is DefaultHeadOffice.  Hope that helps.

     

    Terry

     

  • Hi,

    Yes, this option is only in V17.

     

    Basically there are several "to-dos" after updating to V17 if you experience issues in IPsec.

    1. Delete all the auto-converted IPsec policies and "rebuild" them as needed.

    2. If you have a V16 / Cyberoam peer, use the SHA 2 truncation into 96 bit.

    3. Double check the policy in case of a typo (no, I am not kidding).

     

    Cheers
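
Added example, not part of the original thread and not Sophos or strongSwan code: item 2 in the post above concerns the length to which the HMAC-SHA2 integrity value (ICV) on each ESP packet is truncated. The sketch assumes HMAC-SHA-256 with a 128-bit ICV (RFC 4868) on one peer and the 96-bit truncation the post names on the other; the key, SPI and payload are constructed, and encryption is left out to isolate the integrity check.

```python
import hashlib
import hmac
import struct

AUTH_KEY = bytes(range(32))   # constructed 256-bit key, not a real SA key
SPI, SEQ = 0xC0FFEE01, 1      # constructed SPI and sequence number


def esp_icv(header: bytes, body: bytes, icv_bits: int) -> bytes:
    """HMAC-SHA-256 over ESP header + body, truncated to icv_bits."""
    full = hmac.new(AUTH_KEY, header + body, hashlib.sha256).digest()
    return full[: icv_bits // 8]


def esp_send(payload: bytes, icv_bits: int) -> bytes:
    """Build header | payload | ICV as the sending peer would."""
    header = struct.pack("!II", SPI, SEQ)
    return header + payload + esp_icv(header, payload, icv_bits)


def esp_receive(packet: bytes, icv_bits: int):
    """Return the payload if the ICV verifies, else None (packet dropped)."""
    n = icv_bits // 8
    if len(packet) < 8 + n:
        return None
    # The receiver decides where the ICV starts from its OWN configured
    # length, so a mismatch shifts the boundary and the MAC never matches.
    header, body, icv = packet[:8], packet[8:-n], packet[-n:]
    if not hmac.compare_digest(icv, esp_icv(header, body, icv_bits)):
        return None
    return body


def tunnel_passes(sender_bits: int, receiver_bits: int) -> bool:
    payload = b"constructed inner packet"
    return esp_receive(esp_send(payload, sender_bits), receiver_bits) == payload


if __name__ == "__main__":
    for s in (96, 128):
        for r in (96, 128):
            state = "accepted" if tunnel_passes(s, r) else "dropped"
            print(f"sender ICV {s} bit -> receiver ICV {r} bit: {state}")
```
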

     

  • That will be a hard no on my part.

     

    I will wait until it is actually fixed and I don't have to do any kludged steps or invent some Rube Goldberg machine just to get it to work.  Thank you for the input though.

     

    Terry

     

  • Hi,

    Actually, I don't think this will be fixed. Those are steps which are needed if you do the update to V17.

    If you do a "scratch installation" on V17, there should not be any issues.

    Actually, I have X IPsec tunnels working fine in V17.1 without any issue.

    Please keep in mind, V16 will go "End of Life" sometime.

  • Appreciate you responding so quickly, Terry. Yeah, I had our SSL-VPN configuration work out of Hong Kong and had one session of IPSec work in Dongguan, but the next morning nothing. What is ticking me off is that our client visits our location and his IPSec works all the time (the client is using a CheckPoint system back home). Making me look bad.