Thread Info
  • State Verified Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 5992 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC VPN goes down and doesn't renegotiate

David Babiano Rodriguez

Hi to all,

We have a customer who has a Sophos XG 210 with SFOS 17.5.3 MR3. This client has 5 FTTH with a LAG interface as WAN interface. We have configured an IPSEC tunnel with only one FTTH to monitor his network.

All goes fine, but the tunnel goes down every day (we think the client switch down the power), and the tunnel doesn't goes up never more... We have to delete the tunnel, wait a minutes and add a new tunnel. Then the tunnel goes up and we have communication with the client network.

We have a Fortigate in our site, and we can see how the firewall tries to connect the VPN but the negotiation finishes with a timeout error in both sides.

Somebody knows why the firewalls doesn't reconnect the tunnel??? We have others clients with Sophos in its side and the tunnel doesn't go down. Maybe a bug in SFOS??? Or a problem with the LAG interface???

Thanks in advance for your help.

David.



This thread was automatically locked due to age.
Parents
  • FormerMember
    +1 FormerMember

    Hi David,

    I would suggest to check the StrongSwan logs for the event when the VPN tunnel went down.

    In XG Advanced Shell, /log/strongswan.log is for the VPN connections. By viewing this log file with the event timestamp, you should be able to see some clues for the VPN disconnection.

    Furthermore, you could enable strongswan debug mode to get more information in strongswan.log for the event -

     service strongswan:debug -ds nosync

    And please use the the same command to turn off the debug mode. 

  • 0 in reply to FormerMember

    Hi Captain_A,

    I've been checking the strongswan.log, I can see this:

    2020-05-11 08:30:07 27[NET] <3902> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (448 bytes)
    2020-05-11 08:30:07 27[ENC] <3902> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    2020-05-11 08:30:07 27[IKE] <3902> X.X.X.X is initiating an IKE_SA
    2020-05-11 08:30:07 27[IKE] <3902> local host is behind NAT, sending keep alives
    2020-05-11 08:30:07 27[ENC] <3902> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
    2020-05-11 08:30:07 27[NET] <3902> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (224 bytes)
    2020-05-11 08:30:27 05[IKE] <3902> sending keep alive to X.X.X.X[500]
    2020-05-11 08:30:37 29[JOB] <3902> deleting half open IKE_SA with X.X.X.X after timeout
    2020-05-11 08:30:37 29[DMN] <3902> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA timed out before it could be established
    2020-05-11 08:30:37 18[NET] <3903> received packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (448 bytes)
    2020-05-11 08:30:37 18[ENC] <3903> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
    2020-05-11 08:30:37 18[IKE] <3903> X.X.X.X is initiating an IKE_SA
    2020-05-11 08:30:37 18[IKE] <3903> local host is behind NAT, sending keep alives
    2020-05-11 08:30:37 18[ENC] <3903> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(MULT_AUTH) ]
    2020-05-11 08:30:37 18[NET] <3903> sending packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (224 bytes)
    2020-05-11 08:30:57 17[IKE] <3903> sending keep alive to X.X.X.X[500]
    2020-05-11 08:31:07 28[JOB] <3903> deleting half open IKE_SA with X.X.X.X after timeout
    2020-05-11 08:31:07 28[DMN] <3903> [GARNER-LOGGING] (child_alert) ALERT: IKE_SA timed out before it could be established

    (Y.Y.Y.Y - Sophos device; X.X.X.X - Fortigate device)

    The devices keeps negotiating the phase1 all the time but it doesn't goes up, seems as if some service has blocked in the firewall...
    Now, I've deactivated the VPN I've been waiting for a while and activate it once. The VPN has go up without changing anything in the VPN config.

    We have got redirected all the traffic in the ISP  router to the firewall but the WAN IP address is in the ISP router. Could be this config doesn't like to the firewall?? 

    Some idea more about this???

    Thanks in advance.

    David.

  • +2 in reply to David Babiano Rodriguez

    Hello  

    It appears that there are DPD settings that are not set/working correctly on either end.

    It also appears that you are running a double NAT on the IPsec tunnel.

    Please ensure that you use IKEv2 as it has better support for double NAT.  Please ensure that ALL ports/services are forwarded from the NAT'ted device to the XG.

    For your IPsec policy ensure that if your XG is set for "initiate", that DPD settings are set for "re-connect".  However if your connection is set to "Respond", then DPD settings should be "Disconnect".  Please make sure that only 1 side is initiating the connection.  This can causes issues with SPI negotiations. 

    Also check to see that your MSS/MTU values are set correctly between ISP and XG.

    Have a look at these articles for some support:

    https://community.sophos.com/kb/en-us/123140

    https://community.sophos.com/kb/en-us/123293

    Thanks!

Reply
  • +2 in reply to David Babiano Rodriguez

    Hello  

    It appears that there are DPD settings that are not set/working correctly on either end.

    It also appears that you are running a double NAT on the IPsec tunnel.

    Please ensure that you use IKEv2 as it has better support for double NAT.  Please ensure that ALL ports/services are forwarded from the NAT'ted device to the XG.

    For your IPsec policy ensure that if your XG is set for "initiate", that DPD settings are set for "re-connect".  However if your connection is set to "Respond", then DPD settings should be "Disconnect".  Please make sure that only 1 side is initiating the connection.  This can causes issues with SPI negotiations. 

    Also check to see that your MSS/MTU values are set correctly between ISP and XG.

    Have a look at these articles for some support:

    https://community.sophos.com/kb/en-us/123140

    https://community.sophos.com/kb/en-us/123293

    Thanks!

Children
  • 0 in reply to KingChris

    Hi KingChris,

     

    the DPD is disabled because I thought that the problem came for this. Since the DPD is disabled, the VPN doesn't go down........

    The VPN was configured with IKEv2 and the Sophos was configured for initiate the negotiation too. Then this was configured properly.

    Now, I've enabled the DPD in the Sophos side and i've disabled in the Fortigate side the auto negotiation to leave this side as a responder only, the Fortigate has the DPD disabled. I think the problem is, as you said, the two sides configured as a initiater side... I will see if this works fine...

    Thanks for all!!

    David