Multiple IPsec Gateways with different PSK

Hallo Community,

I am fairly new to the world of Sophos and I started with setting up a Firewall XG (SFOS 18.0.3 MR-3) for my extended home network. As I have multiple locations with VPN clients and different rules for how they use my services, I set up multiple IPsec gateways with different settings. But since all VPN clients are behind dynamic NAT IPs, all gateways have the same local listen address and %any as remote.

If I set up a PSK for one gateway, the settings are applied and connection is possible. If I try to set up a different PSK for another gateway, the settings are applied and I am able to connect too, BUT the PSK from the first gateway is overwritten by the new settings. This happens to all PSKs for any gateway since they all have the same local address for listening and an * as remote address.

I have already read this Post since this is exactly the same issue I have too: https://community.sophos.com/products/xg-firewall/f/vpn/85051/pre-shared-keys-changing

My question here is: Is there any other solution for this without setting a specific remote address?

Thank you!



  • Hi,

    If I try to set up a different PSK for another gateway, the settings are applied and I am able to connect too BUT the PSK from the first gateway is overwritten by the new settings.

    Does the same issue apply with digital certificates for each IPsec tunnel?

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.

  • After I set up a certification authority and issued certificates for all members, it turns out that the behavior described above is not a problem at all. It is okay for me since I wanted to replace the PSK authentication by certificate-based authentication anyway. But in my opinion the behavior described above is not useful and I would be interested in finding a solution to this further.

  • I believe this is not an issue of Sophos XG itself, but it's from the underlying software that doesn't support this (strongSwan).

    By reading the mailing lists, I believe if you create two IPsec tunnels with PSK - and "*" as the gateway, and set up both Local & Remote ID you won't have this issue anymore.

    Thanks!


  • I was really digging for the cause of this behavior in the logs and strongSwan config files. It seems that it is not a strongSwan issue.

    Of course the tunnels had the "*" as gateway, but all had different local and remote IDs. Sophos XG writes a line on top within all the secrets files for every connection with the listen interface IP and "*" as credentials. If you update any PSK, all these secrets files get the same line and the same PSK. After that line an additional line is defined for the local and remote ID of that connection, but the PSK is the same.

    I think there would be no issue at all if the specific secrets files were only based on local and remote ID.

    If you are using certificates, that first line will not appear.

    Thank you too! 

  • It is actually quite easy: In IPsec, you have SAs, which will be built up for each tunnel. As you move towards a wildcard tunnel, you cannot differentiate between two different tunnel configs.

    Tunnel A has PSK 1

    Tunnel B has PSK 2

    If you give XG the option to know which source will use the Tunnel A config, it can use PSK 1. But if XG has two wildcard tunnel configs, those configs will mix up and XG cannot know which tunnel needs which PSK.

    There are solutions (like UTM) which work around this with something like PSK probing. This is not a standard by any means and is not implemented in XG.

    There is a way to resolve this, as you already stated. You can differentiate those tunnels by using the identifiers (remote / local identifiers). But this is not implemented in XG right now.

    The main question would be: As XG moves towards route-based VPN, wildcard certificates are not supported in this technique. So if you want to integrate RB tunnels, you need to rethink this and maybe move to DDNS solutions.
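Added here to illustrate the two explanations above (the secrets-file layout with a wildcard line on top, and why two wildcard tunnels cannot be told apart); this is not code from the thread, from Sophos or from strongSwan. It parses constructed ipsec.secrets-style files, applies a simplified selection model (exact local/remote ID match first, otherwise the wildcard line as fallback, which is an assumption rather than strongSwan's exact lookup), and audits the files for the symptom described: a wildcard listen-IP line and one PSK shared across tunnel files.

```python
import re

# Constructed sample files, laid out as the post describes: a line with the listen IP and "*"
# on top of every connection's secrets file, then a line keyed on local and remote IDs. All values are made up.
SECRETS_TUNNEL_A = '''\
198.51.100.10 * : PSK "key-from-last-update"
@hq.example.net @site-a.example.net : PSK "key-from-last-update"
'''
SECRETS_TUNNEL_B = '''\
198.51.100.10 * : PSK "key-from-last-update"
@hq.example.net @site-b.example.net : PSK "key-from-last-update"
'''
# The same two tunnels keyed on identities only, as the post suggests would avoid the problem.
SECRETS_ID_ONLY = '''\
@hq.example.net @site-a.example.net : PSK "key-for-site-a"
@hq.example.net @site-b.example.net : PSK "key-for-site-b"
'''

LINE = re.compile(r'^\s*(?P<sel>[^:#]*?)\s*:\s*PSK\s+"(?P<psk>[^"]*)"\s*$')
WILDCARDS = {'*', '%any'}

def parse_secrets(text):
    """Return [(selectors, psk)] for every PSK line written in ipsec.secrets syntax."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            entries.append((tuple(m['sel'].split()), m['psk']))
    return entries

def lookup_psk(entries, local_id, remote_id):
    """Simplified model (assumption): exact ID match wins, otherwise the first wildcard line."""
    fallback = None
    for selectors, psk in entries:
        if selectors == (local_id, remote_id):
            return psk
        if fallback is None and WILDCARDS & set(selectors):
            fallback = psk
    return fallback

def audit(named_files):
    """Flag wildcard selector lines and a PSK shared by several tunnel files; key values are not reported."""
    findings, psk_files = [], {}
    for name, text in named_files.items():
        for selectors, psk in parse_secrets(text):
            if WILDCARDS & set(selectors):
                findings.append(f'{name}: wildcard selector "{" ".join(selectors)}" matches any peer')
            psk_files.setdefault(psk, set()).add(name)
    findings += [f'same PSK used by {sorted(files)}' for files in psk_files.values() if len(files) > 1]
    return findings
```

Running `audit({'tunnel_a': SECRETS_TUNNEL_A, 'tunnel_b': SECRETS_TUNNEL_B})` reports both wildcard lines and the shared key, while the ID-only file yields no findings and a distinct key per tunnel.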


  • Thank you for your reply!

    I understand that and I have an idea how XG works with it. But it is a bit strange that the given task can easily be done by a pure strongSwan implementation on Linux, as I have already done that many times before. Anyway... I moved on to certificate-based authentication and this works for me pretty well.
