Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 15 replies
  • Answers 1 answer
  • Subscribers 30 subscribers
  • Views 2069 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec VPN

nayah

Hello members,

I am sharing this post in the community hoping to find help with an IPSEC VPN connection issue that we still cannot determine the cause of.

This is the topology, on our side we have an XG 340 as a firewall and on the client side they have a Fortigate (I don't know which version it is).

We have a 10.2.160.x / 24 subnet configured as a local subnet on the XG, and on the client side they have 5 machines as a subnet remote.

The concern that at some random time one or two of these remote Hosts become unreachable from our local 10.2.160.x / 24 subnet. Below are the related logs when we try to reach him. What is weird for me, when we restart the VPN on our side, they become reachable again.

If anyone could give me any suggestion on this problem I am taking it.

PS: I changed the personal information in the log due to security.

2021-08-09 12:26:14 11[IKE] <VPN_XXX-1|471> generating INFORMATIONAL_V1 request 3206003903 [ HASH N(DPD) ]
2021-08-09 12:26:14 11[NET] <VPN_XXX-1|471> sending packet: OUR_PUBLIC_IP[500] to THEIR_PUBLIC_IP[500] (108 bytes)
2021-08-09 12:26:15 12[NET] <VPN_XXX-1|471> received packet: from THEIR_PUBLIC_IP[500] to OUR_PUBLIC_IP[500] (108 bytes)
2021-08-09 12:26:15 12[ENC] <VPN_XXX-1|471> parsed INFORMATIONAL_V1 request 563907384 [ HASH N(DPD_AC



This thread was automatically locked due to age.
Parents
  • 0 in reply to dirkkotte

    the same line is always displayed when the remote machine is not reachable

    2021-08-10 10:08:50 16[NET] <VPN_DPD-1|521> received packet: from 212.23.168.174[500] to 41.204.124.130[500] (92 bytes)
    2021-08-10 10:08:50 16[ENC] <VPN_DPD-1|521> parsed INFORMATIONAL_V1 request 2378267188 [ HASH N(INVAL_SPI) ]
    2021-08-10 10:08:50 16[IKE] <VPN_DPD-1|521> informational: received INVALID_SPI error notify
    2021-08-10 10:08:55 27[NET] <VPN_DPD-1|521> received packet: from 212.23.168.174[500] to 41.204.124.130[500] (92 bytes)
    2021-08-10 10:08:55 27[ENC] <VPN_DPD-1|521> parsed INFORMATIONAL_V1 request 1564785966 [ HASH N(INVAL_SPI) ]
    2021-08-10 10:08:55 27[IKE] <VPN_DPD-1|521> informational: received INVALID_SPI error notify
    2021-08-10 10:08:57 05[NET] <VPN_DPD-1|521> received packet: from 212.23.168.174[500] to 41.204.124.130[500] (92 bytes)
    2021-08-10 10:08:57 05[ENC] <VPN_DPD-1|521> parsed INFORMATIONAL_V1 request 3865066486 [ HASH N(INVAL_SPI) ]
    2021-08-10 10:08:57 05[IKE] <VPN_DPD-1|521> informational: received INVALID_SPI error notify
    2021-08-10 10:08:59 15[NET] <VPN_DPD-1|521> received packet: from 212.23.168.174[500] to 41.204.124.130[500] (92 bytes)
    2021-08-10 10:08:59 15[ENC] <VPN_DPD-1|521> parsed INFORMATIONAL_V1 request 2090051699 [ HASH N(INVAL_SPI) ]
    2021-08-10 10:08:59 15[IKE] <VPN_DPD-1|521> informational: received INVALID_SPI error notify
    2021-08-10 10:09:01 13[NET] <VPN_DPD-1|521> received packet: from 212.23.168.174[500] to 41.204.124.130[500] (92 bytes)
    2021-08-10 10:09:01 13[ENC] <VPN_DPD-1|521> parsed INFORMATIONAL_V1 request 3925680572 [ HASH N(INVAL_SPI) ]
    2021-08-10 10:09:01 13[IKE] <VPN_DPD-1|521> informational: received INVALID_SPI error notify

  • 0 in reply to nayah

    Are you sure you are not connected at the moment?

    I would think these messages were related to rekeying issues ... while connected. (Possibly the negotiated timers don't match)

    ...and these messages look very different from the ones reported first

  • 0 in reply to dirkkotte

    I have just deactivated the DPD (dead peer detected) option on the sophos which apparently does not exist on portigate.

    After this modification I restarted the VPN, and the remote hosts are currently all reachable.

    Worry what at a truly random moment, one or two of these remote hosts become unreachable. This is what really breaks my head

  • 0 in reply to dirkkotte

    Despite the deactivation of the DPD parameter, the problem still persists.

    I always receive the same log. Can someone explain to me what this log is all about.

    2021-08-11 10:36:25 11[NET] <VPN_DPD-1|580> received packet: from PUBLIC_IP_REMOTE[500] to PUBLIC_IP_LOCAL[500] (108 bytes)
    2021-08-11 10:36:25 11[ENC] <VPN_DPD-1|580> parsed INFORMATIONAL_V1 request 2420933925 [ HASH N(DPD) ]
    2021-08-11 10:36:25 11[ENC] <VPN_DPD-1|580> generating INFORMATIONAL_V1 request 2602844757 [ HASH N(DPD_ACK) ]
    2021-08-11 10:36:25 11[NET] <VPN_DPD-1|580> sending packet: from PUBLIC_IP_LOCAL[500] to PUBLIC_IP_REMOTE[500] (108 bytes)
    2021-08-11 10:36:26 17[NET] <VPN_DPD-1|580> received packet: from PUBLIC_IP_REMOTE[500] to PUBLIC_IP_LOCAL[500] (92 bytes)
    2021-08-11 10:36:26 17[ENC] <VPN_DPD-1|580> parsed INFORMATIONAL_V1 request 3156681778 [ HASH N(INVAL_SPI) ]
    2021-08-11 10:36:26 17[IKE] <VPN_DPD-1|580> informational: received INVALID_SPI error notify

  • 0 in reply to nayah

    I have moved this thread to the XG Community.

    Cheers - Bob

  • FormerMember
    0 FormerMember in reply to nayah

    Hi ,

    What is the phase 1 and phase 2 key life value on both firewalls? Which site is configured to start the connection? 

    Thanks,

  • 0 in reply to FormerMember

    the key life of the phase 1 and Phase 2 is a same. Configured in 28800 

    And on the sophos, the Gateway type parameter is configured as "Initiate the connection"

  • FormerMember
    0 FormerMember in reply to nayah

    Hi ,

    We need to compare the configured policies side by side. Would it be possible for you to send the screenshots from both firewalls via personal message? 

    Thanks,

  • 0 in reply to FormerMember

    Hi, sorry if it is now that I have time to answer you because I was taken by other subject.

    For your request, we do not have access to the fortiget since it is another entity that manages it.

    We will try to see with them the configurations on both sides and I will follow up.

  • 0 in reply to nayah

    At each renegotiation, XG Firewall gateway deletes the old IKE SA. While rekeying, packets with the old SPI are sent from a  remote end Fortigate gateway to the XG Firewall gateway.

    Although the XG Firewall gateway receives those packets, it no longer has a valid SPI for them, and it sends the 'Invalid IKE SPI' notify payload.

    It would be great if we can keep XG Firewall as initiator mode and keep the Fortigate as respond only mode.

Reply
  • 0 in reply to nayah

    At each renegotiation, XG Firewall gateway deletes the old IKE SA. While rekeying, packets with the old SPI are sent from a  remote end Fortigate gateway to the XG Firewall gateway.

    Although the XG Firewall gateway receives those packets, it no longer has a valid SPI for them, and it sends the 'Invalid IKE SPI' notify payload.

    It would be great if we can keep XG Firewall as initiator mode and keep the Fortigate as respond only mode.

Children