
IPsec VPN

Hello members,

I am sharing this post in the community hoping to find help with an IPsec VPN connection issue whose cause we still cannot determine.

This is the topology: on our side we have an XG 340 as the firewall, and on the client side they have a Fortigate (I don't know which version it is).

We have a 10.2.160.x/24 subnet configured as the local subnet on the XG, and on the client side they have 5 machines as the remote subnet.

The problem is that at some random time one or two of these remote hosts become unreachable from our local 10.2.160.x/24 subnet. Below are the related logs from when we try to reach them. What is weird for me is that when we restart the VPN on our side, they become reachable again.

If anyone could give me any suggestion on this problem, I will take it.

PS: I changed the personal information in the log for security reasons.

2021-08-09 12:26:14 11[IKE] <VPN_XXX-1|471> generating INFORMATIONAL_V1 request 3206003903 [ HASH N(DPD) ]
2021-08-09 12:26:14 11[NET] <VPN_XXX-1|471> sending packet: OUR_PUBLIC_IP[500] to THEIR_PUBLIC_IP[500] (108 bytes)
2021-08-09 12:26:15 12[NET] <VPN_XXX-1|471> received packet: from THEIR_PUBLIC_IP[500] to OUR_PUBLIC_IP[500] (108 bytes)
2021-08-09 12:26:15 12[ENC] <VPN_XXX-1|471> parsed INFORMATIONAL_V1 request 563907384 [ HASH N(DPD_AC
  • FormerMember in reply to nayah

    Hi,

    We need to compare the configured policies side by side. Would it be possible for you to send the screenshots from both firewalls via personal message? 

    Thanks,

  • Hi, sorry that it is only now that I have time to answer you; I was taken up with another subject.

    As for your request, we do not have access to the Fortigate since it is another entity that manages it.

    We will try to check the configurations on both sides with them, and I will follow up.

  • At each renegotiation, the XG Firewall gateway deletes the old IKE SA. While rekeying, packets with the old SPI are sent from the remote Fortigate gateway to the XG Firewall gateway.

    Although the XG Firewall gateway receives those packets, it no longer has a valid SPI for them, and it sends the 'Invalid IKE SPI' notify payload.

    It would be great if we can keep the XG Firewall in initiator mode and keep the Fortigate in respond-only mode.
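The DPD exchange in the original post's log and the rekey / invalid-SPI pattern described in the reply above can both be checked mechanically rather than by eye. The following Python script is an added example, not code from this thread, from Sophos or from strongSwan: it parses charon-style log lines of the form shown in the post, counts DPD requests that never receive a DPD_ACK for each IKE SA, and flags invalid-SPI notifies that arrive shortly after a rekey on the same connection. The sample log is constructed (the first four lines reproduce the post's lines with the truncated DPD_ACK completed; the rest are made up to show the failure), the exact wording of the rekey and invalid-SPI lines is assumed and matched loosely on keywords, and the 5-second DPD timeout and 60-second rekey window are assumed parameters, not Sophos or strongSwan defaults.

```python
"""Scan charon-style IKE log lines for unanswered DPD requests and for
invalid-SPI notifies that follow a rekey. Added example; the sample log
below is constructed, not a real capture."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log line shape seen in the post:
# "<date> <time> <thread>[<subsystem>] <conn|ike_sa_id> message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[[A-Z]+\] "
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)> (?P<msg>.*)$"
)
# IKEv1 DPD request (R-U-THERE) and its acknowledgement, as logged in the post.
DPD_REQ = re.compile(r"generating INFORMATIONAL_V1 request \d+ \[ HASH N\(DPD\) \]")
DPD_ACK = re.compile(r"parsed INFORMATIONAL_V1 request \d+ \[ HASH N\(DPD_ACK\) \]")
# The exact wording of rekey and invalid-SPI lines is not shown on the page,
# so these are assumed and matched loosely on keywords only.
REKEY = re.compile(r"rekey", re.IGNORECASE)
INVALID_SPI = re.compile(r"invalid[ _]?(ike[ _])?spi", re.IGNORECASE)

SAMPLE_LOG = [
    # Lines from the post (DPD_ACK completed).
    "2021-08-09 12:26:14 11[IKE] <VPN_XXX-1|471> generating INFORMATIONAL_V1 request 3206003903 [ HASH N(DPD) ]",
    "2021-08-09 12:26:14 11[NET] <VPN_XXX-1|471> sending packet: OUR_PUBLIC_IP[500] to THEIR_PUBLIC_IP[500] (108 bytes)",
    "2021-08-09 12:26:15 12[NET] <VPN_XXX-1|471> received packet: from THEIR_PUBLIC_IP[500] to OUR_PUBLIC_IP[500] (108 bytes)",
    "2021-08-09 12:26:15 12[ENC] <VPN_XXX-1|471> parsed INFORMATIONAL_V1 request 563907384 [ HASH N(DPD_ACK) ]",
    # Constructed: three DPD requests with no answer, then a rekey and an invalid-SPI notify.
    "2021-08-09 12:26:44 11[IKE] <VPN_XXX-1|471> generating INFORMATIONAL_V1 request 3206003904 [ HASH N(DPD) ]",
    "2021-08-09 12:26:50 11[IKE] <VPN_XXX-1|471> generating INFORMATIONAL_V1 request 3206003905 [ HASH N(DPD) ]",
    "2021-08-09 12:26:56 11[IKE] <VPN_XXX-1|471> generating INFORMATIONAL_V1 request 3206003906 [ HASH N(DPD) ]",
    "2021-08-09 12:27:00 09[IKE] <VPN_XXX-1|471> rekeying IKE_SA (wording illustrative)",
    "2021-08-09 12:27:02 09[IKE] <VPN_XXX-1|472> sending INVALID_SPI notify (wording illustrative)",
]


def parse(lines):
    """Turn raw log lines into (timestamp, connection, ike_sa_id, message) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a charon line in the expected shape; ignore it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["conn"], int(m["sa"]), m["msg"]))
    return events


def analyze(lines, dpd_timeout=5):
    """Per IKE SA, count DPD requests still unanswered after dpd_timeout seconds,
    and collect rekey and invalid-SPI events. dpd_timeout is an assumed value."""
    pending = defaultdict(list)  # (conn, sa) -> timestamps of DPD requests awaiting an ACK
    missed, rekeys, invalid_spi = {}, [], []
    last_ts = None
    for ts, conn, sa, msg in parse(lines):
        last_ts = ts
        key = (conn, sa)
        if DPD_REQ.search(msg):
            pending[key].append(ts)
        elif DPD_ACK.search(msg):
            if pending[key]:
                pending[key].pop(0)  # the oldest outstanding request is answered
        elif INVALID_SPI.search(msg):
            invalid_spi.append((ts, conn, sa, msg))
        elif REKEY.search(msg):
            rekeys.append((ts, conn, sa, msg))
    # A request with no ACK by the end of the log and older than the timeout is a miss.
    if last_ts is not None:
        for key, reqs in pending.items():
            n = sum(1 for t in reqs if t + timedelta(seconds=dpd_timeout) <= last_ts)
            if n:
                missed[key] = n
    return {"missed_dpd": missed, "invalid_spi": invalid_spi, "rekeys": rekeys}


def invalid_spi_after_rekey(result, window=60):
    """Invalid-SPI notifies within `window` seconds after a rekey on the same
    connection: the sequence the reply above describes. window is assumed."""
    hits = []
    for ts, conn, sa, msg in result["invalid_spi"]:
        for rts, rconn, _rsa, _rmsg in result["rekeys"]:
            if rconn == conn and timedelta(0) <= ts - rts <= timedelta(seconds=window):
                hits.append((ts, conn, sa, msg))
                break
    return hits


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (conn, sa), n in result["missed_dpd"].items():
        print(f"{conn} IKE_SA #{sa}: {n} DPD request(s) without DPD_ACK")
    for ts, conn, sa, msg in invalid_spi_after_rekey(result):
        print(f"{ts} {conn} IKE_SA #{sa}: invalid SPI shortly after rekey: {msg}")
```

Feed it the XG's charon log in place of SAMPLE_LOG and run it around the time a remote host drops: unanswered DPDs on the SA point at the peer not responding, while invalid-SPI notifies clustered just after a rekey point at the old-SPI problem the reply describes, which is worth knowing before asking the other side for their Fortigate configuration.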

  • Thank you for your answer, which seems very logical to me. I will try to pass these explanations on to the IT team that manages the Fortigate so that we can find a solution.
  • We finally solved the problem by splitting the different destination IPs across several phase 2 entries on the two peers.