SFOS 18.0.5 and 18.5.1 Policy-Based IPsec to Checkpoint R80.40: error when adding network to remote IP network list

We are having a very strange behaviour when trying to expand the network list of an IPsec policy-based VPN to a Checkpoint firewall.

We have 5 networks on the Local Subnets (Sophos) side of the VPN and 19 networks on the Remote Subnets (Checkpoint) side.

If we add another network to the Remote Subnets list (one that has already been configured in the Checkpoint VPN configuration), the entire IPsec goes haywire.

No stable connection is being created. The routings for the subnets are created and disconnected continuously.

The entire IPsec connection becomes unstable.

It cannot be stopped but remains stuck. Only restarting the entire VPN service through the console brings it down.

In case there was a problem with this particular network, we tried inserting a fictional network into the remote list. It resulted in the exact same behaviour.

We also deleted the entire IPsec configuration and recreated it from scratch. Same problem. The moment we add this network (any other network) things go haywire.

P.S. Establishing a routing-based IPsec (which would solve all the problems) is not an option, as the Checkpoint administrator won't have it.


  • FormerMember

    Hi Alexander, thanks for reaching out to the Sophos Community.

    Are you not able to connect IPsec at all after adding the network to the remote networks, or does it get connected but subnets randomly get disconnected?

    Are there any other IPsec tunnels on the device? And do they have issues, or just this one tunnel?

    Can you take SSH access and check the log file --> /log/strongswan.log? Grep for the tunnel name if there are multiple tunnels.

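As an added example (not part of this thread and not Sophos' own tooling), the following POSIX shell script does what the reply above suggests in a repeatable way: it filters a strongswan.log excerpt by connection name and counts CHILD_SA "established" and "closing" events per tunnel, so that a flapping tunnel shows up as numbers and as a list of cycling subnet pairs instead of a scroll of lines. The embedded log lines, the connection names CP_VPN and OTHER_TUNNEL, the SPIs and the traffic selectors are constructed samples in charon's usual message format. The small expected_child_sas helper assumes that the two peers negotiate one CHILD_SA per local/remote subnet pair; that is an assumption about a policy-based setup, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not from the thread: triage a strongswan.log excerpt for one
# IPsec connection and count CHILD_SA up/down events to spot tunnel flapping.
# SAMPLE_LOG is CONSTRUCTED (connection names, SPIs, timestamps and subnets
# are made up); on the firewall you would feed /log/strongswan.log instead.
SAMPLE_LOG='Sep 01 10:00:01 charon: 05[IKE] CHILD_SA CP_VPN{12} established with SPIs c1a2b3d4_i e5f6a7b8_o and TS 10.1.0.0/16 === 172.16.1.0/24
Sep 01 10:00:03 charon: 07[IKE] closing CHILD_SA CP_VPN{12} with SPIs c1a2b3d4_i (0 bytes) e5f6a7b8_o (0 bytes) and TS 10.1.0.0/16 === 172.16.1.0/24
Sep 01 10:00:04 charon: 08[IKE] CHILD_SA CP_VPN{13} established with SPIs a9b8c7d6_i f1e2d3c4_o and TS 10.1.0.0/16 === 172.16.1.0/24
Sep 01 10:00:05 charon: 09[IKE] CHILD_SA OTHER_TUNNEL{4} established with SPIs 11223344_i 55667788_o and TS 10.2.0.0/16 === 192.168.50.0/24
Sep 01 10:00:06 charon: 10[IKE] closing CHILD_SA CP_VPN{13} with SPIs a9b8c7d6_i (0 bytes) f1e2d3c4_o (0 bytes) and TS 10.1.0.0/16 === 172.16.1.0/24
Sep 01 10:00:07 charon: 11[IKE] CHILD_SA CP_VPN{14} established with SPIs 0a0b0c0d_i 0e0f1011_o and TS 10.1.0.0/16 === 172.16.2.0/24'

# count_events LOGTEXT CONN PATTERN: number of lines that belong to
# connection CONN (charon prints it as "CONN{n}") and contain PATTERN.
count_events() {
    printf '%s\n' "$1" | grep -F "$2{" | grep -c -- "$3" || true
}

# tunnel_state LOGTEXT CONN: crude classification of one tunnel from the
# ratio of CHILD_SA established to closing events in the excerpt.
tunnel_state() {
    ups=$(count_events "$1" "$2" ' established ')
    downs=$(count_events "$1" "$2" 'closing CHILD_SA')
    if [ "$ups" -ge 2 ] && [ "$downs" -ge 2 ]; then
        echo flapping
    elif [ "$ups" -ge 1 ] && [ "$downs" -eq 0 ]; then
        echo stable
    else
        echo unknown
    fi
}

# flapping_pairs LOGTEXT CONN: traffic-selector pairs ("local === remote")
# that were both established and closed for CONN, one per line.
flapping_pairs() {
    conn_lines=$(printf '%s\n' "$1" | grep -F "$2{")
    up=$(printf '%s\n' "$conn_lines" | grep -F ' established ' \
        | sed -n 's/.* TS \(.*\)$/\1/p' | sort -u)
    down=$(printf '%s\n' "$conn_lines" | grep -F 'closing CHILD_SA' \
        | sed -n 's/.* TS \(.*\)$/\1/p' | sort -u)
    printf '%s\n' "$up" | while IFS= read -r ts; do
        [ -n "$ts" ] || continue
        printf '%s\n' "$down" | grep -F -x -q -- "$ts" && printf '%s\n' "$ts"
    done
}

# expected_child_sas LOCAL_COUNT REMOTE_COUNT: assumed SA count when each
# local/remote subnet pair is negotiated as its own CHILD_SA (assumption).
expected_child_sas() {
    echo $(( $1 * $2 ))
}

# Stand-alone run over the constructed sample.
for conn in CP_VPN OTHER_TUNNEL; do
    printf '%s: %s (up=%s down=%s)\n' "$conn" "$(tunnel_state "$SAMPLE_LOG" "$conn")" \
        "$(count_events "$SAMPLE_LOG" "$conn" ' established ')" \
        "$(count_events "$SAMPLE_LOG" "$conn" 'closing CHILD_SA')"
done
echo "cycling subnet pairs for CP_VPN:"
flapping_pairs "$SAMPLE_LOG" CP_VPN
echo "SAs expected for 5 local x 20 remote subnets: $(expected_child_sas 5 20)"
```

On the firewall the same functions work on `cat /log/strongswan.log` (or the rotated archive) in place of the sample string; the point of the pair list is that a subnet pair appearing in both the established and the closing set is cycling, while one that appears only as established stayed up, which is the distinction the reply asks about.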
  • Good morning Davesh,

    thanks for the fast answer.

    I get a connection, but the networks are being randomly connected and disconnected.
    As soon as I take that one network out and restart the VPN Services everything gets back to normal.

    There are other IPsec tunnels configured.
    Those are not affected by the problem.

    I tried downloading the log, but there are so many log entries, both in the main log and in the archive, that the relevant entries had already been overwritten.

    I've requested another test with the customer.
    I've got to get an OK from them, as the test disrupts a lot of live connections.

  • FormerMember in reply to AlexanderPoettinger

    Alright, you can dump all the logs into a file and share it with me via DM :)

  • I have sent you the links for the logs through the private message system.
