IPSec VPN site-to-site does not reconnect after reboot

Hi,

Where can I configure a Site-to-Site VPN on the XGS client (the side initiating the connection) to establish the connection after a reboot or after an upgrade? I've gone through all VPN settings many times and cannot find any setting that would mean "auto connect" or something like this to me.

I have XGS-136 with UTM 18.5.2 MR-2-Build380.

Idea?



  • I think this is happening automatically from the rebooted / updated client. Or do you mean a reboot of the "server" side?
    I can't remember that I had to restart this. However, I sometimes see issues where the "inside" tunnel / SA is not coming up or is losing some connections.

  • Well, the XGS in my case is the client, as it is initiating the connection. I found a lot of these in the logs:

    received IKE message with invalid SPI (32B7866C) from other side

    Weird...
    I looked into the config and, to my surprise, almost every parameter in the IPsec policy was set wrong. SHA1 instead of AES in both phases, then DH2 instead of DH21 and so on. I have no idea where the wrong parameters came from...

    So, I set them as they should be and now it looks to be up and running without problems. Funny technology... :)

  • Hi Andrej Pirman 

    Please try the settings below and verify whether the tunnel comes up automatically or not:

    At the Head Office firewall, set the Gateway type to "Respond only" and apply the IKEv2 policy:

    At the Branch Office firewall, set the Gateway type to "Initiate the connection" and apply the IKEv2 policy:

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi, thank you, but it looks like entering the correct IKE Phase 1 and 2 parameters did the trick. I don't know how those got changed, but as soon as I changed them to match the other side, the VPN went UP and is running smoothly.

  • Another Site-to-Site VPN was up for 2 weeks, then one side had a power failure, and after coming back up it not only fails to reconnect automatically, but will not connect at all! The log just says IPsec could not connect, or something like this.

    WEIRD: 2 days later connected without a problem!!!???

    What's going on? How do you suggest I diagnose this?

  • Hi Andrej Pirman 

    Do you have a Sophos XG Firewall at both sites?

    Please share the IPsec VPN policy you have applied at each site.

    What Gateway type have you set on the side where the power failure occurred? What is the current firmware of the Sophos XG?

    Please share the above information with a snapshot.

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • No, these 3 locations have a Draytek 2926 at sites 1 and 3, while location 2 has the XGS-136:

    • VPN from 2 to 1 works fine.... except once every 2 months it does not reconnect after some failure.
    • VPN from 2 to 3 works OR does not work, depending. One week it works, another week it does not connect at all despite numerous manual retries and reboots. The day after, it connects just fine.
    • The IPsec policy is THE SAME for both VPN connections.
    • Gateway type is "Initiate Connection" on both VPN connections.
    • The VPN parameters on both Drayteks are also exactly the same, same PSK as well.

  • Hi Andrej Pirman

    I suspect an issue with the IPsec VPN policy at the Draytek router.

    Can you share the VPN policy configured at the Draytek router?

    Please check the logs with the commands below if the IPsec VPN is not getting established:

    console> tcpdump 'host <static public IP of Draytek router> and port 500'

    console> dr 'host <static public IP of Draytek router> and port 500'

    console> show vpn IPSec-logs

    tail -f /log/strongswan.log

    Please refer to the link: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/123740/sophos-xg-firewall-troubleshooting-site-to-site-ipsec-vpn-issues

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
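An added example (not from any poster in this thread, and not Sophos code) for triaging the output of `show vpn IPSec-logs` / `tail -f /log/strongswan.log`: it counts the IKE events discussed above, collects the SPIs from "invalid SPI" messages (the symptom the original poster saw after a reboot) and prints a hint for each event type. The log lines, the message wording other than the quoted "invalid SPI" line, and the hints are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not a capture from a real firewall): they model the
# "invalid SPI" message quoted in this thread plus a few other assumed charon messages.
SAMPLE_LOG = """\
08:10:01 charon: received IKE message with invalid SPI (32B7866C) from other side
08:10:05 charon: received IKE message with invalid SPI (32B7866C) from other side
08:10:31 charon: received NO_PROPOSAL_CHOSEN notify error
08:11:02 charon: retransmit 3 of request with message ID 0
08:12:40 charon: IKE_SA established
"""

# Each pattern maps to a short hint on what the message usually points at.
PATTERNS = {
    "invalid_spi": (
        re.compile(r"invalid SPI \(([0-9A-Fa-f]+)\)"),
        "peer still uses an SA this side no longer knows (usual after a reboot); "
        "a fresh IKE_SA_INIT from the initiator or a DPD timeout on the peer clears it",
    ),
    "no_proposal": (
        re.compile(r"NO_PROPOSAL_CHOSEN"),
        "Phase 1/2 proposal mismatch: compare encryption, integrity, DH group "
        "and PFS on both ends of the policy",
    ),
    "retransmit": (
        re.compile(r"retransmit (\d+) of request"),
        "no reply from the peer: verify UDP 500/4500 reachability "
        "(tcpdump 'host <peer> and port 500')",
    ),
    "established": (re.compile(r"IKE_SA .*established"), "tunnel negotiated"),
}


def triage(log_text):
    """Count IKE events in the log text and collect stale SPIs and hints."""
    counts = Counter()
    stale_spis = set()
    for line in log_text.splitlines():
        for name, (pattern, _hint) in PATTERNS.items():
            match = pattern.search(line)
            if match:
                counts[name] += 1
                if name == "invalid_spi":
                    stale_spis.add(match.group(1).upper())
    hints = [PATTERNS[name][1] for name in counts if name != "established"]
    return {"counts": dict(counts), "stale_spis": stale_spis, "hints": hints}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name, count in result["counts"].items():
        print(f"{name:12s} {count}")
    for hint in result["hints"]:
        print("hint:", hint)
```

Feed it the saved log instead of `SAMPLE_LOG` to get a quick event tally before comparing the two sides' policies.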
