IPsec Connection down

In remote office Firewall logs I see

"parsing IKE message from xxxx.xxxx.xxxx.xxxx[500] failed"

Yes, seems Port 500 is blocked or not allowed from the remote end ISP router configuration

Regards

Thank you  for response, I'm going to allow port UDP500 and UDP4500 for remote offices; but I don't understand why no problem with zyxel at head office.

Is it for tunnel between Sophos xgs116 (SFOS 19.0.1 MR-1-Build365)  and Sophos XG85 (SFOS 17.5.17 MR-17-Build837) ?or with Sophos xgs116 (SFOS 19.0.1 MR-1-Build365) and  2 Fritzbox.?

Issue might be with Default policy 

Regards

Hello, just an update. I checked all my configuration and find only 2 router with UDP port blocked. At this time my vpn are up with IKEv2 profiles. Resolved at this moment the fritzbox problem but randomly the vpn goes down.

Now I'm searching to set IPSEC with RSA as in https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122440/best-practice-for-site-to-site-policy-based-ipsec-vpn but the XG85 don'activate the connection

malachite said:

Now I'm searching to set IPSEC with RSA as in https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122440/best-practice-for-site-to-site-policy-based-ipsec-vpn but the XG85 don'activate the connection

Try this link: https://support.sophos.com/support/s/article/KB-000035717?language=en_US 

The error is "All the connections shared between end points must have the same authentication methods and credentials"

The error is "All the connections shared between end points must have the same authentication methods and credentials"

Please show us screenshots of your tunnel definitions in HQ and branch office. You could obfuscate parts of the IPs for security reasons.

I show you the VPN configuration between the main office (HO_1) and one of the secondary offices (BO_1). The configuration is the same for the other secondary offices where the Sophos XG85 is located.
At this moment the vpn connection is established correctly but I encounter two problems:
1) if the VPN falls it does not go up; I am forced to change the Preshared key to manually re-establish the Tunnel
2) if I change the authentication method from Preshared key to RSA key
on the secondary office device I cannot activate the connection and I receive the error previously reported ("All the connections shared between end points must have the same authentication methods and credentials")

What are your settings for local ID and Remote ID?

Hello, I managed to set up 7 vpn connections between main office sophos xgs and remote office sohpos xg using Rsa Key and not a PSK as authentication method.

The vpn connections with the two Fritzboxes seem stable now.

There remains a vpn connection with a zyxel that I just can't pull up

Hi malachite Please check Logs from SSH with options 4 and 5>3 for IPsec troubleshooting and most common errors as per the below link: 

https://support.sophos.com/support/s/article/KB-000038566?language=en_US 

https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/123740/sophos-xg-firewall-troubleshooting-site-to-site-ipsec-vpn-issues 

console>tcpdump 'host <Public IP of remote router>  (to check communication on port 500 with Sophos XG and remote end router)

example console>tcpdump 'host  xx.xx.xx.xx

console>dr 'host <Public IP of remote router> (to check any drop if no drop on console no issue with Sophos XG)

example  console>dr host  xx.xx.xx.xx

Share the feedback or suspicious logs.

Thanks and Regards