IPSec Tunnel modification - tunnels is always disconnected afterwards

XG or XGS with SFOS 19.0.1 is IPSec Site-to-Site Tunnel initiator. The other side is responder.

Issue:

Whenever I change the IPSec connection, e.g. add a host or network object or change something in the security settings, the tunnel terminates and does not recover by itself. It becomes "red".

Of course I change it on both sides: first on the XG as initiator, so I do not cut off my management connection to the machine, then on the responder.

I need to connect to the remote site over backdoors or Sophos Central and re-activate the tunnel.

Why can't the machine do this itself after the change of the tunnel? It's totally senseless to me that it just fails and then sits in that failed state until an admin manually comes in remotely and clicks on the connect button.

This issue has been known to me since I started managing XG (SFOS 17.5), and it is nothing new.

Are there plans to change this?



This thread was automatically locked due to age.
  • It is IKEv1, as the remote responder is the Sophos UTM.

  • Ahan!
    I would recommend the use of IKEv2 over IKEv1 and setting the Key Negotiation Tries to 0.
    But unfortunately UTM 9 does not support IKEv2, hence you cannot change it!

    Such an issue wouldn't occur if the remote site were also configured with an XG instead of UTM 9.
    IKEv2 provides the following benefits over IKEv1.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for your update, but I see no reason why it should depend on IKE. XG should just terminate and reconnect after the change. But this is something it doesn't do. Why does it work when I only click on connect? That is what the machine logic should do.

  • IKEv2 is more reliable, as all message types are defined as Request and Response pairs; IKEv2 has built-in NAT-T functionality, which improves compatibility between vendors, and IKEv2 has the Keep Alive option enabled by default. IKEv2 also provides the ability to maintain a VPN session.

    When you click on connect, the initiation begins again and hence you are able to connect, whereas IKEv2 has a better capability for handling such connections. In short, as informed above, there are various benefits to using IKEv2 over IKEv1.

    Thanks & Regards,
    _______________________________________________________________

    Vivek Jagad | Team Lead, Global Support & Services 


    Sophos Community | Product Documentation | Sophos Techvids | SMS
    If a post solves your question please use the 'Verify Answer' button.

  • there are various benefits using IKEv2 over IKEv1

    I totally agree. But it seems you see no need for improvement of XG behaviour also for IKEv1. That is something I would really like to see.