I have two branch offices running XGS107s and a head office running an XG210. I also have another IPsec VPN to a sister agency that works fine. About 24 hours after I bring up the second branch office, the first one is dropped and says authentication failure. I re-enter the pre-shared key on both the head office and the branch office and it starts working again. Then about 24 hours later the other branch office is dropped. What is going on? I am using different pre-shared keys for each branch office. Should they be the same? If so, why is the sister agency not affected? The logs below are from the head office router. I will need to go on-site to get access to the logs on the remote router, since they aren't made available through the web interface or Sophos Central, or at least I can't find them.
strongswan.log file excerpts:
2023-03-08 18:16:41Z 29[CFG] <Station13-1|36759> selected peer config 'Station13-1'
2023-03-08 18:16:41Z 29[IKE] <Station13-1|36759> tried 2 shared keys for 'ST11b' - 'ST13', but MAC mismatched
2023-03-08 18:16:41Z 29[DMN] <Station13-1|36759> [GARNER-LOGGING] (child_alert) ALERT: Couldn't authenticate the remote gateway. Check the authentication settings on both devices.
2023-03-08 18:16:41Z 29[ENC] <Station13-1|36759> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2023-03-08 18:16:41Z 29[NET] <Station13-1|36759> sending packet: from X.X.97.162[4500] to X.X.206.150[8534] (96 bytes)
charon.log file excerpts:
2023-03-08 18:16:40Z 13[NET] <36759> received packet: from X.X.206.150[8515] to X.X.97.162[500] (1446 bytes)
2023-03-08 18:16:40Z 13[ENC] <36759> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2023-03-08 18:16:40Z 13[IKE] <36759> 174.246.206.150 is initiating an IKE_SA
2023-03-08 18:16:40Z 13[IKE] <36759> remote host is behind NAT
2023-03-08 18:16:40Z 13[ENC] <36759> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
2023-03-08 18:16:40Z 13[NET] <36759> sending packet: from X.X.97.162[500] to X.X.206.150[8515] (242 bytes)
2023-03-08 18:16:41Z 29[NET] <36759> received packet: from X.X.206.150[8534] to X.X.97.162[4500] (464 bytes)
2023-03-08 18:16:41Z 29[ENC] <36759> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2023-03-08 18:16:41Z 29[CFG] <36759> looking for peer configs matching X.X.97.162[ST11b]...X.X.206.150[ST13]
2023-03-08 18:16:41Z 29[CFG] <Station13-1|36759> selected peer config 'Station13-1'
2023-03-08 18:16:41Z 29[IKE] <Station13-1|36759> tried 2 shared keys for 'ST11b' - 'ST13', but MAC mismatched
2023-03-08 18:16:41Z 29[DMN] <Station13-1|36759> [GARNER-LOGGING] (child_alert) ALERT: Couldn't authenticate the remote gateway. Check the authentication settings on both devices.
2023-03-08 18:16:41Z 29[ENC] <Station13-1|36759> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2023-03-08 18:16:41Z 29[NET] <Station13-1|36759> sending packet: from X.X.97.162[4500] to X.X.206.150[8534] (96 bytes)
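The head office excerpts above share one shape: the responder finds the peer config for the identity pair, tries every configured pre-shared key that matches that pair ("tried 2 shared keys ... but MAC mismatched"), and answers with N(AUTH_FAILED). When the failure recurs on a schedule, it helps to pull that pattern out of charon.log per IKE_SA and per remote identity rather than reading the raw lines. The following parser is an added example written for this thread; it is not code from the original post, from Sophos or from the strongSwan project. The sample excerpt it runs on is constructed in the same line format as the post's logs, with placeholder addresses (198.51.100.10, 203.0.113.7, 192.0.2.44) and placeholder identities (HQ, BRANCH-A, BRANCH-B) that are assumptions, not values from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample excerpt in the format of the charon.log lines quoted in the post.
# Addresses, identities and peer config names are placeholders (assumptions), not the
# original post's values. SA 36759 fails PSK authentication; SA 36801 succeeds.
SAMPLE_LOG = """\
2023-03-08 18:16:40Z 13[NET] <36759> received packet: from 203.0.113.7[8515] to 198.51.100.10[500] (1446 bytes)
2023-03-08 18:16:40Z 13[IKE] <36759> 203.0.113.7 is initiating an IKE_SA
2023-03-08 18:16:40Z 13[IKE] <36759> remote host is behind NAT
2023-03-08 18:16:41Z 29[ENC] <36759> parsed IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2023-03-08 18:16:41Z 29[CFG] <36759> looking for peer configs matching 198.51.100.10[HQ]...203.0.113.7[BRANCH-A]
2023-03-08 18:16:41Z 29[CFG] <Branch-A|36759> selected peer config 'Branch-A'
2023-03-08 18:16:41Z 29[IKE] <Branch-A|36759> tried 2 shared keys for 'HQ' - 'BRANCH-A', but MAC mismatched
2023-03-08 18:16:41Z 29[ENC] <Branch-A|36759> generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
2023-03-08 18:20:02Z 07[CFG] <36801> looking for peer configs matching 198.51.100.10[HQ]...192.0.2.44[BRANCH-B]
2023-03-08 18:20:02Z 07[CFG] <Branch-B|36801> selected peer config 'Branch-B'
2023-03-08 18:20:02Z 07[IKE] <Branch-B|36801> authentication of 'BRANCH-B' with pre-shared key successful
"""

# One charon.log line: "<timestamp> <thread>[<subsystem>] <[config|]sa-id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<thread>\d+)\[(?P<sub>[A-Z]+)\] "
    r"<(?:(?P<cfg>[^|>]+)\|)?(?P<sa>\d+)> (?P<msg>.*)$"
)
# "looking for peer configs matching <ip>[<local id>]...<ip>[<remote id>]"
PEER_RE = re.compile(
    r"looking for peer configs matching (?P<local_ip>[^\[\s]+)\[(?P<local_id>[^\]]+)\]"
    r"\.\.\.(?P<remote_ip>[^\[\s]+)\[(?P<remote_id>[^\]]+)\]"
)
# "tried N shared keys for '<local id>' - '<remote id>', but MAC mismatched"
KEYS_RE = re.compile(
    r"tried (?P<n>\d+) shared keys for '(?P<local_id>[^']+)' - '(?P<remote_id>[^']+)', but MAC mismatched"
)


def _new_sa():
    return {"ts": None, "peer_config": None, "local_id": None, "remote_id": None,
            "remote_ip": None, "behind_nat": False, "keys_tried": None,
            "auth_failed": False, "auth_ok": False}


def parse_ike_sas(log_text):
    """Group charon.log lines by IKE_SA id and collect the fields relevant to PSK auth."""
    sas = defaultdict(_new_sa)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in charon's per-SA format
        sa = sas[m["sa"]]
        sa["ts"] = sa["ts"] or m["ts"]        # keep the first timestamp seen for this SA
        if m["cfg"]:
            sa["peer_config"] = m["cfg"]      # name appears once a peer config is selected
        msg = m["msg"]
        if "remote host is behind NAT" in msg:
            sa["behind_nat"] = True
        pm = PEER_RE.search(msg)
        if pm:
            sa.update(local_id=pm["local_id"], remote_id=pm["remote_id"],
                      remote_ip=pm["remote_ip"])
        km = KEYS_RE.search(msg)
        if km:
            sa["keys_tried"] = int(km["n"])   # how many configured PSKs matched this ID pair
        if "N(AUTH_FAILED)" in msg:
            sa["auth_failed"] = True
        if "with pre-shared key successful" in msg:
            sa["auth_ok"] = True
    return dict(sas)


def psk_auth_failures(log_text):
    """Return one record per IKE_SA that ended in AUTH_FAILED, oldest first."""
    sas = parse_ike_sas(log_text)
    return [dict(sa_id=sa_id, **fields) for sa_id, fields in sorted(sas.items())
            if fields["auth_failed"]]


def failures_by_remote_id(log_text):
    """Count AUTH_FAILED SAs per remote IKE identity; a recurring peer stands out here."""
    return Counter(f["remote_id"] for f in psk_auth_failures(log_text))


def describe(failure):
    """Human-readable summary of one failure record for a ticket or alert."""
    return (f"{failure['ts']} SA {failure['sa_id']}: peer {failure['remote_id']} "
            f"({failure['remote_ip']}, NAT={'yes' if failure['behind_nat'] else 'no'}) "
            f"matched config {failure['peer_config']}; {failure['keys_tried']} PSK(s) "
            f"tried for '{failure['local_id']}'-'{failure['remote_id']}', none verified")


if __name__ == "__main__":
    for f in psk_auth_failures(SAMPLE_LOG):
        print(describe(f))
    print(dict(failures_by_remote_id(SAMPLE_LOG)))
```

Run it against a full charon.log instead of SAMPLE_LOG and the per-remote-identity counter shows whether failures cluster on one branch at a time, and `keys_tried` shows how many configured keys the responder considered for that identity pair before giving up. Because the head office and the remote router are two different strongSwan instances, the same parser can be pointed at the branch side's log once it is retrieved, so that both views of the same IKE_SA can be compared by timestamp.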