Pre-shared Keys Changing

Sorry, I originally posted in the wrong section.

One bit of bad behavior I've seen in V16, and got burned on again today, is that if you change a key in one tunnel, it also changes the key in any other tunnel using the same key.  It is common to use the same key on multiple tunnels and every other firewall keeps them separate.  I'm not sure how the XG keeps them separate when they're different, but not when they're the same.  When you save the change you get a pop-up saying "This will update the preshared key of all connections configured between the same local and remote peers.  Are you sure you want to continue?"  Maybe I'm dense, but I read that to mean any extra connections to the same site.  All I know is changing one tunnel has been taking down others that had the same key - not nice.  When you view the key of the downed tunnel it is indeed the key you made for the other tunnel.  This has got to be a bug.



  • I had the same problem on a Cyberoam firewall, but I think the point is: if you have 2 tunnels with the same local and remote, then if you change the pre-shared key on one VPN, that key will change in the other tunnel.

    I had 2 tunnels with the same local (obviously) and an * as remote on both, and I had the problem. Specifying the exact IP address for both remote peers solved the problem.
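The behaviour described in the original post and in the reply above (saving a PSK rewrites it on every connection "between the same local and remote peers", and a `*` remote matches any peer) can be modelled as a pre-change audit. The script below is an added example, not Sophos code or anything from the XG; the tunnel list, addresses and key strings are constructed sample values, and the rule that a `*` remote overlaps every other remote on the same local gateway is an assumption taken from the reply above. It tells you which other tunnels to re-check after a key change and which tunnels reuse a key.

```python
"""Audit site-to-site IPsec tunnel definitions before changing a pre-shared key.

Constructed example (not Sophos/XG code). It models the behaviour reported in the
thread: saving a new PSK on one connection also rewrites the PSK of every other
connection between the same local and remote peers, and a remote endpoint of "*"
(dynamic peer) is assumed to match any remote address.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Tunnel:
    name: str
    local: str   # local gateway address
    remote: str  # remote gateway address, or "*" for a dynamic peer
    psk: str     # pre-shared key (constructed sample values below)


def peers_overlap(a: Tunnel, b: Tunnel) -> bool:
    """True when two tunnels terminate on the same local/remote peer pair.

    Assumption from the thread: a "*" remote matches every remote on that local gateway.
    """
    if a.local != b.local:
        return False
    return a.remote == b.remote or "*" in (a.remote, b.remote)


def affected_by_psk_change(tunnels, target_name):
    """Names of the other tunnels whose PSK would be rewritten when target's PSK is saved."""
    target = next(t for t in tunnels if t.name == target_name)
    return sorted(t.name for t in tunnels
                  if t.name != target_name and peers_overlap(target, t))


def shared_psk_groups(tunnels):
    """Groups of tunnels (by name) that reuse the same PSK.

    Keys are compared by SHA-256 fingerprint so the secret itself is never
    stored in the report; only groups with more than one member are returned.
    """
    by_fp = defaultdict(list)
    for t in tunnels:
        fp = hashlib.sha256(t.psk.encode()).hexdigest()[:12]
        by_fp[fp].append(t.name)
    return sorted(sorted(names) for names in by_fp.values() if len(names) > 1)


def wildcard_peers(tunnels):
    """Tunnels with a '*' remote: candidates for pinning to an exact peer address."""
    return sorted(t.name for t in tunnels if t.remote == "*")


# Constructed sample: one hub (198.51.100.1) with four spoke tunnels, three of
# which reuse the same key and one of which has a dynamic ("*") remote peer.
SAMPLE_TUNNELS = [
    Tunnel("site-a", "198.51.100.1", "203.0.113.10", "sample-key-1"),
    Tunnel("site-b", "198.51.100.1", "203.0.113.20", "sample-key-1"),
    Tunnel("pix-dynamic", "198.51.100.1", "*", "sample-key-1"),
    Tunnel("site-c", "198.51.100.1", "203.0.113.30", "sample-key-2"),
]


if __name__ == "__main__":
    for t in SAMPLE_TUNNELS:
        print(f"changing PSK on {t.name} would also rewrite: "
              f"{affected_by_psk_change(SAMPLE_TUNNELS, t.name)}")
    print("tunnels reusing a PSK:", shared_psk_groups(SAMPLE_TUNNELS))
    print("wildcard-remote tunnels to pin:", wildcard_peers(SAMPLE_TUNNELS))
```

Run it on a dump of your own connection list before editing a key: any tunnel named in the affected list is one to verify (and re-key if needed) straight after the save, and the wildcard list is the set of connections the reply above suggests pinning to an exact remote address.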

  • Hi David,

    Which device is at the remote end?

    Did you try to disable PFS on both ends and try again?

    Any common route/host/gateway with other tunnels?

    Could you provide more info by sharing the configuration? I can check from my end and update you further.

  • This is the hub device, an XG135 V16.0.1, so it has itself as the common gateway for all tunnels.  All the remotes are XG105s, V16.0.2, except for the one last PIX 501 site.  Most of the sites have static public IPs, therefore the remote IP is different, yet they experienced the problem.  The PIX 501 site it just happened to does have a * as its endpoint address since it is dynamic, but the site I changed it for that brought it down had a specific remote endpoint.  The PIX site does not have PFS specified for Phase 2.

  • You're not crazy, I got the same thing!

    I understood it like you did.

    XG230 running SFOS 16.05.3 MR-3

  • Hi,

    A rough diagram would help, and you could attach snapshots of the configuration done. You may also check by creating a custom policy on both ends and checking again.