
Pre-shared Keys Changing

Sorry I originally posted in wrong section.

One bit of bad behavior I've seen in V16, and got burned on again today, is that if you change a key in one tunnel, it also changes the key in any other tunnel using the same key.  It is common to use the same key on multiple tunnels and every other firewall keeps them separate.  I'm not sure how the XG keeps them separate when they're different, but not when they're the same.  When you save the change you get a pop-up saying "This will update the preshared key of all connections configured between the same local and remote peers.  Are you sure you want to continue?"  Maybe I'm dense, but I read that to mean any extra connections to the same site.  All I know is changing one tunnel has been taking down others that had the same key - not nice.  When you view the key of the downed tunnel it is indeed the key you made for the other tunnel.  This has got to be a bug.



  • Hi David,

    Which device is at the remote end?

    Did you try to disable PFS on both ends and try again?

    Any common route/host/gateway with other tunnels?

    Could you provide more info by sharing the configuration, and I may check from my end and update you further.

  • This is the hub device, an XG135 V16.0.1, so it has itself as the common gateway for all tunnels.  All the remotes are XG105s, V16.0.2, except for the one last PIX 501 site.  Most of the sites have static public IPs, therefore the remote IP is different, yet they experienced the problem.  The site with the PIX 501 that it just happened to does have a * as its endpoint address since it is dynamic, but the site I changed it for that brought it down had a specific remote endpoint.  The PIX site does not have PFS specified for Phase 2.
