IPSEC VPN UTM to XG does not reconnect automatically

Question

Morning All, 
 I've setup an IPSEC VPN between a UTM installation and a XG installation. Everything works fine once I press the "connect" circle on the VPN tab in XG, but if the line breaks, the connection will not re-establish unless I press the "connect" circle again. 
 In UTM, this process is easy and automatic - not so it seems in XG. What do I need to set on the XG to get this to work? I've tried setting "action on restart" to respond only and initiate, but no joy. I've also made sure the policy I'm using has "action when peer unreachable" set to "reinitiate". 
 Can anyone point me in the right direction please? 
 Many thanks.

Shaun Raven · Accepted Answer

OK - for the record, here's what I found. 
 The "Enable probing of pre-shared keys" was a red herring. The culprit turned out to be a mixutre of the VPN policy used, and the "Action on VPN restart" setting. I initially used "AES128_MD5" as the policy and "respond only" as the action setting, as that's what was indicated by research into the documentation and forums. This setup did indeed require UTM to have "enable probing of pre-shared keys" to be set for the VPN to re-establish. 
 However, once I'd set the vpn policy to "DefaultBranchOffice" and the action setting to "initiate", I no longer needed to set "enable probing of pre-shared keys" on the UTM, and the VPN was able to reconnect fully automatically. This setup worked on both versions of the firmware release tested. 
 As a side note, this setup also worked behind a NAT router :) - Happy days!

CMR · Answer

We have the same setup and I ended up setting the XG to respond and the UTM to initiate. This configuration has been working perfectly for a year or so with XG v15 > v16.01.2 and UTM being kept up to date. I haven't yet tried it with XG v16.05 
 Cheers, 
 Charles

Shaun Raven · Answer

Thanks Andrew, 
 That actually helps quite a bit. I've found that if I set that option in the "Advanced" section of the UTM's IPSEC settings, I can get the connection to re-establish, both on line failure and on XG reboot, provided I set the XG VPN settings to "DefaultBranchOffice" policy and the connection to "re-initiate". 
 Now, to see if I can get this setup working behind a NAT-ed Router... :)

Aditya Patel · Answer

HI Shaun, 
 Could you upgrade to 16.05 GA and check if this would sort out your issue with VPN .