I'm getting these emails approximately every 8 hours at all my sites and can't figure out what the problem is.
I'm using Digital Certificates (2048) following Sophos instructions on copying the CA and SSC to the XG units so we can use certificates.
In VPN Policy, I set a custom one to use AES128/SHA256 for Phase 1 and Phase 2, using Main Mode with allow re-key checked.
Phase 1 has a lifetime of 28800, a rekey of 900, and a margin of 0. It uses DH14. DPD enabled.
Phase 2 has a lifetime of 3600.
I originally started with 120 seconds for rekey but tried 900 to see if I'd have any better luck. CPU usage never passes 40% during rekey.
Here are some logs from IPsec.log:
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: responding to Main Mode
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: STATE_MAIN_R1: sent MR1, expecting MI2
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: STATE_MAIN_R2: sent MR2, expecting MI3
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: Main mode peer ID is ID_USER_FQDN: 'certificate@example.com'
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: digest algorithm not supported
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: invalid certificate signature from "C=US, ST=St, L=City, O=Example Company, Inc., OU=OU, CN=Sophos_CA_C3303201Y6AV9XH, E=something@example.com" on "C=US, ST=St, L=City, O=Example Company, Inc., OU=Division, CN=Sophos_CA_C3303201Y6AV9XH, E=something@example.com"
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: X.509 certificate rejected
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: no suitable connection for peer 'certificate@example.com'
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:500
Sep 15 23:46:21 "MY-VPN-TUN_1-1" #349: Main mode peer ID is ID_USER_FQDN: 'certificate@example.com'
Sep 15 23:46:21 "MY-VPN-TUN_1-1" #349: digest algorithm not supported
Sep 15 23:46:21 "MY-VPN-TUN_1-1" #349: invalid certificate signature from "C=US, ST=St, L=City, O=Example Company, Inc., OU=OU, CN=Sophos_CA_C3303201Y6AV9XH, E=something@example.com" on "C=US, ST=St, L=City, O=Example Company, Inc., OU=Division, CN=Sophos_CA_C3303201Y6AV9XH, E=something@example.com"
Sep 15 23:46:21 "MY-VPN-TUN_1-1" #349: X.509 certificate rejected
Sep 15 23:46:21 "MY-VPN-TUN_1-1" #349: no suitable connection for peer 'certificate@example.com'
Sep 15 23:46:21 "MY-VPN-TUN_1-1" #349: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:500
Sep 15 23:46:41 "MY-VPN-TUN_1-1" #349: Main mode peer ID is ID_USER_FQDN: 'certificate@example.com'
Sep 15 23:46:41 "MY-VPN-TUN_1-1" #349: digest algorithm not supported
Sep 15 23:46:41 "MY-VPN-TUN_1-1" #349: invalid certificate signature from "C=US, ST=St, L=City, O=Example Company, Inc., OU=OU, CN=Sophos_CA_C3303201Y6AV9XH, E=something@example.com" on "C=US, ST=St, L=City, O=Example Company, Inc., OU=Division, CN=Sophos_CA_C3303201Y6AV9XH, E=something@example.com"
Sep 15 23:46:41 "MY-VPN-TUN_1-1" #349: X.509 certificate rejected
Sep 15 23:46:41 "MY-VPN-TUN_1-1" #349: no suitable connection for peer 'certificate@example.com'
Sep 15 23:46:41 "MY-VPN-TUN_1-1" #349: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:500
Sep 15 23:47:21 "MY-VPN-TUN_1-1" #349: max number of retransmissions (2) reached STATE_MAIN_R2
Sep 15 23:51:20 "MY-VPN-TUN_1-1" #289: received Delete SA payload: deleting ISAKMP State #289
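A small triage script for log excerpts like the one above, added here as an example (it is not from the original post or from Sophos): it groups the lines by ISAKMP state number, counts the certificate rejections and the gaps between the peer's retries, and reports which RDN attributes differ between the signer's DN and the DN of the rejected certificate. The embedded log lines are a trimmed, constructed copy of the excerpt in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the failing exchange from the post above (ISAKMP state #349), trimmed.
SAMPLE_LOG = """\
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: digest algorithm not supported
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: invalid certificate signature from "C=US, O=Example Company, Inc., OU=OU, CN=Sophos_CA_C3303201Y6AV9XH" on "C=US, O=Example Company, Inc., OU=Division, CN=Sophos_CA_C3303201Y6AV9XH"
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: X.509 certificate rejected
Sep 15 23:46:11 "MY-VPN-TUN_1-1" #349: sending encrypted notification INVALID_ID_INFORMATION to 2.2.2.2:500
Sep 15 23:46:21 "MY-VPN-TUN_1-1" #349: digest algorithm not supported
Sep 15 23:46:21 "MY-VPN-TUN_1-1" #349: X.509 certificate rejected
Sep 15 23:46:41 "MY-VPN-TUN_1-1" #349: digest algorithm not supported
Sep 15 23:46:41 "MY-VPN-TUN_1-1" #349: X.509 certificate rejected
Sep 15 23:47:21 "MY-VPN-TUN_1-1" #349: max number of retransmissions (2) reached STATE_MAIN_R2
"""

LINE_RE = re.compile(r'^(\w{3} \d{1,2} \d\d:\d\d:\d\d) "([^"]+)" #(\d+): (.*)$')
SIG_RE = re.compile(r'invalid certificate signature from "([^"]+)" on "([^"]+)"')
# An RDN value may itself contain ", " (O=Example Company, Inc.), so split on the next KEY= not on commas.
RDN_RE = re.compile(r'([A-Z]+)=(.+?)(?=, [A-Z]+=|$)')


def parse_dn(dn):
    return dict(RDN_RE.findall(dn))


def summarise(log_text):
    """Group lines by ISAKMP state and describe each state's certificate failure."""
    events = defaultdict(list)  # state number -> [(timestamp, connection, message)]
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        events[int(m[3])].append((datetime.strptime(m[1], "%b %d %H:%M:%S"), m[2], m[4]))
    summary = {}
    for state, evs in events.items():
        msgs = [msg for _, _, msg in evs]
        rejects = [ts for ts, _, msg in evs if msg == "X.509 certificate rejected"]
        sig = next(filter(None, map(SIG_RE.search, msgs)), None)
        issuer, subject = (parse_dn(sig[1]), parse_dn(sig[2])) if sig else ({}, {})
        summary[state] = {
            "conn": evs[0][1],
            "reject_count": len(rejects),
            # seconds between successive rejections: the peer's retransmit backoff
            "retry_gaps_s": [int((b - a).total_seconds()) for a, b in zip(rejects, rejects[1:])],
            "digest_unsupported": msgs.count("digest algorithm not supported"),
            "signer_cn": issuer.get("CN"),
            # RDN attributes on which the signer's DN and the rejected cert's DN disagree
            "dn_mismatch": sorted(k for k in issuer if k in subject and issuer[k] != subject[k]),
            "notifications": sorted({m.split()[3] for m in msgs if m.startswith("sending encrypted")}),
            "gave_up": any(m.startswith("max number of retransmissions") for m in msgs),
        }
    return summary
```

Run against a longer ipsec.log excerpt, the per-state summary shows at a glance whether every rejected state involves the same signer and the same DN mismatch, which narrows the problem to the certificate material rather than the rekey timers.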