IPSEC instability on v17 - using NAT-T port 4500 instead of normal port 500

Question

After upgrading to v17 i've been seeing some instability with IPSEC VPN's. It seems that any sort of network interruption takes the VPN offline and it won't re-establish without manual intervention. 
 I changed to IKE2 after someone on the forums mentioned that it was more stable but I think that made it worse. 
 What i'm seeing is that one end will initially try connecting on port 500, but then go to port 4500 and keep using that. The other end sticks with port 500, so the two never talk to each other. 
 Has anyone else seen anything like this? 
 thanks 
 James

CMR · Accepted Answer

I had the same issues and decided to dump the IPSEC and set up a RED connection, works properly now...

FloSupport · Answer

Hey jamesharper 
 Could you please attempt the following regarding your tunnel re-establishment issue. Verify that your IPsec policy has "0" configured for the Key Negotiation Tries. Is DPD enabled? Are one of your nodes set to initiate, and the other node set to respond only? What entries do you observe in your IPsec log during this disconnection? You could also try to delete the existing IPSec configuration and take SSH access to the XG and go to option 5. Device Console > 3. Advance Console and execute, service strongswan:restart -ds nosync Then create a new IPsec tunnel between the two nodes and monitor. If the tunnels still do not re-establish after a service restart, please DM me the charon.log. Refer to, Sophos Firewall: Where to find log files . 
 Regards, FloSupport | Community Support Engineer