
IPSEC instability on v17 - using NAT-T port 4500 instead of normal port 500

After upgrading to v17 I've been seeing some instability with IPsec VPNs. It seems that any sort of network interruption takes the VPN offline and it won't re-establish without manual intervention.

I changed to IKE2 after someone on the forums mentioned that it was more stable but I think that made it worse.

What I'm seeing is that one end will initially try connecting on port 500, but then go to port 4500 and keep using that. The other end sticks with port 500, so the two never talk to each other.

Has anyone else seen anything like this?

Thanks,

James



  • Hey  

    Could you please attempt the following regarding your tunnel re-establishment issue.

    Verify that your IPsec policy has "0" configured for the Key Negotiation Tries.
    Is DPD enabled?
    Is one of your nodes set to initiate, and the other node set to respond only?
    What entries do you observe in your IPsec log during this disconnection?

    You could also try to delete the existing IPsec configuration, take SSH access to the XG, go to option 5. Device Console > 3. Advance Console and execute:

    service strongswan:restart -ds nosync

    Then create a new IPsec tunnel between the two nodes and monitor.
    If the tunnels still do not re-establish after a service restart, please DM me the charon.log. Refer to Sophos Firewall: Where to find log files.

    Regards,

    FloSupport | Community Support Engineer


    Florentino
    Director, Global Community & Digital Support

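The port mismatch James describes (one end moving to UDP 4500 while the peer keeps answering on 500) can be checked against the charon.log the reply above asks for. The script below is an added example, not from this thread or from Sophos; the log lines are constructed in the style of strongSwan's "sending packet" / "received packet" entries, the peer addresses are placeholders, and it assumes the log has not been rewritten by a syslog forwarder.

```python
import re
from collections import defaultdict

# Constructed sample in the style of strongSwan charon.log (not real traffic):
# the local side moves to UDP 4500 after the first exchange, retransmits, and
# the only later reply from the peer still arrives from UDP 500.
SAMPLE_LOG = """\
05[NET] sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (464 bytes)
06[NET] received packet: from 198.51.100.20[500] to 203.0.113.10[500] (472 bytes)
07[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.20[4500] (380 bytes)
08[IKE] retransmit 1 of request with message ID 1
09[NET] sending packet: from 203.0.113.10[4500] to 198.51.100.20[4500] (380 bytes)
10[IKE] retransmit 2 of request with message ID 1
11[NET] received packet: from 198.51.100.20[500] to 203.0.113.10[500] (76 bytes)
"""

PKT_RE = re.compile(
    r"(?P<dir>sending|received) packet: from (?P<src>[\d.]+)\[(?P<sport>\d+)\] "
    r"to (?P<dst>[\d.]+)\[(?P<dport>\d+)\]"
)
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request")


def port_usage(log_text):
    """Per peer: which UDP ports we sent to, and which ports its replies came from."""
    usage = defaultdict(lambda: {"sent_to": set(), "received_from": set()})
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if not m:
            continue
        if m["dir"] == "sending":
            usage[m["dst"]]["sent_to"].add(int(m["dport"]))
        else:
            usage[m["src"]]["received_from"].add(int(m["sport"]))
    return dict(usage)


def find_port_mismatch(log_text):
    """Peers we address on 4500 (NAT-T) that never answer from 4500."""
    return sorted(
        peer for peer, ports in port_usage(log_text).items()
        if 4500 in ports["sent_to"] and 4500 not in ports["received_from"]
    )


def count_retransmits(log_text):
    """Number of IKE retransmit lines; a rising count alongside a mismatch
    points at the two ends negotiating on different ports."""
    return sum(1 for line in log_text.splitlines() if RETRANSMIT_RE.search(line))
```

Run it over a real charon.log with the peers' actual addresses; a peer listed by find_port_mismatch together with a non-zero retransmit count matches the symptom in the original post.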