
IPSEC Dropping daily

Hey!

I have a bizarre problem that started about 3 months ago, I have an XG230 with an IPSEC site-site VPN to a branch office who are using a Draytek Vigor 2830n. (We did try RED but it was useless, huge bandwidth spikes for no reason and support had no clue)

Every day around 5am the IPSEC tunnel drops; it seems to have gotten better since the latest firmware update, MR3. I changed the call direction for the VPN so that the XG always initiates the connection, and that also seems to take care of things automatically most of the time, i.e. if the connection drops, the XG re-initiates it.

However this is not always the case, sometimes the connection drops and the XG leaves it down. My question is, how can I make it so the XG will constantly retry the connection over and over until it succeeds?

Thanks



  • The go-to standard response is Dead Peer Detection (Re-initiate), and enable rekey.

    Also a constant ping every 10 seconds to each host on the other end for a keepalive, since probably no data is being sent through the tunnel in the middle of the night.

    IKEv2 or 1?

  • Hi Mate

    Thanks for responding. I did a bit of experimenting with DPD (which was not enabled) and I think I must have set it too sensitive because then the VPN dropped every minute and I was getting spammed with notification emails from the XG lol

    Here's what I have set, Sophos is telling me the config is insecure now although I am not sure if the Draytek will support the newer fancier algorithms. 

    IKEv1

    Allow Re-keying: Yes

    Key negotiation tries: 3

    Mode: Main mode

    Phase 1

    Key Life: 3600

    re-key margin: 120

    randomize re-keying margin by: 0

    DH group: 2

    encryption: 3des

    auth: sha1

    Phase 2

    pfs: none

    key life: 3600

    encryption: 3des

    auth: sha1


    DPD: disabled

  • Short:

    I am by no means an expert in XG, but I've suffered the same exact experience you are, all within the last 30 days on the first XG I have ever bought. My VPN settings mirrored yours exactly because the other end could only do IKEv1. In the end (a few nights ago) I capitulated after I had had enough, and I tried a firmware downgrade to the one which others here mention is much more stable for IKEv1: 16 MR8. Working perfectly, never down once, auto comes back after reboot etc. Something in version 17 must have created a bug in IKEv1 when Sophos introduced IKEv2 as an option, in my opinion, and I'm not the only one here.

    Long:

    At first the other company with the Cisco ASA only had 3des sha1, but after 4 nights of failed connections I got them to add aes 256 md5 as another proposal.

    I stayed here on the forums for two days and tried settings from the knowledge base about Cisco ASA settings, no luck.

    Called support, who told me never to edit a running VPN config or policy. It can corrupt it without you knowing it. He recreated my policy from scratch, which honestly I really appreciate, and he put a lot of effort in. I have around 19 hosts and networks that need to be added. He couldn't get Phase 2 to work with the key settings the other company provided to me, so he did it once more with the default branch office settings and a few tweaks.

    He tried starting it but like half the tunnels to hosts stayed up and half went up but stayed down after about a minute. So then he theorized that we should move half the hosts to a second vpn connection using the same setting. Maybe it was overwhelmed he figured.

    At this point I also started using constant pings to the other side (not trusting the peer list view on Sophos), and this was a double-edged sword: when support turned on the tunnel, it worked! It stayed up with no drops at all for 8 days. I thought it was fixed, but 8 days later I had to unplug and reboot the PC that was doing the pings. Alas, the tunnel went down and stayed down while I played with it for 7 hours until 1am.

    After those 7 hours (on top of 20 other hours I spent on this issue), I nearly quit on Sophos XG for the customer. I recalled others saying 16 was great with IKEv1, so I figured why not, and it worked. I had to rebuild my settings, but the VPN stayed up. Fingers crossed. I even rebooted my ping machine and the tunnel stayed up too. I'm using the DPD setting on and the default settings for it.

  • Thanks for the reply mate but a downgrade is not an option for us, we use the MTA and 17 fixed a tonne of email issues.

  • Just to make sure: did you verify whether your key life on Phase 1 and Phase 2 on the Draytek and the Sophos match? This would be very important.
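The matching-lifetime check raised above and the "insecure" warning from the earlier post, as an added example that is not from the thread or from Sophos: a small Python checker that compares two IKEv1 configurations (the XG values posted above against a constructed peer side, not a real Draytek) and reports lifetime mismatches, proposal mismatches and weak settings.

```python
# Added example, not from the thread: audit both ends of an IKEv1 site-to-site tunnel
# for the lifetime mismatches and weak settings discussed above. XG_SIDE holds the
# values posted in the thread; PEER_SIDE is a constructed sample, not a real Draytek.
WEAK_ENC, WEAK_AUTH = {"des", "3des"}, {"md5", "sha1"}
WEAK_DH = {1, 2, 5}  # DH group 2 is 1024-bit MODP, below current guidance

XG_SIDE = {
    "dpd": False, "rekey": True,
    "phase1": {"key_life": 3600, "dh_group": 2, "enc": "3des", "auth": "sha1"},
    "phase2": {"key_life": 3600, "pfs": None, "enc": "3des", "auth": "sha1"},
}
PEER_SIDE = {  # constructed: same proposals, but Phase 1 lifetime left at 28800 s
    "dpd": True, "rekey": True,
    "phase1": {"key_life": 28800, "dh_group": 2, "enc": "3des", "auth": "sha1"},
    "phase2": {"key_life": 3600, "pfs": None, "enc": "3des", "auth": "sha1"},
}

def lifetime_mismatches(local, peer):
    """Phases whose key life differs; the thread's advice is that both must match."""
    return [
        f"{phase}: key life {local[phase]['key_life']}s here vs {peer[phase]['key_life']}s on peer"
        for phase in ("phase1", "phase2")
        if local[phase]["key_life"] != peer[phase]["key_life"]
    ]

def proposal_mismatches(local, peer):
    """Other per-phase settings that differ; a mismatched proposal is never accepted."""
    out = []
    for phase in ("phase1", "phase2"):
        for field in local[phase]:
            if field != "key_life" and local[phase][field] != peer[phase][field]:
                out.append(f"{phase}: {field} {local[phase][field]!r} vs {peer[phase][field]!r}")
    return out

def weak_settings(cfg):
    """Settings that would draw an 'insecure' warning like the one the XG shows."""
    out = []
    for phase in ("phase1", "phase2"):
        if cfg[phase]["enc"] in WEAK_ENC:
            out.append(f"{phase}: {cfg[phase]['enc']} encryption")
        if cfg[phase]["auth"] in WEAK_AUTH:
            out.append(f"{phase}: {cfg[phase]['auth']} integrity")
    if cfg["phase1"]["dh_group"] in WEAK_DH:
        out.append(f"phase1: DH group {cfg['phase1']['dh_group']}")
    if cfg["phase2"]["pfs"] is None:
        out.append("phase2: PFS disabled")
    if not cfg["dpd"]:
        out.append("DPD disabled, so a dead peer is never detected and re-initiated")
    return out
```

Run the three functions against both sides before touching the live policy; a non-empty lifetime or proposal list explains a tunnel that drops and never renegotiates, while the weak-settings list is what to raise with the peer's administrator.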

  • I would concur with this, as I had the same issue, and letting someone else configure the remote end caused me no end of issues.

  • Christian,

    I cannot seem to find the key lifetime settings on the Draytek when the call direction is IN.

    Am I missing something obvious? Or can the key life only be set when the Draytek is the initiating device?

    Thanks

  • I would always configure dial-out from the Draytek (remote) to the central office; this way there is no traffic being generated by your firewall.

  • Jason


    I don't understand what you mean here, traffic flows both ways regardless of which device initiates the connection?

  • Reconfigure the VPN so the Draytek dials out rather than waiting for a connection.

    Put another way, create a new S2S VPN on the Draytek for dial-out only; then the key lifetimes can be adjusted.

  • Cheers Jason,


    Will do.