IPSec Site to Site VPN

Question

Hello everyone, 
 I have a Sophos XG firewall and SonicWALL SOHO site to site VPN setup between those two firewalls. It connects up just fine and stays connected for hours but randomly it will go down and I have to go manually connect it back up. Luckily it's not a super important VPN but still I don't understand why it randomly goes down. 
 I do have the latest firmware installed on both the SonicWALL and the Sophos XG. 
 I have changed the dead peer detection on and off both on the SonicWALL and the Sophos XG to see if that makes a difference but it does not matter if that is on or off. Does it matter on the type of encryption I am using between the two? Is there a known issue with this that I am missing? 
 Any help would be appreciated. 
 Thank you.

GushyJoseph · Accepted Answer

On a side note, the Sophos IPSec site to site VPN's experience some extreme throughput degradation when PFS is enabled. We have a Sonicwall at our main office, and Sophos XG firewalls at branch offices that connect through site to site IPSec VPN. With our WAN connection speeds, we couldn't explain our poor VPN performance (transfer speeds across tunnel were only around 200 KB/s). I read a forum post that PFS is known to cause performance issues, so I tried setting it to none for both VPN configs. To my surprise the transfer speed went from 200 KB/s all the way to 2 MB/s, the only difference was PFS being disabled. Please note the speed measurements are from Windows SMB file transfer, so bytes per second. I just wanted to make everyone aware that (at least with using v16.0.5 MR 6 to Sonicwall) using PFS for better security greatly hinders performance, perhaps that is not a big deal for your specific use case, but we needed all the throughput we could possibly get. Of course, I encourage you to test how PFS behaves in your own environment as decreasing security settings is never recommended. 
 
 The other thing I wanted to mention is SHA256 (used in Phase 2) can cause a mismatch between Sophos XG IPSec VPN and Sonicwall. What happens is the tunnel establishes and shows connected/green, but because of a slight difference the computations are different on both sides and all traffic is dropped, you will not be able to ping anything across the tunnel i.e.. It is a challenging issue to troubleshoot because you wouldn't think to look at the hashing algorithm being used, I believe this issue may also carry over to Fortigate units. I mention this because I hope it helps someone else that runs into the problem. After SHA256 caused this issue, I found SHA384 worked just fine for Phase 2.

Karlos · Answer

Hi Chris, 
 Make sure the exact same phase 1 & 2 encryption algorithms are used on both sides of the tunnel. 
 Also ensure your Phase 1 key life is larger than Phase 2 and that Phase 2 is not a denominator of Phase 1. 
 Best, 
 Karlos