This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC tunnel issue

Hello Sophos Community,

I have one IPsec tunnel established with one of our client, the tunnel is up, ACL is up(have configured multiple hosts that can be access on client side). The issues is that when we initiate connection from our side internal VM ip to one host from client network the connection is working 30 min, 1hour (no specific interval of time) and then the connection suddenly stops. I capture tcp dump on our sophos sg450 (UTM 9 )firewall and in that tcpdump i see only "in" packets but no "out packets" (attached printscreen). i tried to do a SNAT from our side, the same issue(only with one host from customer side i have this issue). So sometimes the connection is working again by itself and sometimes i need to manually reset the tunnel.

Also need to mention behind this firewall, i have another firewall configured and also on that i can see only in packets but no out packets(the policy on this firewall is allowed with any port and on sophos the firewall is set on Auto for traffic through IPsec tunnel).

Do you have any sugestion for this issue?Also i can mention that on that USG i have over 40 tunnels up and this is the only tunnel with this kind of issue.

This thread was automatically locked due to age.

Parents

0 BAlfson over 6 years ago

Hallo Andrei and welcome to the UT Community!

Is this a question about Sophos UTM? If so, please show pictures of the Edits of the IPsec Policy on each side of the Tunnel.

Cheers - Bob

PS Moving this thread to the VPN forum.
Cancel
Vote Up 0 Vote Down

Cancel
0 Cernitu Andrei over 6 years ago in reply to BAlfson

Hello,

I can only share the configuration from my side, because the other side is on the customer network i do not have access there.

Phase 1 and Phase 2

Gateway to customer network. I cannot share the IP's

Our Internal IP is NAT to one public ip. Also tried without Nat and same issue.

Thank you!
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Cernitu Andrei over 6 years ago in reply to BAlfson

Hello,

I can only share the configuration from my side, because the other side is on the customer network i do not have access there.

Phase 1 and Phase 2

Gateway to customer network. I cannot share the IP's

Our Internal IP is NAT to one public ip. Also tried without Nat and same issue.

Thank you!
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 apijnappels over 6 years ago in reply to Cernitu Andrei

first check that the IKE and IPSec lifetimes are exactly the same on both sides of the connection. And when you are busy checking both sides, also check for the other IKE and IPSec settings (they should also match on both sides)
Cancel
Vote Up 0 Vote Down

Cancel
0 Cernitu Andrei over 6 years ago in reply to apijnappels

Hello,

Already checked this with customer and both sides have the same phase 1 and phase 2 config. Also as i mentioned i only have this issue with one ip from client network, the rest are working fine(there are about 23 hosts that we access from our VM to customer private network).
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 6 years ago in reply to Cernitu Andrei

We don't work very well with hearsay, Andrei. We need pictures of the Policy on the other side. Do both sides have DPD and NAT-T selected? What setting does the other side have for Anti-Replay?

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 Cernitu Andrei over 6 years ago in reply to BAlfson

Hello all and sorry for the late response. I manage to fix the problem and was a source nat issue on our side after i checked deeply all configuration of the IPsec tunnel.

Thank you for the support!
Cancel
Vote Up 0 Vote Down

Cancel