Site-to Site IPSec tunnel disconnects one every 24 hours, why?
I have two questions related to IPSec VPN.
I have two Sophos UTM using home license, version 9.403 with an IP sec tunnel between. I have changed IPSec VPN settings to use own certificates instead of RSA key. I have set Pre Shared Key Settings on the advanced tab to use the same email-address on both ends.
utm1.mydomain.com is the initiator and utm2.mydomain.com is the responder. I am using DNS in UTM to resolve IP-address to internal addresses. utm1.mydomain.com resolves to 192.168.1.1 and utm2.mydomain.com resolves to 192.168.2.1.
Since the IPSec set up for the initiator must use the public IP-address of the responder, I have created bastion2.mydomain.com in the initiator to be set to the responders public IP.
Question 1: The responder is using dynamic DNS and I have not found any way to make the initiator UTM look up the public IP address for bastion2.mydomain.com using public DNS since UTM is configured with all other internal DNS records for my domain. How can I sort this out automatically? Today I configured the public IP address for bastion2.mydomain.com in UTM internal DNS statically since the public IP-address of bastion2.mydomain.com is seldom changed.
Creating a DNS host network definition does not work since the UTM is handling other hosts for the domain in its own DNS.
Question 2: After switching to use own certificates instead of RSA key the tunnel disconnects once every 24 hours. To reconnect the tunnel, I log in into the initiator and toggle “Enable probing of preshared keys” setting on the Advanced tab. After doing that, the tunnel reconnects automatically. How can I get solve this?
The tunnel is currently using AES-256 PFS (ACC). I have also tried AES-256 PFS with compression on. Same problem exists.
This thread was automatically locked due to age.
