Site to Site VPN with Oracle Cloud infrastructure dropping packets

Hello,

I've set up an IPsec VPN between the UTM9 and OCI. The settings that I have used are below.

The settings are based on the following recommendations from Oracle, because there isn't a configuration recommendation for Sophos:

https://docs.cloud.oracle.com/iaas/Content/Network/Reference/genericCPE.htm

There aren't any IPsec configuration options on the OCI side; you are only provided with the termination IP and the secret key.

The tunnel is established and routes have been configured, but I get communication dropouts. During a continuous ping from a host behind the UTM to a host in OCI, the following occurs.

Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Request timed out.
Request timed out.
Request timed out.
Request timed out.

etc.

I have also observed the following activity in the IPsec logs on the UTM:

2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388009 {using isakmp#383645}
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: sent QI2, IPsec SA established {ESP=>0x2f032f42 <0xcda5853b NATOA=0.0.0.0 DPD}
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388011 in 10 seconds
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388010 {using isakmp#383645}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: sent QI2, IPsec SA established {ESP=>0x4b79422f <0x713e4fba NATOA=0.0.0.0 DPD}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388012 in 10 seconds
 
I don't know whether the Delete SA entry has anything to do with it, and I can't seem to find any specific information that may help me resolve the dropouts, so I was wondering if anyone else has had a similar issue or been able to connect an OCI IPsec VPN to a UTM 9 without problems?

Thanks in advance,
Witek.
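Added example, not from the original post or from Sophos: a small Python parser for the pluto log lines quoted above. It pulls out each child SA that was negotiated, the ISAKMP SA it hangs off, the ESP SPIs, how far apart the Quick Mode exchanges were, and the Delete SA payloads the peer sent back. The sample log is the six lines from the post. The heuristic that more than one child SA being rekeyed under a single ISAKMP SA, followed by peer-initiated deletes, points at multiple traffic selectors (multiple SPIs) on one tunnel is an assumption, consistent with the resolution later in this thread, not something the log proves on its own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the pluto log lines from the post above, verbatim.
SAMPLE_LOG = """\
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388009 {using isakmp#383645}
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: sent QI2, IPsec SA established {ESP=>0x2f032f42 <0xcda5853b NATOA=0.0.0.0 DPD}
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388011 in 10 seconds
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388010 {using isakmp#383645}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: sent QI2, IPsec SA established {ESP=>0x4b79422f <0x713e4fba NATOA=0.0.0.0 DPD}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388012 in 10 seconds
"""

# Line shape: <ts> <host> pluto[<pid>]: "<connection>" #<state>: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) \S+ pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$'
)
ESTAB_RE = re.compile(r'IPsec SA established \{ESP=>(?P<out>0x[0-9a-f]+) <(?P<in>0x[0-9a-f]+)')
REPLACE_RE = re.compile(r'to replace #(?P<old>\d+) \{using isakmp#(?P<isakmp>\d+)\}')
DELETE_RE = re.compile(r'received Delete SA payload: replace IPSEC State #(?P<victim>\d+) in (?P<secs>\d+) seconds')


def parse_pluto_log(text):
    """Per connection: child SAs (state number -> SPIs, predecessor, timestamp),
    the ISAKMP SA numbers they were negotiated under, and Delete SA payloads received."""
    conns = defaultdict(lambda: {"children": {}, "isakmp": set(), "deletes": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec, state, msg = conns[m["conn"]], int(m["state"]), m["msg"]
        r = REPLACE_RE.search(msg)
        if r:  # a new Quick Mode replacing an older child SA
            rec["children"].setdefault(state, {})["replaces"] = int(r["old"])
            rec["isakmp"].add(int(r["isakmp"]))
        e = ESTAB_RE.search(msg)
        if e:  # outbound/inbound ESP SPIs of the freshly installed child SA
            rec["children"].setdefault(state, {}).update(spi_out=e["out"], spi_in=e["in"], ts=m["ts"])
        d = DELETE_RE.search(msg)
        if d:  # peer asked us to drop a child SA; pluto schedules a replacement
            rec["deletes"].append((m["ts"], int(d["victim"]), int(d["secs"])))
    return conns


def quick_mode_spread_seconds(rec):
    """Seconds between the first and last child-SA establishment seen for one connection."""
    stamps = sorted(datetime.strptime(c["ts"], "%Y:%m:%d-%H:%M:%S")
                    for c in rec["children"].values() if "ts" in c)
    return (stamps[-1] - stamps[0]).total_seconds() if stamps else 0.0


def diagnose(conns):
    """Flag connections where several child SAs were (re)negotiated under one ISAKMP SA
    and the peer answered with Delete SA payloads (assumed multi-SPI symptom)."""
    findings = {}
    for conn, rec in conns.items():
        n_children, n_deletes = len(rec["children"]), len(rec["deletes"])
        findings[conn] = {
            "child_sas": n_children,
            "isakmp_sas": len(rec["isakmp"]),
            "peer_deletes": n_deletes,
            "rekey_spread_s": quick_mode_spread_seconds(rec),
            "multi_spi_suspect": n_children > 1 and n_deletes > 0,
        }
    return findings


if __name__ == "__main__":
    for conn, f in diagnose(parse_pluto_log(SAMPLE_LOG)).items():
        print(conn, f)
```

Run against the post's own lines it reports two child SAs (#388013, #388014) under ISAKMP SA #383645, negotiated 6 seconds apart, and two peer Delete SA payloads for the older states, which is the pattern to look for before touching NAT-T or DPD settings.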
  • Hi Witek and welcome to the UTM Community!

    What happens if you try different combinations of settings for NAT-T and DPD?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Thanks for the suggestion. We played around with the settings for both but unfortunately the problem persists.

    Kind regards,

    Witek.

  • In reply to Witek Rolka:

    Witek, does the Oracle Cloud have anti-replay enabled?

    Cheers - Bob

  • In reply to BAlfson:

    I'm having the exact same problem here, with the same log messages and the latest firmware. I already tried switching off DPD; that didn't work either.

    I have around 20 site-to-site IPsec connections and they all work without any issues.

    Any ideas?

  • In reply to Thunder:

    Hallo and welcome to the UTM Community!

    If you mean the same problem with Oracle Cloud, did you try enabling anti-replay (replay protection) in the Oracle Cloud?

    Cheers - Bob

  • In reply to BAlfson:

    Hi Bob,

    Thanks for your answer. I'm not aware that there's a setting like anti-replay in the Oracle Cloud. All parameters are given by Oracle. I used the settings in https://docs.cloud.oracle.com/iaas/Content/Network/Reference/genericCPE.htm.

  • In reply to Thunder:

    UTM requires that the other IPsec endpoint have anti-replay enabled. What does Oracle say about whether they have replay protection activated?

    Cheers - Bob

    As I also came across this exact problem, and as there hasn't been a working answer yet, I thought I should share the solution we found while working with Oracle Cloud Support.

    Basically, the Oracle Cloud VPN Gateways in combination with Sophos UTM only support a single subnet on each site:

    “To solve the Multiple SPI concern described previously, from the On-Premise CPE side, you will need to update the ProxyID/SPI to be a single route(subnet). If, for example you have two routes: 192.168.1.5/30 and 192.168.1.70/32, you could supernet this to just be 192.168.1.0/24, thus condensing two ProxyIDs/SPIs into a single SPI. Alternatively, you could use an any route: 0.0.0.0/0.

    The Static Route within the Oracle Cloud Console > IPSec Connections, must also be restricted to a single subnet.

    If you require the routes be separate, you will need to create an IPSec Connection for each of those subnets.”

    Although I was skeptical, this really fixed the issue. In our case this means we need multiple IPSec Connections but at least these are stable.

    As for the IPSec Policy settings, I used the same settings as suggested in the initial post and they seem to work fine.

    Good Luck for everyone trying this out!
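Added example, not from the original post, from Sophos or from Oracle: a Python helper for the selector planning described in the answer above. It computes the smallest single prefix that covers a list of subnets (the supernet option from the Oracle quote; the quote's 192.168.1.5/30 and 192.168.1.70/32 collapse to 192.168.1.0/25, and the /24 Oracle suggests also works, just with more slack), reports how much extra address space the supernet pulls in, checks the supernet against other networks it must not swallow (local LANs, other VPNs), and otherwise enumerates one (local, remote) subnet pair per IPsec connection. Treating each connection as exactly one local/remote pair, i.e. one child SA and one SPI pair, is my reading of dfmw's answer; the subnets in the demo at the bottom are constructed.

```python
import ipaddress
from itertools import product


def normalize(subnets):
    """Parse CIDRs leniently (192.168.1.5/30 becomes 192.168.1.4/30) and merge
    adjacent or nested ones, so each remaining prefix would be its own selector."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return list(ipaddress.collapse_addresses(nets))


def covering_supernet(subnets):
    """Smallest single prefix that contains every subnet in the list, plus the
    number of addresses it covers that were not in the original subnets."""
    nets = normalize(subnets)
    first = min(n.network_address for n in nets)
    last = max(n.broadcast_address for n in nets)
    # Shorten the prefix starting at the lowest address until the highest fits.
    for plen in range(first.max_prefixlen, -1, -1):
        cand = ipaddress.ip_network(f"{first}/{plen}", strict=False)
        if last in cand:
            slack = cand.num_addresses - sum(n.num_addresses for n in nets)
            return cand, slack
    raise ValueError("unreachable: a /0 covers everything")


def overlaps(selector, others):
    """Networks from `others` (e.g. local LANs, other tunnels) that the selector
    would also claim; anything listed here means the supernet is too wide."""
    return [o for o in (ipaddress.ip_network(s, strict=False) for s in others)
            if selector.overlaps(o)]


def plan_connections(local, remote, supernet):
    """Return (local_selector, remote_selector) pairs, one per IPsec connection.

    supernet=True  -> a single connection carrying one covering prefix per side.
    supernet=False -> one connection per local/remote subnet pair, so that each
                      connection still negotiates exactly one child SA (SPI pair).
    """
    if supernet:
        return [(covering_supernet(local)[0], covering_supernet(remote)[0])]
    return list(product(normalize(local), normalize(remote)))


if __name__ == "__main__":
    # Constructed demo values; the first pair is the example from the Oracle quote.
    sel, slack = covering_supernet(["192.168.1.5/30", "192.168.1.70/32"])
    print(f"supernet {sel} pulls in {slack} extra addresses")

    local = ["10.1.0.0/24", "10.2.0.0/24"]       # two on-premise subnets
    remote = ["10.99.56.0/24"]                   # one OCI VCN subnet
    wide, _ = covering_supernet(local)
    print("would also swallow:", overlaps(wide, ["10.3.0.0/24", "172.16.0.0/12"]))
    for l, r in plan_connections(local, remote, supernet=False):
        print(f"IPsec connection: {l} <-> {r}")
```

The overlap check is the part worth running before committing to a supernet (or to 0.0.0.0/0): the UTM will route anything matching the selector into the tunnel, so a covering prefix that also contains a LAN or another VPN's network silently steals that traffic. When the check returns anything, fall back to `supernet=False` and create one connection per pair.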

  • In reply to dfmw:

    Hallo and welcome to the UTM Community!

    Your first post here and it's the solution to a perplexing problem - I hope you continue to participate.

    Cheers - Bob

  • In reply to BAlfson:

    @dfmw: Thanks for your answer. I can confirm that this is working! It's a bit strange that you can only have one subnet per VPN tunnel, but then it works.