
Site to Site VPN with Oracle Cloud infrastructure dropping packets

Hello,

I've set up an IPsec VPN between the UTM9 and OCI. The settings that I have used are below.

The settings are based on the following recommendations from Oracle because there isn't a configuration recommendation for Sophos:

https://docs.cloud.oracle.com/iaas/Content/Network/Reference/genericCPE.htm

There aren't any IPsec configuration options at the OCI, you are only provided with the termination IP and Secret key.

The tunnel is established and routes have been configured but I get communication dropouts. During a continuous ping from a host behind the UTM to a host in OCI the following occurs.

Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Request timed out.
Request timed out.
Request timed out.
Request timed out.

etc.

I have also observed the following activity in the IPsec logs on the UTM:

2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388009 {using isakmp#383645}

2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: sent QI2, IPsec SA established {ESP=>0x2f032f42 <0xcda5853b NATOA=0.0.0.0 DPD}
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388011 in 10 seconds
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388010 {using isakmp#383645}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: sent QI2, IPsec SA established {ESP=>0x4b79422f <0x713e4fba NATOA=0.0.0.0 DPD}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388012 in 10 seconds
 
I don't know if the Delete SA entry has anything to do with it, and I can't seem to find any specific information that may help me resolve the dropouts, so I was wondering if anyone else has had a similar issue or been able to connect an OCI IPsec VPN to a UTM 9 without problems?
 
Thanks in advance,
Witek.
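
One way to quantify the SA turnover visible in the log excerpt above, as an added example that is not part of the original post: it parses the pluto lines and reports how closely spaced the IPsec SA establishments and the peer's Delete SA notices are. The function names and the 60-second threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime

# Log lines copied from the excerpt in the post above (pluto on the UTM).
SAMPLE = '''
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388009 {using isakmp#383645}
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: sent QI2, IPsec SA established {ESP=>0x2f032f42 <0xcda5853b NATOA=0.0.0.0 DPD}
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388011 in 10 seconds
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388010 {using isakmp#383645}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: sent QI2, IPsec SA established {ESP=>0x4b79422f <0x713e4fba NATOA=0.0.0.0 DPD}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388012 in 10 seconds
'''

LINE = re.compile(r'^(\S+) \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
REKEY = re.compile(r'initiating Quick Mode .* to replace #(\d+)')
DELETE = re.compile(r'received Delete SA payload: replace IPSEC State #(\d+) in (\d+) seconds')

def summarize(text):
    """Group pluto events per connection name; lines that do not match are skipped."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y:%m:%d-%H:%M:%S")
        conn = out.setdefault(m.group(2), {"rekeys": [], "established": [], "peer_deletes": []})
        state, msg = int(m.group(3)), m.group(4)
        if (r := REKEY.search(msg)):
            conn["rekeys"].append((ts, state, int(r.group(1))))       # (time, new state, replaced state)
        elif "IPsec SA established" in msg:
            conn["established"].append(ts)
        elif (d := DELETE.search(msg)):
            conn["peer_deletes"].append((ts, int(d.group(1)), int(d.group(2))))  # (time, state, delay s)
    return out

def churn(conn, min_interval=60):
    """Gaps in seconds between consecutive SA establishments shorter than min_interval (assumed threshold)."""
    ts = sorted(conn["established"])
    gaps = [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
    return [g for g in gaps if g < min_interval]

if __name__ == "__main__":
    for name, conn in summarize(SAMPLE).items():
        print(name, "short gaps (s):", churn(conn))
        for ts, state, delay in conn["peer_deletes"]:
            print(f"  {ts} peer asked to delete state #{state}, replacement in {delay}s")
```

Run against a longer export of the IPsec log, the same functions show whether the short gaps line up with the ping timeouts.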


This thread was automatically locked due to age.
  • Hallo and welcome to the UTM Community!

    If you mean the same problem with Oracle Cloud, did you try enabling anti-replay (replay protection) in the Oracle Cloud?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA