
Site to Site VPN with Oracle Cloud infrastructure dropping packets

Hello,

I've set up an IPsec VPN between the UTM9 and OCI. The settings that I have used are below.

The settings are based on the following recommendations from Oracle, because there isn't a configuration recommendation for Sophos:

https://docs.cloud.oracle.com/iaas/Content/Network/Reference/genericCPE.htm

There aren't any IPsec configuration options on the OCI side; you are only provided with the termination IP and the secret key.

The tunnel is established and routes have been configured but I get communication dropouts. During a continuous ping from a host behind the UTM to a host in OCI the following occurs.

Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Reply from 10.99.56.2: bytes=32 time=22ms TTL=62
Request timed out.
Request timed out.
Request timed out.
Request timed out.

etc.

I have also observed the following activity in the IPsec logs on the UTM:

2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388009 {using isakmp#383645}
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388013: sent QI2, IPsec SA established {ESP=>0x2f032f42 <0xcda5853b NATOA=0.0.0.0 DPD}
2018:12:10-20:39:55 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388011 in 10 seconds
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #388010 {using isakmp#383645}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #388014: sent QI2, IPsec SA established {ESP=>0x4b79422f <0x713e4fba NATOA=0.0.0.0 DPD}
2018:12:10-20:40:01 ussawsgnputm pluto[18194]: "S_Nuf-Global-NP to OCI_Global_NP" #383645: received Delete SA payload: replace IPSEC State #388012 in 10 seconds
 
I don't know if the Delete SA entry has anything to do with it, and I can't seem to find any specific information that may help me with resolving the dropouts, so I was wondering if anyone else has had a similar issue or has been able to connect an OCI IPsec VPN to a UTM 9 without problems?
 
Thanks in advance,
Witek.


  • As I also came across this exact problem and as there hasn't been a working answer yet, I thought I should share the solution we found while working with the Oracle Cloud Support.

    Basically, the Oracle Cloud VPN Gateways in combination with Sophos UTM only support a single subnet on each site:

    “To solve the Multiple SPI concern described previously, from the On-Premise CPE side, you will need to update the ProxyID/SPI to be a single route (subnet). If, for example, you have two routes: 192.168.1.5/30 and 192.168.1.70/32, you could supernet this to just be 192.168.1.0/24, thus condensing two ProxyIDs/SPIs into a single SPI. Alternatively, you could use an any route: 0.0.0.0/0.

    The Static Route within the Oracle Cloud Console > IPSec Connections must also be restricted to a single subnet.

    If you require the routes be separate, you will need to create an IPSec Connection for each of those subnets.”

    Although I was skeptical, this really fixed the issue. In our case this means we need multiple IPSec Connections but at least these are stable.

    As for the IPSec Policy settings, I used the same settings as suggested in the initial post and they seem to work fine.

    Good Luck for everyone trying this out!
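The supernetting Oracle support describes above, worked through as an added example (this is not code from the thread, the UTM or Oracle): it collapses each side's networks to the smallest single prefix that covers them, counts the Phase 2 SAs the original multi-network configuration would have negotiated, and falls back to one IPsec Connection per subnet when the covering prefix would be wider than a policy threshold. The remote subnet 10.99.56.0/24 and the /16 threshold are constructed assumptions.

```python
import ipaddress
from itertools import product


def covering_supernet(subnets):
    """Smallest single prefix that contains every subnet in `subnets`.

    Widens the first subnet one bit at a time until all the others fit;
    reaches 0.0.0.0/0 (Oracle's "any route") if nothing narrower works.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    if not nets:
        raise ValueError("need at least one subnet")
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot supernet mixed IPv4/IPv6 subnets")
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def child_sa_count(local_subnets, remote_subnets):
    """Phase 2 SAs (SPI pairs) a UTM connection with these networks
    negotiates: one per local/remote pair, which is the 'multiple SPI'
    situation Oracle's gateway does not handle on a single connection."""
    return len(local_subnets) * len(remote_subnets)


def plan_connections(local_subnets, remote_subnets, min_prefixlen=16):
    """Return (local, remote) proxy-ID pairs, one per IPsec Connection.

    A side is collapsed to its covering supernet when that supernet is no
    wider than /min_prefixlen (assumed policy threshold, so the tunnel does
    not swallow unrelated address space); otherwise that side keeps its
    subnets separate and each gets its own connection, as Oracle suggests.
    """
    sides = []
    for subnets in (local_subnets, remote_subnets):
        supernet = covering_supernet(subnets)
        if supernet.prefixlen >= min_prefixlen:
            sides.append([supernet])
        else:
            sides.append([ipaddress.ip_network(s, strict=False) for s in subnets])
    return list(product(*sides))


if __name__ == "__main__":
    # Constructed sample: Oracle's two example routes and the OCI host's /24.
    local, remote = ["192.168.1.5/30", "192.168.1.70/32"], ["10.99.56.0/24"]
    print("SAs before:", child_sa_count(local, remote))
    for l, r in plan_connections(local, remote):
        print(f"IPsec Connection: local {l} <-> remote {r}")
```

Each returned pair maps to one OCI IPsec Connection with a single static route and one UTM IPsec connection with a single local and remote network; note the minimal covering prefix for Oracle's two example routes is /25, narrower than the /24 they quote.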

  • Hallo and welcome to the UTM Community!

    Your first post here and it's the solution to a perplexing problem - I hope you continue to participate.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • @dfmw: Thanks for your answer. I can confirm that this is working! It's a bit strange that you can only have one subnet per VPN tunnel, but it works.
