Configuring VPN Remote Access for the first time on your Sophos XG Firewall? Check out this useful Community post!
Advisory: Sophos XG Firewall - Antivirus service stopped due to failed pattern update. Please visit this KBA for the latest updates
We'd love to hear about it! Click here to go to the product suggestion community
Hi,On my branch office I run a fortigate firewall. HQ runs Sophos UTM 9.6.Branch office: dynamic ip, changes every 24hrHQ: static IPIPsec VPN is up and working fine until at the branch office there is a IP-change, what occours every 24hrs.Then the tunnel is still up, but no traffic flows in any direction. My understand is that the tunnel should go down immediatelly, when there is the ip-change, and re-established immediatelly.
But obviously this is not the case.After two hours the traffic is flowing again.If I manually put the tunnel down/up on the branch office then traffic flows again immediatelly.So how can I troubleshoot this?
Have you tried making Fortigate as the tunnel Initiator? Keep the IPsec connection on UTM 9 as Respond only and also try to enable DPD on the UTM and that should help to terminate IPsec tunnel with Old IP address.
In reply to Jaydeep:
This was my idea already too, but I was not true what it meant when the UTM said "The preshared key object requires text data for the preshared key attribute.". I didn't understand this message. Ok, now I just reinserted my PSK and changed the VPN to "respond only" in the UTM. DPD was already active.The tunnel came up within a few minutes then after the IP change.Do you know how fast the DPD is supposed to find the dead peer? Shouldn't the tunnel be re-established with a fraction of a second?I am not sure how to verify the Fortigate device about in what mode it currently operates. I am discussing this now with Fortigate support as well.Thank for your help as always. Very appreciated !
In reply to GKR:
DPD timeout is 120 seconds. So this tunnel should come up within 120 seconds after the IP change.
Thank you for the clarificiation.it seems to work now this way. Thanks for helping
Jaydeep is there any further tweaking reg. DPD that can be done?Is there a VPN-manual/documentation where I can read about all of this?In the Fortigate I can configure all of this:
config vpn ipsec phase1-interface edit <Tunnel Name> set dpd [disable | on-idle | on-demand] set dpd-retryinveral 15 set dpd-retrycount 3 nextend
Unfortunately, This option is not available in UTM. However, there is a feature request available here. Please vote for it if you would like this feature to be available in UTM.