IPSEC - cannot route - route already in use

Hi Louis,

but that’s what DPD is for. The UTM or any other Router can’t detect the vanished tunnel without DPD timeout.

What might be interesting, does the dynamic router keep the IP Address if it tries to reconnect after power off?

But at the end you should lower the timeout. I don’t know the exact use case but how many disconnects does this device have a day. Is there really a difference if this lasts 30 or 120 seconds?

Best regards 

Alex 

Hi Louis,

but that’s what DPD is for. The UTM or any other Router can’t detect the vanished tunnel without DPD timeout.

What might be interesting, does the dynamic router keep the IP Address if it tries to reconnect after power off?

But at the end you should lower the timeout. I don’t know the exact use case but how many disconnects does this device have a day. Is there really a difference if this lasts 30 or 120 seconds?

Best regards 

Alex 

It does have a number of disconnects because its mobile. It is a 4G router that picks up a private dynamic IP address every time it connects.

I've gone into the cli on the UTM and altered the dpd timeouts to dpddelay=20s and dpdtimeout=40s and it appears to work now.

I can restart the router (it takes about 70s from a cold start) and it connects without issue. The UTM detects the drop at 40s and deletes the route and the remote router can connect as there is no previous route.

My only concern now is if the remote router IP changes between towers which could mean a 5 second drop out etc at which time I don't think this would work unless I change the dpd timeouts to even lower.

Just an idea, maybe it’s an alternative to use SSL VPN instead of IPSec? Maybe there isn’t so much headache when the connection reestablish.

I could try but bear in mind this is a site to site connection with one side having a dynamic IP. Has anybody got an openvpn site to site connection to a UTM?

Hi Louis,

IKEv2 (with MOBIKE) would be perfectly solve this issue, but sadly Sophos won't update their IPsec-stack in the UTM since years.
https://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/223231-vpn-ike-v2-support

I would also advise to use SSLVPN/openvpn instead (sites2site).

I managed to change this to an SSL VPN and that works perfectly. I can lose the connection, come back up with a different IP and the connection adjusts itself. Problem solved, goodbye IPSEC!

Dear Louis,

glad to hear that the solution inspired by Josef and me was a success and solve the problem.

Best regards 

Alex 

Yes. Thank you. TBH, I tried the SSL VPN but couldn't get it to work site to site due to the way Sophos uses their apc file. I got close with IPSEC eg DPD down to 20 secs but this wasn't enough and I wasn't convinced it would be 100% reliable eg 3 second drop in connection.

Getting the OPVN site to site running with the UTM isn't quite straight forward either but hey ho, got there in the end and it's working a treat.