IPSEC - cannot route - route already in use

We have a router that establishes an IPsec connection with the UTM. This router has a dynamic IP and as such is set to "Respond Only" for the gateway in the IPsec site-to-site config on the UTM. Connects just fine.

Now, if we turn this router off, the IPsec connection drops as expected. However, the UTM seems to just sit there with the route established, i.e. it doesn't detect the link is down and delete the route.

DPD seems to kick in after about 120s, at which time the security association (and route) is then deleted by the UTM. The remote router can then connect and establish an IPsec connection to the UTM.

However, if the remote router tries to connect to the UTM before this route is deleted by DPD, the UTM complains about the route already being in place. Obviously because it is still there. As the remote router retries, the UTM then further complains about the maximum number of retries being reached and the remote router cannot connect.

Any ideas for a workaround? My immediate thoughts are that the DPD detection time needs to be brought down on the UTM side so that the routes can be deleted.

  • Hi Louis,

    but that’s what DPD is for. The UTM or any other Router can’t detect the vanished tunnel without DPD timeout.

    What might be interesting, does the dynamic router keep the IP Address if it tries to reconnect after power off?

    But at the end you should lower the timeout. I don’t know the exact use case, but how many disconnects does this device have a day? Is there really a difference if this lasts 30 or 120 seconds?

    Best regards

    Alex

  • In reply to Alexander Busch:

    It does have a number of disconnects because it's mobile. It is a 4G router that picks up a private dynamic IP address every time it connects.

    I've gone into the cli on the UTM and altered the dpd timeouts to dpddelay=20s and dpdtimeout=40s and it appears to work now.

    I can restart the router (it takes about 70s from a cold start) and it connects without issue. The UTM detects the drop at 40s and deletes the route and the remote router can connect as there is no previous route.

    My only concern now is if the remote router IP changes between towers which could mean a 5 second drop out etc at which time I don't think this would work unless I change the dpd timeouts to even lower.
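
    The timing race in this reply and the opening post can be modelled in a few lines. This is an added example, not code from the thread or from Sophos; `DpdConfig`, `sa_cleared_at` and `reconnect_collides` are names chosen here, and the timing rules are a simplification of the IKEv1 `dpddelay`/`dpdtimeout` behaviour (an idle tunnel, probes counted from the last answered one).

```python
# Added example (not from the thread or from Sophos): a small model of the
# IKEv1 dead-peer-detection race described above.  Simplified semantics of
# the ipsec.conf dpddelay/dpdtimeout settings: the responder sends a liveness
# probe every dpddelay seconds on an idle tunnel, measures silence from the
# last answered probe, and deletes the SA and its route once that silence
# reaches dpdtimeout.  All times are constructed values in seconds.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class DpdConfig:
    dpddelay: float    # seconds between liveness probes on an idle tunnel
    dpdtimeout: float  # silence since the last reply before the peer is dead


def sa_cleared_at(cfg: DpdConfig, drop_at: float, last_reply_at: float = 0.0) -> float:
    """Time at which the responder declares the peer dead and deletes SA/route.

    Probes go out at last_reply_at + k*dpddelay.  Probes sent before drop_at
    are answered and reset the silence clock; the first probe whose silence
    reaches dpdtimeout triggers the delete.  Assumes no other tunnel traffic.
    """
    if cfg.dpddelay <= 0 or cfg.dpdtimeout <= 0:
        raise ValueError("dpddelay and dpdtimeout must be positive")
    t = last_reply_at
    while True:
        t += cfg.dpddelay
        if t < drop_at:                        # peer still up: probe answered
            last_reply_at = t
        elif t - last_reply_at >= cfg.dpdtimeout:
            return t


def reconnect_collides(cfg: DpdConfig, drop_at: float, reconnect_at: float,
                       last_reply_at: float = 0.0) -> bool:
    """True if the peer returns while its stale SA/route is still installed,
    which is the situation behind the 'route already in use' error."""
    return reconnect_at < sa_cleared_at(cfg, drop_at, last_reply_at)


def worst_case_stale_seconds(cfg: DpdConfig) -> float:
    """Longest a dead peer's route can stay installed: the peer may drop right
    after answering a probe, so the wait is dpdtimeout rounded up to a probe."""
    return math.ceil(cfg.dpdtimeout / cfg.dpddelay) * cfg.dpddelay


if __name__ == "__main__":
    default = DpdConfig(dpddelay=30, dpdtimeout=120)   # ~120s as seen in the thread
    tuned = DpdConfig(dpddelay=20, dpdtimeout=40)      # values set in this reply
    for name, cfg in (("default", default), ("tuned", tuned)):
        for downtime in (70, 5):                       # cold start vs tower handoff
            print(name, downtime, "collides" if reconnect_collides(cfg, 0, downtime) else "ok")
```

Running it shows the 70s cold start collides with the default timers but not the tuned ones, while a 5s handoff still collides with both, which is exactly the remaining concern.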

  • In reply to Louis-M:

    Just an idea, maybe it’s an alternative to use SSL VPN instead of IPsec? Maybe there isn’t so much headache when the connection reestablishes.

  • In reply to Alexander Busch:

    I could try, but bear in mind this is a site-to-site connection with one side having a dynamic IP. Has anybody got an OpenVPN site-to-site connection to a UTM?

  • In reply to Louis-M:

    Hi Louis,

    IKEv2 (with MOBIKE) would perfectly solve this issue, but sadly Sophos hasn't updated the IPsec stack in the UTM for years.
    https://ideas.sophos.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/223231-vpn-ike-v2-support

    I would also advise using SSL VPN/OpenVPN instead (site-to-site).

  • In reply to JosefBergmann:

    I managed to change this to an SSL VPN and that works perfectly. I can lose the connection, come back up with a different IP and the connection adjusts itself. Problem solved, goodbye IPsec!

  • In reply to Louis-M:

    Dear Louis,

    glad to hear that the solution inspired by Josef and me was a success and solved the problem.

    Best regards

    Alex

  • In reply to Alexander Busch:

    Yes. Thank you. TBH, I tried the SSL VPN but couldn't get it to work site-to-site due to the way Sophos uses their apc file. I got close with IPsec, e.g. DPD down to 20 secs, but this wasn't enough and I wasn't convinced it would be 100% reliable, e.g. a 3 second drop in connection.

    Getting the OpenVPN site-to-site running with the UTM isn't quite straightforward either, but hey ho, got there in the end and it's working a treat.