
Auto-Reconnect IPsec VPN site to site XG105 XG85

Hello,

I got two Sophos XG85 and one X105.

The two X85 devices are connecting to the X105 Sophos via IPsec Site to Site VPN. That works fine.

But when a device is rebooting or losing its power supply for some seconds, it doesn't re-establish the VPN connections between the two X85 Sophos.

On the XG105 and on both X85 the "Gateway Type" under VPN Settings is on "Initiate the connection".

Must I set the Gateway Type to "Respond only" on the X105 device and leave it on "Initiate the connection" on the XG85?


Or what must I configure to establish an automatic reconnection for the VPN profiles if one Sophos is rebooting?

Thanks so far



  • Which firmware version do you use on both sites?

  • LuCar Toni said:

    Which firmware version do you use on both sites?

    On all devices it's SFOS 17.1.3 MR-3
  • Hello Patrick,

    You may set the connection as Initiate the connection on both ends, as both firewalls would establish the connection if one is down. There is an option in the VPN policy when assigned to the IPsec connection. This option would automatically re-establish the connection if the peer is dead or not reachable.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


  • Aditya Patel said:

    Hello Patrick,

    You may set the connection as Initiate the connection on both ends, as both firewalls would establish the connection if one is down. There is an option in the VPN policy when assigned to the IPsec connection. This option would automatically re-establish the connection if the peer is dead or not reachable.

    Hello Aditya

    Thanks for your help, I think that is the solution.

    If I connect via the internet via Remote Access to the Sophos router and want to save the changes for the IPsec policy, the Sophos is saying

    "Sophos API::Default configuration could not be update"

    And the modification will not be saved.

    Is there a special config I must activate for the API interface to modify configurations via WAN for the XG series?

  • Or is there a missing permission entry under the Local Service ACL for VPN?

    Currently on the XG devices these configurations are activated:

  • Patrick Pulito said:
    "Sophos API::Default configuration could not be update"

    Did you work this out? I have the same issue. I can clone the policy, which allows me to change it.

    If I try to apply that to the existing VPN tunnel I cannot select the cloned policy (it is in red).

    Sophos XG 450 (SFOS 18.5.1 MR-1)

    Sophos R.E.D 50 x 2

    Always configuring new stuff.....

  • I am also facing the same issue: when I cloned the Default policy I am not able to select the policy which I created, and it is also marked in red.

  • FormerMember in reply to Arvind Kumar2:

    Hi Arvind Kumar2,

    For the policy in red, what is the Dead Peer Detection setting "When peer is unreachable"? Is it Re-initiate? If yes, this policy is only configurable if the gateway type is configured as Initiate the connection. The policy in red means you have the gateway type selected as Respond only. You have to change the Dead Peer Detection setting on the cloned policy to either Hold or Disconnect.

    Thanks,
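The two rules the thread settles on (a Dead Peer Detection action of "Re-initiate" can only be attached to a connection whose gateway type is "Initiate the connection", which is why the cloned policy shows in red on a "Respond only" connection; and the tunnel only comes back by itself if some end initiates or re-initiates) can be captured as a small configuration audit. The following is an added illustration, not Sophos code and not an API of SFOS: the class names, the `initiate`/`respond_only`/`re_initiate` labels and the connection names are constructed, and the model assumes (simplification) that an initiating end dials out again when it boots while a respond-only end just waits for its peer.

```python
"""Toy compatibility audit for XG-style IPsec site-to-site settings.

Added illustration, not Sophos code. It encodes only what the thread states:
  1. DPD action "Re-initiate" requires gateway type "Initiate the connection".
  2. An end that initiates (or re-initiates via DPD) is what brings the tunnel
     back after the other end reboots or loses power.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed labels for the GUI choices "Initiate the connection" / "Respond only"
GATEWAY_TYPES = ("initiate", "respond_only")
# Constructed labels for the policy's "When peer is unreachable" options
DPD_ACTIONS = ("hold", "disconnect", "re_initiate")


@dataclass(frozen=True)
class IPsecPolicy:
    name: str
    dpd_action: str  # value of "When peer is unreachable"

    def __post_init__(self) -> None:
        if self.dpd_action not in DPD_ACTIONS:
            raise ValueError(f"unknown DPD action: {self.dpd_action}")


@dataclass(frozen=True)
class IPsecConnection:
    name: str  # constructed label such as "XG105-to-XG85"
    gateway_type: str
    policy: IPsecPolicy

    def __post_init__(self) -> None:
        if self.gateway_type not in GATEWAY_TYPES:
            raise ValueError(f"unknown gateway type: {self.gateway_type}")


def policy_problem(conn: IPsecConnection) -> Optional[str]:
    """Why the attached policy would be unselectable (shown in red), or None."""
    if conn.gateway_type == "respond_only" and conn.policy.dpd_action == "re_initiate":
        return (f"{conn.name}: policy '{conn.policy.name}' uses DPD 'Re-initiate', which "
                f"needs gateway type 'Initiate the connection'; either make this end "
                f"initiate or set the policy's DPD action to 'Hold' or 'Disconnect'")
    return None


def side_reinitiates(conn: IPsecConnection) -> bool:
    """True if this end rebuilds the tunnel itself once DPD declares the peer dead."""
    return (conn.gateway_type == "initiate"
            and conn.policy.dpd_action == "re_initiate"
            and policy_problem(conn) is None)


def recovers_after_reboot(rebooted: IPsecConnection, peer: IPsecConnection) -> bool:
    """Does the tunnel return without manual action after `rebooted` restarts?

    Assumption (simplified model): an initiating end dials out again on boot;
    a respond-only end waits, so it only recovers if the peer re-initiates.
    """
    return rebooted.gateway_type == "initiate" or side_reinitiates(peer)


def audit_tunnel(a: IPsecConnection, b: IPsecConnection) -> List[str]:
    """Collect findings for one site-to-site tunnel between connections a and b."""
    findings = [p for p in (policy_problem(a), policy_problem(b)) if p]
    for rebooted, peer in ((a, b), (b, a)):
        if not recovers_after_reboot(rebooted, peer):
            findings.append(f"tunnel will not auto-reconnect after {rebooted.name} reboots: "
                            f"it is respond-only and {peer.name} does not re-initiate")
    return findings


if __name__ == "__main__":
    # Constructed sample: a clone of the default policy with DPD set to Re-initiate.
    reinit = IPsecPolicy("Default-clone", "re_initiate")
    hq = IPsecConnection("XG105-to-XG85", "initiate", reinit)
    branch_ok = IPsecConnection("XG85-to-XG105", "initiate", reinit)
    branch_red = IPsecConnection("XG85-to-XG105", "respond_only", reinit)
    for finding in audit_tunnel(hq, branch_ok) + audit_tunnel(hq, branch_red):
        print(finding)
```

Run as a script it reports only the second tunnel, whose respond-only end carries the re-initiate policy; the first tunnel (both ends initiating with re-initiate, the configuration recommended in the thread) produces no findings.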