
VPN disconnections

Hi,

We have XG 18.0.4 MR-4.

We are migrating from UTM, where the L2TP VPNs worked perfectly.

We have added all users (local authentication) to the XG.  Users now connect to the XG from home, we have made no change at the Windows end.

Our VPN users are being disconnected randomly, but regularly.

I want to try and work out if it is the client (Windows 10) that is asking for the disconnection, or the XG.

I have looked through access_server.log and charon.log, but there's a lot of data and I'm not sure what I'm looking for.

Is there an easy way to determine which end is causing the disconnection?

Thanks

Adrian



  • Hi,

    I have caught the XG in the act of disconnecting VPNs.

    In charon.log, I get thousands of messages like this:

    2021-03-08 14:18:58 03[NET] ignoring IKE_SA setup from WWW.XXX.YYY.ZZZ, peer too aggressive

    They come in groups of several hundred with the same IP WWW.XXX.YYY.ZZZ.  Then, the IP changes and I get hundreds with the next IP. 

    These are L2TP over IPSec dial-up VPNs from Windows clients.

    Any help would be appreciated.

    Thanks

    Adrian
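
Added example, not from the thread or from Sophos: a small Python script that walks charon.log, keeps only the "peer too aggressive" rejections in the line format quoted above, and groups consecutive rejections from the same source address into bursts with a count and time span. Seeing many rejections from one address within a few seconds, address after address, points to clients retry-storming after a mass disconnect rather than a single bad peer. The sample lines are constructed and the IP addresses are placeholders from a documentation range.

```python
import re
from datetime import datetime

# charon.log line shape quoted in the thread: "<date> <time> NN[GROUP] <message>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \d+\[[A-Z]+\] (.*)$")
AGGRESSIVE_RE = re.compile(r"ignoring IKE_SA setup from ([0-9.]+), peer too aggressive")

def parse_line(line):
    """Return (timestamp, source_ip) for a 'peer too aggressive' line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    a = AGGRESSIVE_RE.search(m.group(2))
    if not a:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), a.group(1)

def retry_bursts(lines, gap_seconds=30):
    """Group consecutive rejections per IP; a burst ends on an IP change or a gap > gap_seconds."""
    bursts, cur = [], None
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unrelated charon message
        ts, ip = ev
        if cur and cur["ip"] == ip and (ts - cur["end"]).total_seconds() <= gap_seconds:
            cur["count"] += 1
            cur["end"] = ts
        else:
            cur = {"ip": ip, "count": 1, "start": ts, "end": ts}
            bursts.append(cur)
    for b in bursts:
        b["seconds"] = (b["end"] - b["start"]).total_seconds()
    return bursts

# Constructed sample in the quoted format; IPs are documentation-range placeholders.
SAMPLE = """\
2021-03-08 14:18:58 03[NET] ignoring IKE_SA setup from 198.51.100.10, peer too aggressive
2021-03-08 14:18:58 05[NET] ignoring IKE_SA setup from 198.51.100.10, peer too aggressive
2021-03-08 14:18:59 03[NET] ignoring IKE_SA setup from 198.51.100.10, peer too aggressive
2021-03-08 14:19:00 11[IKE] IKE_SA established between two peers (unrelated line)
2021-03-08 14:19:30 03[NET] ignoring IKE_SA setup from 198.51.100.22, peer too aggressive
2021-03-08 14:19:31 03[NET] ignoring IKE_SA setup from 198.51.100.22, peer too aggressive
""".splitlines()

if __name__ == "__main__":
    for b in retry_bursts(SAMPLE):
        print(f"{b['ip']}: {b['count']} rejected IKE_SA setups in {b['seconds']:.0f}s")
```

On a real box, feed it the file instead of SAMPLE (`retry_bursts(open("charon.log"))`) and compare the burst start times with the times users report being dropped.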

  • For me this looks like something is trying to hack your IPSec connection. However, someone from Sophos might be able to clarify what this means exactly.


    If your logging is activated you probably also see entries from WWW.XXX.YYY.ZZZ to your WAN interface (most probably on port 500 or 4500).

  • Hello there,

    Thank you for the follow-up.

    Can you change the Windows machine to use Main Mode, or change your L2TP policy to IKEv1?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmo,

    The Windows dial-up VPNs are already main mode and IKEv1.

    I've looked through the IPs that are doing this, and eventually they do reconnect and are legitimate users.

    I'm wondering if "something happens in the XG", and then all L2TP VPNs get disconnected (we usually have 50-70 VPNs connected).  Then, they all try to reconnect at the same time, causing the XG to be overloaded.  Possibly, they all disconnect without the XG knowing at the IPSEC level, so as they try and reconnect, there are a load of half-working SAs, adding to the confusion.

    I'm not sure what to do.  I like the L2TP because it is easy to deploy (it is built in to Windows, and can be configured with a login script).  PPTP is also easy, but we would fail our PCI scan because it is less secure.  Perhaps IKEv2 might be better (also built in to Windows).

    Other options, as far as I can make out, are IPSEC (I think this is OpenVPN, needs a client installation) and SSL (know nothing about the XG implementation).  If anyone has had success with the XG, I would be interested to hear from them.

    Thanks

    Adrian

  • PPTP should not be used nowadays. Too insecure.

    OpenVPN is an implementation of SSL-VPN. AFAIK the IPSec implementation of Sophos is Sophos Connect (at least part of it).

    We have implemented SSL-VPN with 2FA successfully. However, the connection times out after the key renewal time.

  • Hi BeEF,

    Thanks for your comment, we are going to try the OVPN-style SSL VPN.

    I'll mark this as closed and verify your answer.

    Regards

    Adrian