Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 10 replies
  • Answers 2 answers
  • Subscribers 42 subscribers
  • Views 3540 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSEC Strongswan issue.

Net AdminElken

Eversince i upgraded to v18.5.4 MR4-Build418 from SFOS18.0.5 MR-5-Build586, i've been plagued by IPSEC issues.
Currently using XG450 and i'm force to revert back to SFOS18.0.5 MR-5-Build586.

However the issue has not gone away even after i revert back.
Most of my ipsec tunnels are backhauled to our HQ office's XG450 from SG125 UTM9 units.
There're 16 units of UTM9. 4 units there're not affected are using Static IP.
12 units that had asterisk as remote gateway are currently using dynamic IP.
All tunnels using PSK.
They all worked initially with 1 same PSK.
After getting some issues of some tunnels disconnecting after the firmware update, i decides to create an individual seperate psk for each tunnel.
However, it became worse. When i manage to up 1 ipsec tunnel, it brought down 5 tunnel next day.
I tried with doing 2 more tunnels, 8 tunnels went down the subsequent day.
I've been running out of ideas lately..
The latest firmware really screw up ipsec tunnel in a very bad way.
I'm currently looking to shift out of sophos. Everytime sophos roll out a new update, it screw up and breaks everything.
I feel i can't keep up with their mindset. 






This thread was automatically locked due to age.
  • 0

    Actually this should be not a issue. 

    It is by design and as far as i can remember, this was the case for years. 

    Remote Access * can only use the same PSK. 

    You can cheese the system, as PSK is only used in IPsec Phase1. So you can build up the tunnel with PSK1, then you change the PSK to PSK2 and build up the next tunnel. The first tunnel will exists until it gets interrupted for whatever reason.

    You should switch to a DDNS instead. Or use the same PSK: 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I've seen discussion actually advise using multiple tunnel using the same psk.
    However, there's also issue of having too much backhauling to HQ, the firewall can run into issue of recognizing the tunnels since there're multiple gateways with wildcards.

  • 0 in reply to Net AdminElken

    You even see a popup, if you change the PSK in a Wildcard Tunnel. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Ok according to what u say, correct me if i'm wrong. 
    You suggest that when creating the 1st tunnel , i can establish it with psk1.
    After successfully establishing 2nd tunnel with psk2 , i can go back to 1st tunnel and change psk1 to psk2 to prevent the tunnel from disconnecting.

  • 0 in reply to Net AdminElken

    But if you reboot the appliance, all "Invalid PSKs" will not be established. 

    IPsec works in two phases. Phase 1 is PSK driven. Phase 2 is key driven. So an IPsec Tunnel can life with a invalid PSK, as the key will be renewal ed between both peers without the PSK. 

    __________________________________________________________________________________________________________________

  • 0
    Net AdminElken said:
    12 units that had asterisk as remote gateway are currently using dynamic IP.

    With SFOS18.0.5 MR-5-Build586 version asterisk will work if it is set in the remote gateway, not with later versions v18.5 and v19.

    Now if you want to run Sophos XG with the latest firmware versions remote gateway does not support * asterisk on the IPSec VPN tunnel, in your case you have to use DDNS or  Public Static IP instead. 

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to Bharat J

    That is not correct. You can use Wildcard. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Yes, you are right it worked with v18.5.4 MR4-Build418 .

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to LuCar Toni

    I notice that all of the affected tunnels are actually the ones with wildcard.
    Anything without a wildcard are fine even with different PSK.
    It's kind of hectic and confusing to rectify the issue.
    Since generally i've to use the same psk for every tunnel which is extremely risky.

  • 0 in reply to ywillie

    Hi ywillie 

    May I know Firmware version running on Sophos Firewall, is it XG or XGS Series Appliances or virtual?

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

Unfiltered HTML