
IPsec strongSwan issue.

Ever since I upgraded to v18.5.4 MR4-Build418 from SFOS18.0.5 MR-5-Build586, I've been plagued by IPsec issues.
Currently using XG450 and I'm forced to revert back to SFOS18.0.5 MR-5-Build586.

However, the issue has not gone away even after I reverted back.
Most of my IPsec tunnels are backhauled to our HQ office's XG450 from SG125 UTM9 units.
There are 16 UTM9 units. The 4 units that are not affected are using static IPs.
The 12 units that have an asterisk as the remote gateway are currently using dynamic IPs.
All tunnels use PSK.
They all worked initially with the same PSK.
After getting some issues with some tunnels disconnecting after the firmware update, I decided to create an individual separate PSK for each tunnel.
However, it became worse. When I managed to bring up 1 IPsec tunnel, it brought down 5 tunnels the next day.
I tried doing 2 more tunnels, and 8 tunnels went down the subsequent day.
I've been running out of ideas lately.
The latest firmware really screwed up IPsec tunnels in a very bad way.
I'm currently looking to shift out of Sophos. Every time Sophos rolls out a new update, it screws up and breaks everything.
I feel I can't keep up with their mindset.

  • Actually this should not be an issue.

    It is by design and, as far as I can remember, this has been the case for years.

    Remote Access * can only use the same PSK.

    You can cheese the system, as the PSK is only used in IPsec Phase 1. So you can build up the tunnel with PSK1, then change the PSK to PSK2 and build up the next tunnel. The first tunnel will exist until it gets interrupted for whatever reason.

    You should switch to DDNS instead. Or use the same PSK.

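To make the "by design" constraint in the reply above concrete, here is an added toy model of how a responder picks a pre-shared key for an incoming peer; it is constructed for this thread and is not Sophos, SFOS or strongSwan code. Hostnames, IP addresses and PSK strings are made up. The model shows why several wildcard (asterisk) tunnels collapse onto one PSK, why a DDNS name per branch lets each tunnel keep its own PSK, and why an already established tunnel survives a PSK change until something forces a fresh Phase 1 (such as a reboot).

```python
"""Toy model of responder-side PSK selection for IKE Phase 1.
Constructed illustration only; not the behaviour of any specific product."""

from dataclasses import dataclass

# Constructed DDNS table: hostname -> current public IP of the branch unit.
DDNS = {
    "branch07.example.net": "203.0.113.7",
    "branch08.example.net": "203.0.113.8",
}


@dataclass
class Tunnel:
    name: str
    remote_gateway: str  # static IP, DDNS hostname, or "*" for any peer
    psk: str             # PSK configured on the HQ side for this tunnel


def select_psk(tunnels, peer_ip):
    """Return the PSK the responder will try for a peer at peer_ip.

    Entries that name a specific peer (static IP, or a DDNS name that
    currently resolves to the peer) win. A peer that matches nothing
    specific can only be served by a wildcard entry, and the responder
    cannot tell several "*" entries apart before authentication, so the
    first wildcard PSK is the only one that is ever used for such peers.
    """
    for t in tunnels:
        if DDNS.get(t.remote_gateway, t.remote_gateway) == peer_ip:
            return t.psk
    for t in tunnels:
        if t.remote_gateway == "*":
            return t.psk
    return None


def phase1_ok(tunnels, peer_ip, branch_psk):
    """Phase 1 authenticates only if both sides hold the same PSK."""
    return select_psk(tunnels, peer_ip) == branch_psk


def bring_up(tunnels, peers):
    """Fresh start (e.g. after a reboot): every peer must pass Phase 1.

    peers: list of (name, current_ip, psk_configured_on_branch).
    Returns {name: True if the tunnel comes up}.
    """
    return {name: phase1_ok(tunnels, ip, psk) for name, ip, psk in peers}


def rekey_phase2(established):
    """Phase 2 rekeys derive fresh keys between the peers without the PSK,
    so tunnels that are already up stay up after a PSK change on HQ."""
    return dict(established)


# Constructed branch units on dynamic IPs, each handed its own PSK.
PEERS_DYNAMIC = [
    ("b07", "203.0.113.7", "psk-b07"),
    ("b08", "203.0.113.8", "psk-b08"),
]


def wildcard_config():
    # Two "*" tunnels with different PSKs: only the first PSK is usable.
    return [Tunnel("b07", "*", "psk-b07"), Tunnel("b08", "*", "psk-b08")]


def ddns_config():
    # Same branches addressed by DDNS name: each keeps its own PSK.
    return [
        Tunnel("b07", "branch07.example.net", "psk-b07"),
        Tunnel("b08", "branch08.example.net", "psk-b08"),
    ]


if __name__ == "__main__":
    print("wildcard:", bring_up(wildcard_config(), PEERS_DYNAMIC))
    print("ddns:    ", bring_up(ddns_config(), PEERS_DYNAMIC))
    # An established tunnel survives a later PSK change ...
    up = rekey_phase2({"b08": True})
    # ... but a reboot re-runs Phase 1 against the current config.
    print("after reboot:", bring_up(wildcard_config(), PEERS_DYNAMIC))
```

Running it shows the second wildcard branch failing Phase 1 while the DDNS variant brings both up, which is the practical reason behind the advice to move dynamic peers to DDNS names or to keep one shared PSK for all wildcard tunnels.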

  • I've seen discussions actually advise using multiple tunnels with the same PSK.
    However, there's also the issue of having too much backhauling to HQ: the firewall can run into issues recognizing the tunnels since there are multiple gateways with wildcards.

  • You even see a popup if you change the PSK in a wildcard tunnel.


  • OK, according to what you say, correct me if I'm wrong.
    You suggest that when creating the 1st tunnel, I can establish it with PSK1.
    After successfully establishing the 2nd tunnel with PSK2, I can go back to the 1st tunnel and change PSK1 to PSK2 to prevent the tunnel from disconnecting.

  • But if you reboot the appliance, all "invalid PSK" tunnels will not be established.

    IPsec works in two phases. Phase 1 is PSK driven. Phase 2 is key driven. So an IPsec tunnel can live with an invalid PSK, as the key will be renewed between both peers without the PSK.

