
IPsec strongSwan issue.

Ever since I upgraded to v18.5.4 MR4-Build418 from SFOS18.0.5 MR-5-Build586, I've been plagued by IPsec issues.
Currently using an XG450, and I'm forced to revert back to SFOS18.0.5 MR-5-Build586.

However, the issue has not gone away even after I reverted back.
Most of my IPsec tunnels are backhauled to our HQ office's XG450 from SG125 UTM9 units.
There are 16 UTM9 units. The 4 units that are not affected are using static IPs.
The 12 units that had an asterisk as remote gateway are currently using dynamic IPs.
All tunnels using PSK.
They all worked initially with 1 same PSK.
After getting issues with some tunnels disconnecting after the firmware update, I decided to create an individual, separate PSK for each tunnel.
However, it became worse. When I managed to bring up 1 IPsec tunnel, it brought down 5 tunnels the next day.
I tried doing 2 more tunnels, and 8 tunnels went down the subsequent day.
I've been running out of ideas lately.
The latest firmware really screws up IPsec tunnels in a very bad way.
I'm currently looking to shift out of Sophos. Every time Sophos rolls out a new update, it screws up and breaks everything.
I feel I can't keep up with their mindset.

  • 12 units that had asterisk as remote gateway are currently using dynamic IP.

    With SFOS18.0.5 MR-5-Build586, an asterisk will work if it is set in the remote gateway, but not with the later versions v18.5 and v19.

    Now, if you want to run Sophos XG with the latest firmware versions, the remote gateway does not support the * asterisk on the IPsec VPN tunnel; in your case you have to use DDNS or a public static IP instead.

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • That is not correct. You can use Wildcard. 


  • Yes, you are right it worked with v18.5.4 MR4-Build418 .

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • I notice that all of the affected tunnels are actually the ones with a wildcard.
    Anything without a wildcard is fine, even with a different PSK.
    It's kind of hectic and confusing to rectify the issue,
    since generally I have to use the same PSK for every tunnel, which is extremely risky.
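
    As an added example (not from this thread, and not Sophos' own configuration), here is how the per-peer PSK setup the poster wants is expressed in strongSwan's own swanctl.conf on an HQ responder that accepts peers from any address: remote_addrs = %any plays the role of the "*" remote gateway, and each branch is matched by its IKE identity rather than its address, so every tunnel can carry its own PSK. The caveat a practitioner should know is that this only works with IKEv2 (or IKEv1 aggressive mode), because IKEv2 sends the initiator's identity in IKE_AUTH before the PSK is checked; in IKEv1 main mode the identity is only sent after the PSK-derived keys are in use, so all wildcard peers on main mode must share one PSK. All hostnames, addresses, subnets and secrets below are placeholders.

    ```conf
    # Added example: strongSwan swanctl.conf for an HQ responder that accepts
    # dynamic-address branches, each authenticated with its own PSK.
    # Every name, address, subnet and secret here is a placeholder.
    connections {
        branch-01 {
            version = 2                       # IKEv2: IDi arrives before the PSK is verified
            local_addrs  = 203.0.113.10       # HQ public address (placeholder)
            remote_addrs = %any               # equivalent of the "*" remote gateway
            proposals = aes256-sha256-modp2048
            local {
                auth = psk
                id = hq.example.test
            }
            remote {
                auth = psk
                id = branch-01.example.test   # peer is selected by this identity, not by IP
            }
            children {
                branch-01-net {
                    local_ts  = 10.0.0.0/24   # HQ LAN (placeholder)
                    remote_ts = 10.1.0.0/24   # branch LAN (placeholder)
                    esp_proposals = aes256gcm16
                }
            }
        }
        branch-02 {
            version = 2
            local_addrs  = 203.0.113.10
            remote_addrs = %any
            proposals = aes256-sha256-modp2048
            local {
                auth = psk
                id = hq.example.test
            }
            remote {
                auth = psk
                id = branch-02.example.test
            }
            children {
                branch-02-net {
                    local_ts  = 10.0.0.0/24
                    remote_ts = 10.2.0.0/24
                    esp_proposals = aes256gcm16
                }
            }
        }
    }

    # One IKE secret per branch identity; no shared key is ever needed.
    secrets {
        ike-branch-01 {
            id = branch-01.example.test
            secret = "REPLACE-WITH-UNIQUE-PSK-01"
        }
        ike-branch-02 {
            id = branch-02.example.test
            secret = "REPLACE-WITH-UNIQUE-PSK-02"
        }
    }
    ```

    Load it with swanctl --load-all. Each branch must send the identity listed under its remote id (its own local id on the initiator side); a peer whose identity has no entry under secrets is rejected rather than falling back to a shared key, which is the property that makes rotating or revoking one branch's PSK safe for the others.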

  • Hi ywillie 

    May I know the firmware version running on the Sophos Firewall, and whether it is an XG or XGS series appliance or a virtual one?

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
