This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPsec Connection down

I am configuring some IPsec vpn between my client's main office and 10 branch offices.
In the main office I installed a Sophos xgs116 (SFOS 19.0.1 MR-1-Build365) to replace an old Zyxel Usg 300 and in the peripheral offices there are 8 Sophos XG85 (SFOS 17.5.17 MR-17-Build837) and 2 Fritzbox.
In another peripheral location there is an SD-RED 20

The main office has a public static IP while the branch offices have no public IP.

It was easy to configure the vpn tunnels using the default profiles DefaultHeadOffice and DefaultBranchOffice using a different Preshared key for each tunnel. VPNs go up fast and work fine for a few hours then inexplicably go down.

The only way I have found to put them back on their feet is to change the preshared key used for the tunnel; it is a situation that is not possible to manage in this way, also because the vpn between the sophos of the peripheral offices and the old zyxel worked well.

What can I check to try to solve this problem? Do you have any suggestions?
Thank you

This thread was automatically locked due to age.

Top Replies

Bharat J over 1 year ago +1 verified

malachite said: The main office has a public static IP while the branch offices have no public IP. In this case, you have to use DDNS services where there is no static or public IP. Thanks and Reg…

+1 Bharat J over 1 year ago

malachite said:
The main office has a public static IP while the branch offices have no public IP.

In this case, you have to use DDNS services where there is no static or public IP.

Thanks and Regards

"Sophos Partner: GuiNet Technologies Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up +1 Vote Down

Cancel
+1 malachite over 1 year ago

In remote office Firewall logs I see

"parsing IKE message from xxxx.xxxx.xxxx.xxxx[500] failed"
Cancel
Vote Up +1 Vote Down

Cancel
0 Bharat J over 1 year ago in reply to malachite

Yes, seems Port 500 is blocked or not allowed from the remote end ISP router configuration

Regards

"Sophos Partner: GuiNet Technologies Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 malachite over 1 year ago in reply to Bharat J

Thank you for response, I'm going to allow port UDP500 and UDP4500 for remote offices; but I don't understand why no problem with zyxel at head office.
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J over 1 year ago in reply to malachite

Is it for tunnel between Sophos xgs116 (SFOS 19.0.1 MR-1-Build365) and Sophos XG85 (SFOS 17.5.17 MR-17-Build837) ?or with Sophos xgs116 (SFOS 19.0.1 MR-1-Build365) and 2 Fritzbox.?

Issue might be with Default policy

Regards

"Sophos Partner: GuiNet Technologies Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 malachite over 1 year ago in reply to Bharat J

Hello, just an update. I checked all my configuration and find only 2 router with UDP port blocked. At this time my vpn are up with IKEv2 profiles. Resolved at this moment the fritzbox problem but randomly the vpn goes down.

Now I'm searching to set IPSEC with RSA as in https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122440/best-practice-for-site-to-site-policy-based-ipsec-vpn but the XG85 don'activate the connection
Cancel
Vote Up 0 Vote Down

Cancel
0 Bharat J over 1 year ago in reply to malachite

malachite said:
Now I'm searching to set IPSEC with RSA as in https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122440/best-practice-for-site-to-site-policy-based-ipsec-vpn but the XG85 don'activate the connection

Try this link: https://support.sophos.com/support/s/article/KB-000035717?language=en_US

"Sophos Partner: GuiNet Technologies Pvt Ltd".

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 malachite over 1 year ago in reply to Bharat J

The error is "All the connections shared between end points must have the same authentication methods and credentials"
Cancel
Vote Up 0 Vote Down

Cancel
0 PhilippRusch over 1 year ago in reply to malachite

Please show us screenshots of your tunnel definitions in HQ and branch office. You could obfuscate parts of the IPs for security reasons.

Mit freundlichem Gruß, best regards from Germany,

Philipp Rusch

New Vision GmbH, Germany
Sophos Silver-Partner

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 malachite over 1 year ago in reply to PhilippRusch

I show you the VPN configuration between the main office (HO_1) and one of the secondary offices (BO_1). The configuration is the same for the other secondary offices where the Sophos XG85 is located.
At this moment the vpn connection is established correctly but I encounter two problems:
1) if the VPN falls it does not go up; I am forced to change the Preshared key to manually re-establish the Tunnel
2) if I change the authentication method from Preshared key to RSA key
on the secondary office device I cannot activate the connection and I receive the error previously reported ("All the connections shared between end points must have the same authentication methods and credentials")
Cancel
Vote Up 0 Vote Down

Cancel