XG or XGS with SFOS 19.0.1 is the IPsec site-to-site tunnel initiator. The other side is the responder.
Whenever I change the IPsec connection, e.g. add a host or network object or change something in the security settings, the tunnel terminates and does not recover by itself. It becomes "red".
Of course I change it on both sides: first on the XG as initiator, so I do not cut off my management connection to the machine, then on the responder.
I need to connect to the remote site over backdoors or Sophos Central and re-activate the tunnel.
Why can't the machine do this itself after the change to the tunnel? It is totally senseless to me that it just fails and then sits in that failed state until an admin manually comes in remotely and clicks on the connect button.
This issue has been known to me since I started managing XG (SFOS 17.5), and it is nothing new.
Are there plans to change this?
Hello LHerzog, thank you for reaching out to the community. May we know which encryption profile you are using, IKEv1 or IKEv2? And is XG configured on both sites, or is the remote side a different device?
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
It is IKEv1, as the remote responder is a Sophos UTM.
Ahan! I would recommend using IKEv2 over IKEv1 and setting the Key Negotiation Tries to 0. But unfortunately UTM 9 does not support IKEv2, hence you cannot change it! Such an issue would not occur if the remote site were also configured with XG instead of UTM 9. There are many benefits that IKEv2 provides over IKEv1.
Thanks for your update, but I see no reason why it should depend on IKE. XG should just terminate and reconnect after the change. But this is something it doesn't do. Why does it work when I only click on connect? That is what the machine logic should do.
IKEv2 is more reliable, as all message types are defined as request and response pairs; IKEv2 has built-in NAT-T functionality, which improves compatibility between vendors; and IKEv2 has the keepalive option enabled by default. IKEv2 also provides the ability to maintain a VPN session. When you click on connect, the initiation begins again and hence you are able to connect, whereas IKEv2 has a better capability for handling such connections. In short, as informed above, there are various benefits to using IKEv2 over IKEv1.
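The behaviour complained about in this thread (the initiator sits in a failed state after a tunnel change until someone clicks connect) is exactly what a small watchdog can cover on a gateway where you have shell access. The script below is an added example, not code from the thread, from Sophos, or from SFOS: it assumes a generic strongSwan host where `swanctl` is available, and the connection name `site-b` and the sample `swanctl --list-sas` output are constructed for illustration. It checks whether the named connection has an ESTABLISHED IKE_SA and an INSTALLED CHILD_SA and, if not, issues `swanctl --initiate --child`, which is the command-line equivalent of pressing the connect button. It runs in dry-run mode by default so it executes anywhere without a running IKE daemon.

```shell
#!/bin/sh
# Added example (not from the thread or Sophos). Assumes a strongSwan host
# with swanctl; the connection/child name "site-b" is hypothetical.

# Constructed sample of `swanctl --list-sas` for an established tunnel.
SAMPLE_UP='site-b: #3, ESTABLISHED, IKEv1, 1a2b3c4d5e6f7a8b_i* 8b7a6f5e4d3c2b1a_r
  local  203.0.113.10 @ 203.0.113.10[500]
  remote 198.51.100.20 @ 198.51.100.20[500]
  site-b: #7, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    local  10.0.0.0/24
    remote 10.1.0.0/24'

# Constructed sample of the stuck state the thread describes: the initiator
# has an IKE_SA that never completed and no CHILD_SA at all.
SAMPLE_DOWN='site-b: #4, CONNECTING, IKEv1, 0000000000000000_i* 0000000000000000_r
  local  203.0.113.10 @ 203.0.113.10[500]
  remote 198.51.100.20 @ 198.51.100.20[500]'

# tunnel_state OUTPUT NAME
#   Prints "up" when OUTPUT shows NAME with an ESTABLISHED IKE_SA and an
#   INSTALLED CHILD_SA, otherwise "down". Only a CHILD_SA carries traffic,
#   so an ESTABLISHED IKE_SA alone still counts as down.
tunnel_state() {
  output=$1
  name=$2
  ike_ok=0
  child_ok=0
  printf '%s\n' "$output" | grep -q "^${name}: #[0-9]*, ESTABLISHED" && ike_ok=1
  printf '%s\n' "$output" | grep -q "^ *${name}: #[0-9]*, reqid [0-9]*, INSTALLED" && child_ok=1
  if [ "$ike_ok" -eq 1 ] && [ "$child_ok" -eq 1 ]; then
    echo up
  else
    echo down
  fi
}

# watchdog_once NAME [OUTPUT]
#   One watchdog pass: read the SA list (or use OUTPUT in dry-run mode),
#   and re-initiate the child when the tunnel is down. Returns 0 when the
#   tunnel was already up, 1 when a (re)initiate was needed.
#   DRY_RUN=1 (the default) prints the command instead of running it.
watchdog_once() {
  name=$1
  if [ "${DRY_RUN:-1}" = "1" ]; then
    sas=$2
  else
    sas=$(swanctl --list-sas 2>/dev/null)
  fi
  if [ "$(tunnel_state "$sas" "$name")" = "up" ]; then
    return 0
  fi
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "would run: swanctl --initiate --child $name"
  else
    swanctl --initiate --child "$name"
  fi
  return 1
}

# Example run against the constructed samples (no daemon needed):
watchdog_once site-b "$SAMPLE_UP"   || echo "site-b was down, re-initiated"
watchdog_once site-b "$SAMPLE_DOWN" || echo "site-b was down, re-initiated"
```

To run it for real on a strongSwan host, set `DRY_RUN=0` and call `watchdog_once site-b` from a cron entry or a systemd timer every minute or so. On strongSwan the same effect can be had in the connection definition itself (`keyingtries` set to unlimited plus `dpd_delay`/`dpdaction` so a dead peer triggers a restart), which is what the "Key Negotiation Tries = 0" advice above is aiming at; the watchdog is for the case where the daemon has given up on a connection or a configuration reload left it without an active SA.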
Vivek Jagad said: "there are various benefits using IKEv2 over IKEv1"
I totally agree. But it seems you see no need to improve XG behaviour for IKEv1 as well. That is something I would really like to see.