IPSec VPN to Draytek do not reconnect randomly

Question

Hi, 
 I have XGS-126 as IPSec VPN client, calling Draytek router as VPN server. I also tried to reverse sides , but the problem remains the same. 
 From time to time, very randomly, it might be once every 2-3 weeks, or even so frequently like 4 times in 1 hour, VPN tunnel drops and does not re-establish connection. Sometimes manually clicking the red VPN dot establishes connection, but sometimes not. 
 Sophos LOGS are not helping me to diagnose, just a lot of: 
 IKE message retransmission to <Draytek IP> timed out. Check if the remote gateway is reachable. 
 I have VPN Profile settings just mirrored, what's on Draytek side: 
 
 IKE Phase 1, Re-key connection = ON 
 DPD = ON 
 DPD check every: 60 seconds 
 DPD When Peer Unreachable = Re-initiate 
 Dos Protection = OFF 
 DoS & Spoof exceptions added for both IPs as source and destination 
 
 When there was Draytek - Draytek VPN, on the same lines, VPN was rock-stable, never ever had problems. 
 Ideas welcome.

Raphael Alganes · Answer

Hi Andrej Pirman , 
 Good day and thanks for reaching out to Sophos Community and hope you are well. 
 Few queries 
 Was this previously working before and not having any issues? 
 If yes, 
 -does a firmware upgrade happened and then this issue occured (if yes-from which firmware to which firmware?) - was there any configuration changes on either ends? or any ISP change/downtime on either ends? 
 Kindly check as well, if DPD policy is configured as Re-initiate:

Additionally you may Kindly check this IPsec S2S Troubleshooting guide for issues: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/SiteToSiteVPN/t_VPNIPsecSiteToSiteTroubleShootCommonErrors/index.html 
 Hope this helps. Thanks for your time and patience and thank you for choosing Sophos 
 Cheers,

emmosophos · Answer

Hello Andrej, 
 Thank you for the update. 
 They&rsquo;re "duplicated entries" what happens is when somebody marks an answer as suggested, it moves to the Top of the Post. Hence, it&rsquo;s easier/faster to identify a suggested/valid answer in the post. (Usually, the first Suggested answer will only show until there&rsquo;s a verified answer (Green) 
 You should see "TOP Replies" on the Top left part. 
 As per your issue, I would recommend you to get a case open with Support for them to investigate along with you, I suspect that the issue might be related to IPsec acceleration (you can try to disable it from the console of the Sophos Firewall via Putty (4) and running 
 console> system ipsec-acceleration disable 
 However, this would be only a workaround and not a solution. 
 Regards,

Andrej Pirman · Answer

PROBABLY SOLVED! 
 With extensive help from Bharat J (thank you very much!) we came to conclusion, that VPN tunnel between Sophos and Draytek is only problematic, when Sophos is initiating connection to Draytek. So we reversed the direction of VPN tunnel, but still there were problems with dropouts. Indded tunnel dropped down every 30 minutes or so, but if Draytek was initiator, it came back every time. It was a workaround. 
 Then I investigated Draytek Firmware and found out, that just recently Draytek found some IPSec Phase 1 and 2 incosistencies and they published new Firmware. With this new firmware on Draytek, VPN tunnel did not drop down anymore, and after either side rebooting or loosing connectivity, it re-initiated successfuly. 
 I suspect Draytek had an issue with dropping VPN tunnel in such a way, that only another Draytek was able to re-initiate, but Sophos did not. But as told, after Draytek firmware update, this seems is not an issue anymore.

IPSec VPN to Draytek do not reconnect randomly

Top Replies