I had an S2S VPN between an XGS2100 (18.5.3) and an XG125 (19.0.1).
After upgrading both sites to 19.5 GA, the VPN connection crashes 2-3 times a week. The VPN is up and connected, but no traffic is routed over the S2S; only a manual disconnect and reconnect will fix this.
Where do I start to fix a random S2S VPN error / routing error / etc.?
Can I switch strongSwan into debug mode for a week and wait for the next bug?
Or is there any way to find this inside the normal logs?
Can you disable IPsec acceleration on the console?
OK, I did disable IPsec (users will kill me)...
Is there any log that will show the culprit now?
Isn't the XGS designed to use IPsec acceleration in hardware, and shouldn't 19.5 be using it now?
I see that the new 19.5 offers a new IPsec profile 'Branch office (IKEv2)' with an invalid naming convention.
But with IKEv2, the rock solid S2S tunnel still has the old 'Branch office (IKEv1)' profile.
Is this a new stable profile?
So you are saying we changed your profile after the update? And the new profile is not working? Did you or the upgrade migrate the profile?
No, there is no change in the profile during the update process.
I only see new IKEv2 profiles; I think they are new and maybe they are more stable in 19.5 than the old default profiles. I might swap the profile for my VPN tunnel HO-BO and use IKEv2.
We had default HO/BO profiles for IKEv1 so far and only one IKEv2 profile.
The customer uses the same (IKEv2) profile for both the HO and BO locations, which leads to re-key collisions in some cases, and hence we have introduced new default IKEv2 profiles for HO and BO with similar fine tuning of the re-key timer/DPD action etc.
If you are running the IKEv1-based HO/BO profile, it's fine; the recommendation is to switch to the new IKEv2 HO/BO policy if you are currently using the default IKEv2 policy on both ends.
Hope this helps.
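The re-key collision described above, as an added toy model that is not from Sophos or from this thread: two peers sharing one profile fire their rekey timers at the same instant, while staggered HO/BO margins give one side a consistent head start. The profile names and timer values are constructed assumptions, not the firewall's defaults.

```python
"""Toy model of IKEv2 CHILD_SA rekeying between two site-to-site peers.
Constructed example: timer values are illustrative, not Sophos defaults.
Each peer starts a rekey `margin` seconds before the SA lifetime ends;
two CREATE_CHILD_SA exchanges started within `exchange_window` seconds
of each other collide (both sides try to replace the same SA at once).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyProfile:
    name: str
    lifetime: int  # seconds until the CHILD_SA expires
    margin: int    # seconds before expiry at which this peer rekeys

    def trigger(self, sa_established: int) -> int:
        return sa_established + self.lifetime - self.margin


def simulate_rekeys(head, branch, cycles, exchange_window=5):
    """Run `cycles` rekeys of one shared SA; report collisions and, per
    cycle, which side initiated ('HO', 'BO' or 'both')."""
    sa_start, collisions, initiators = 0, 0, []
    for _ in range(cycles):
        t_head = head.trigger(sa_start)
        t_branch = branch.trigger(sa_start)
        # The earlier timer starts the exchange; the other peer collides
        # only if its own timer fires before that exchange completes.
        if abs(t_head - t_branch) < exchange_window:
            collisions += 1
            initiators.append("both")
        else:
            initiators.append("HO" if t_head < t_branch else "BO")
        # The replacement SA starts when the first rekey was triggered.
        sa_start = min(t_head, t_branch)
    return {"collisions": collisions, "initiators": initiators}


# Same profile on both ends: identical timers, so every rekey collides.
SHARED = RekeyProfile("IKEv2 default (both ends)", lifetime=3600, margin=540)
# Dedicated HO/BO profiles with staggered margins: the branch always
# initiates first, so the head office never races it.
HEAD_OFFICE = RekeyProfile("Head office (IKEv2)", lifetime=3600, margin=300)
BRANCH_OFFICE = RekeyProfile("Branch office (IKEv2)", lifetime=3600, margin=600)

if __name__ == "__main__":
    print(simulate_rekeys(SHARED, SHARED, cycles=5))
    print(simulate_rekeys(HEAD_OFFICE, BRANCH_OFFICE, cycles=5))
```

The model ignores the random jitter real IKE daemons add to rekey timers, so it shows the worst case rather than the observed frequency.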
I used the default IKEv1 on both sides and it was stable until 19.5.
So I will switch to IKEv2 and see.
Thanks for the reply; there is no issue if you keep using the IKEv1 policy in v19.5.
We may need to get this investigated; if you have already opened a support case, let me know the case ID.
If you can open support access to both your devices and PM me the access IDs, I can get this investigated by our engineering team.
Sorry for hijacking this thread a bit, but since my firewalls don't have the 19.5 yet could someone just share screenshots of the HO/BO IKEv2 policies?
Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Sometimes I post some useful tips on my blog, see blog.pijnappels.eu/category/sophos/ for Sophos related posts.
Hey apijnappels, here is the screenshot; also check the TIP on the bottom right for the DPD settings:
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
I changed the S2S to IKEv2 using the default HO/BO values.
It cost me a few nerves, because the firewall was down for a few minutes.