New S2S can't connect

MO: XGS136/SFOS v19.5.2. Not in production yet, setting up to replace production firewall.

BO: XG115/SFOS v19.5.2. In production.

MO & BO have had an IPSec S2S running for a long time with the MO production firewall.

The MO XGS that will replace the MO firewall is on a separate WAN IP & LAN IP from the production firewall, and I'm using that to get the BO S2S's set up ahead of migration to the XGS.

MO & BO are using identical IPSec Policies on the production firewall, and to simplify migration, I've used the same Policies and PSKs. At the BO, I cloned the old S2S to create the new S2S, changing only the remote WAN IP.

Another BO with an XG115 is working fine. But this one can't connect.

Old S2S disabled during testing. BO initiates on the new S2S. When I review the VPN Logs for both firewalls, I don't see any connection attempts. When I look at a packet capture at the BO, I see every inbound and outbound IKE UDP/500 packet is denied ("Rule 0").

I disabled and re-enabled the new S2S but there was no change.

Why would the BO firewall be denying IKE for an enabled S2S and how can I fix it? I guess I can create a custom firewall rule for it, but should I need to? Never needed one before.

[edited by: Erick Jan at 12:18 AM (GMT -7) on 25 May 2023]