
IPSec Site to Site VPN Disconnection

Hello,

I have set up a site-to-site IPsec VPN between a Sophos XG (Responder) and a DrayTek (Initiator) router. Everything is working as it should apart from a disconnection every so often. I believe this has something to do with the re-key event that is stated in part 3 of the knowledge article below.

Sophos Firewall: Best practice for site-to-site policy-based IPsec VPN

I have kept the default key life settings on the XG (Phase 1 = 5400 and Phase 2 = 3600) and have copied them to the DrayTek side. On the XG, I have disabled "Re-key Connection" and "Dead Peer Detection". Both the XG and the DrayTek are using AES256 SHA2256 for Phase 1 and Phase 2.

I have even changed the key life on the DrayTek's side to something different to test. But I'm still getting the same disconnection errors.

Disconnection error "Name-1 - IPSec Connection Name-1 between XXX.XX.XXX.XXX and XXX.XXX.XX.XXX for Child Name-1 terminated. (Remote: XXX.XX.XXX.XXX)"

Message ID = "17802"

Any ideas?

Thank you =)



  • Hi Jason G,

    You may refer to the following KB for troubleshooting.

    Thanks and Regards

    "Sophos Partner: Networkkings Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat,

    I have already looked at those 2 links you provided. It does not address the issue I'm experiencing, and the local-id and remote-id are the same at both ends.

    To clarify the issue, the current configuration works between an XG and an XG; there are no disconnections. With the DrayTek, however, the connection is terminated after X amount of time, then re-establishes itself after X amount of time. This appears to occur throughout the day.

    I still believe this is caused by re-keying. But I've followed the recommendations as stated below.

    3. Phase 1 and phase 2 re-key shouldn't happen at same time

    On any VPN gateway, the phase 1 SA (a.k.a. IKE SA) and the phase 2 SA (a.k.a. IPsec / CHILD SA) should not be re-keyed at the same time; otherwise, the VPN will be disconnected on every phase 1 re-key.

    Phase 1 and phase 2 will be re-keyed at the same time if the phase 1 key life is divisible by the phase 2 key life, for example, a phase 1 key life of 43200 seconds and a phase 2 key life of 3600 seconds (43200 / 3600 = 12).

    No need to worry about it on the Sophos Firewall, as the Sophos Firewall provides the option of "Re-key margin", and the default setting of the phase 1 key life is fine.
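The divisibility rule quoted above, worked through as an added example (not code from the KB article or from either vendor): it checks the rule for the 43200/3600 pair from the article and the 5400/3600 defaults from the original post, and also reports the first instant at which two fixed-interval schedules fire together, since periodic re-keys coincide at every common multiple of the two intervals, not only when one divides the other. The model is a simplification and an assumption: each SA is renewed a fixed `margin` seconds before its lifetime ends with no random jitter, so how a particular firewall applies its re-key margin is not reproduced.

```python
"""Model when IKE (phase 1) and IPsec/CHILD (phase 2) re-keys coincide.

Simplified model (an assumption, not any vendor's implementation): every SA
is renewed `margin` seconds before its lifetime ends, so re-keys repeat every
(lifetime - margin) seconds counted from t = 0.  Jitter is ignored.
"""
from bisect import bisect_left
from math import gcd


def divisible_rule(p1_lifetime: int, p2_lifetime: int) -> bool:
    """The rule quoted from the KB: phase 1 key life divisible by phase 2."""
    return p1_lifetime % p2_lifetime == 0


def first_coincidence(p1_period: int, p2_period: int) -> int:
    """First instant (seconds) at which two periodic schedules fire together."""
    return p1_period * p2_period // gcd(p1_period, p2_period)


def schedule(lifetime: int, margin: int, horizon: int) -> list:
    """Re-key instants in (0, horizon] for an SA renewed `margin` s early."""
    period = lifetime - margin
    if period <= 0:
        raise ValueError("margin must be smaller than the lifetime")
    return list(range(period, horizon + 1, period))


def collisions(p1_lifetime: int, p2_lifetime: int, horizon: int,
               margin: int = 0, tolerance: int = 0) -> list:
    """Phase 1 re-key instants with a phase 2 re-key within `tolerance` s."""
    ike = schedule(p1_lifetime, margin, horizon)
    child = schedule(p2_lifetime, margin, horizon)
    hits = []
    for t in ike:
        i = bisect_left(child, t - tolerance)  # first child re-key >= t - tol
        if i < len(child) and child[i] <= t + tolerance:
            hits.append(t)
    return hits


if __name__ == "__main__":
    day = 86400
    for p1, p2 in ((43200, 3600), (5400, 3600)):  # KB example, then XG defaults
        print(f"P1={p1} P2={p2}: divisible={divisible_rule(p1, p2)}, "
              f"first coincidence={first_coincidence(p1, p2)} s, "
              f"collisions/day no margin={len(collisions(p1, p2, day))}, "
              f"with 180 s margin={len(collisions(p1, p2, day, margin=180))}")
```

With no margin the 5400/3600 defaults still coincide every 10800 s even though 5400 is not divisible by 3600; a fixed 180 s margin (used here only as a sample value) pushes the first exact coincidence of that pair beyond one day.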