IPSec Site to Site VPN Disconnection

Question

Hello, 
 I have setup a site to site IPsec VPN between a Sophos XG (Responder) & a DrayTek (Initiator) router. Everything is working as it should apart from a disconnection every so often. I believe this has something to do with the re-key event that stated in part 3 of below knowledge article. 
 Sophos Firewall: Best practice for site-to-site policy-based IPsec VPN 
 I have kept the default key life setting on the XG. Phase 1 = 5400 & Phase 2 = 3600 and have copied to the DrayTek's side. On the XG, I have disabled "Re-key Connection" & "Dead Peer Detection". Both XG and DrayTek are using AES256 SHA2256 for Phase 1 and Phase 2. 
 I have even changed the key life on the DrayTek's side to something different to test. But I'm still getting the same disconnection errors. 
 Disconnection error "Name -1 - IPSec Connection Name-1 between XXX.XX.XXX.XXX and XXX.XXX.XX.XXX for Child Name-1 terminated. (Remote: XXX.XX.XXX.XXX)" 
 Message ID = "17802" 
 Any ideas? 
 Thank you =)

Bharat J · Answer

Hi Jason G 
 You may refer to the following KB for troubleshooting 
 
 Sophos Firewall: Troubleshooting site-to-site IPsec VPN issues and https://www.draytek.com/support/knowledge-base/5201 
 Check with local-id and remote-id if not added to the IPSec VPN Policy and check it is same on both the devices 
 Make sure you are working on the latest firmware version of Sophos as well as DrayTek router. 
 Change Sophos XG (Initiator ) & a DrayTek (Responder) router might help 
 
 Thanks and Regards

Sreenivasulu Naidu · Answer

Re-key connection on Respnder node is generally not recommended to ensure only Initiator does the rekey. 
 Jason G , I would like to see the logs on Dreytek and SFOS when the issue happens. The configs you posted on Dreytek and SFOS looks good to me; also, you mentioned Phase1 and Phase2 key values are higher than the values used on Dreytek - this is recommeded.

IPSec Site to Site VPN Disconnection

Top Replies