Multiple IPSEC Tunnels with Combination of RSA and Preshared Keys.

Hi ywillie Thank you for reaching out to the Sophos community team, Without reviewing the logs it would be bit difficult to confirm why 3-4 sites tunnels not coming up with firewall reboot, reviewing the logs will help to conclude the issue and to confirm solution in a better way.

Sophos Firewall: Troubleshooting site to site IPsec VPN issues
community.sophos.com/.../sophos-firewall-troubleshooting-site-to-site-ipsec-vpn-issues

However if you suspect an issue is due to 1 same PSK being used and due to that reason you are thinking to switch those few problematic tunnels from PSK to RSA method then from SF OS V20, there are IPsec Enhancements that support unique PSK support for the same local and remote gateway connections.

For more info release note of V20 - community.sophos.com/.../sophos-firewall-v20-is-now-available

So far i tried the rsa method and i got this error. Same.. Tunnel would refuse to go up.

2024-01-03 02:29:04Z 25[NET] <555944> received packet: from 65.39.20.15[500] to 103.126.16.11[500] (256 bytes)
2024-01-03 02:29:04Z 25[ENC] <555944> parsed ID_PROT request 0 [ SA V V V V V V V V V ]
2024-01-03 02:29:04Z 25[IKE] <555944> received strongSwan vendor ID
2024-01-03 02:29:04Z 25[IKE] <555944> received Cisco Unity vendor ID
2024-01-03 02:29:04Z 25[IKE] <555944> received XAuth vendor ID
2024-01-03 02:29:04Z 25[IKE] <555944> received DPD vendor ID
2024-01-03 02:29:04Z 25[IKE] <555944> received NAT-T (RFC 3947) vendor ID
2024-01-03 02:29:04Z 25[IKE] <555944> received draft-ietf-ipsec-nat-t-ike-03 vendor ID
2024-01-03 02:29:04Z 25[IKE] <555944> received draft-ietf-ipsec-nat-t-ike-02 vendor ID
2024-01-03 02:29:04Z 25[IKE] <555944> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
2024-01-03 02:29:04Z 25[IKE] <555944> received draft-ietf-ipsec-nat-t-ike-00 vendor ID
2024-01-03 02:29:04Z 25[IKE] <555944> 60.49.40.10 is initiating a Main Mode IKE_SA
2024-01-03 02:29:04Z 25[CFG] <555944> received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
2024-01-03 02:29:04Z 25[CFG] <555944> configured proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048, IKE:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_XCBC/PRF_AES128_CMAC/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/MODP_3072/MODP_4096/MODP_8192/MODP_2048
2024-01-03 02:29:04Z 25[IKE] <555944> no proposal found
2024-01-03 02:29:04Z 25[ENC] <555944> generating INFORMATIONAL_V1 request 3319343756 [ N(NO_PROP) ]
2024-01-03 02:29:04Z 25[NET] <555944> sending packet: from 103.126.16.11[500] to 65.39.20.15[500] (56 bytes)

The problem appears to be a mismatch between Phase 1 acceptable proposals between the two peers.

Encryption, Authentication, and DH group must match in order for the VPN to come up, peer IP must also match.

You have to investigate the configuration on both peers and make sure they match the settings. If they match the settings, the remote peer administrator has to investigate the problem on his side, since the remote firewall is refusing the connection.

hi. All authentication, encryption and DH group are matching over both side.
The issue lies with initiator is on a dynamic wan ip.
Responder is only responding to * 
Initiator is sending the request over to responder but somehow responder is confuse and does not know which responder to look at since i have dozens of intiators using dynamic ip.
This problem doesn't exist back in v17 and v18. It becomes a nightmare after v18.
I'm getting really frustrating over this.

may we know the current active firmware on the appliance ?

It's version SFOS 19.5.3 MR-3-Build652 . I'm really frustrated and upset over how sophos rolls out their latest firmware without considering the bugs that are in place. Each firmware put us more in trouble then with ease to setup.
We reach out to support, it routes us back to our vendor. And the irony thing about some vendors are not even properly trained to respond to such bugs. Because sophos wasn't even constantly engaging their vendors to ensure that they are equiped with the latest knowledge and known bugs solution to support customers.
Sophos is doing is simply one dimensional. Call that a cybersecurity solution experts. That's seriously rubbish.

I have to say these ipsec tunnels are no longer feasible with sophos constantly pounding in new firmwares that plague it with more issues. My only last effort is to ditch firewall entirely and look into ztna solution. 

If you are able to use dyndns names, you could use those instead of * as peer. Dyndns doesn't have to break the bank and it seems it will get you rid of all your current trouble.

If you are able to use dyndns names, you could use those instead of * as peer. Dyndns doesn't have to break the bank and it seems it will get you rid of all your current trouble.