

IPSec site-to-site Reauthentication

How do I enable reauthentication for site-to-site IPSec connections ?

Sophos XGS3100, SFOS 19.5.3 MR-3-Build652



  • Hi osterhagen,

    Thank you for reaching out to Sophos Community.

    To verify, are you trying to re-establish the IPsec VPN? Have you tried to disconnect and then reconnect the Tunnel?

    Erick Jan
    Community Support Engineer | Sophos Technical Support


  • Thank you for the response.

    I think I need to elaborate the situation a bit more.

    I am initiating the connection to a remote (not under my administration) Endian firewall.

    My key-lifetime is much lower than the responders. The tunnel is working fine. Rekeying works fine.

    When the peer reaches its key lifetime it disconnects the tunnel, forcing a reconnect.

    I am assuming (based on laboratory testing) that the peer wants reauthentication. But I don't see any AUTH_LIFETIME in my logs, as opposed to my test setup.

    I guess that's the main issue.

    I was hoping there is an "easy" way to set reauth=yes in my configuration files to prevent this disconnect.

    Furthermore, when the peer disconnects, it is initiating a connection too (which would be fine on its own), but not "correctly". The Endian firewall is using a "multi-selector" configuration, somewhat explained here: https://my.f5.com/manage/s/article/K96223265.

    But Sophos doesn't seem to understand that and only connects one part of the tunnel, resulting in a non working setup.

  • Why not set your key-lifetime for the tunnel to the same value as the peer's?


  • Could you show us your current IPsec Profile for Encryption you use?


  • I find 1800 sec for the Phase 2 key lifetime a short amount of time. Is this a requirement by the peer?


  • Hi osterhagen

    Sophos Firewall only supports time-based rekeying. If you configured traffic-based rekeying on the third-party remote firewall, change it to time-based rekeying.

    • Set the initiator's phase 1 and phase 2 key life values lower than the responder's.
    • Set the phase 2 key life lower than the phase 1 value in both firewalls.

    Example values are as follows:

    Key life    Firewall 1       Firewall 2
    Phase 1     12600 seconds    10800 seconds
    Phase 2     5400 seconds     3600 seconds

    Regards

    "Sophos Partner: Networkkings Pvt Ltd".

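As an added illustration, not the poster's configuration and not a file from Sophos Firewall or Endian, here is a strongSwan swanctl.conf fragment for the initiator side that applies the lifetime rules given above (initiator Phase 1 and Phase 2 below the responder's, Phase 2 below Phase 1) and shows where IKE re-authentication is configured, since the thread talks about reauth=yes (the older ipsec.conf spelling). Connection names, identities and addresses are constructed for the example.

```conf
# swanctl.conf fragment, INITIATOR side (constructed example, not a vendor file)
connections {
    site-to-site {
        local_addrs  = 198.51.100.10       # constructed example addresses
        remote_addrs = 203.0.113.20
        version      = 2                   # IKEv2
        proposals    = aes256-sha256-modp2048

        # Phase 1 (IKE SA) key life. Kept BELOW the responder's 12600 s so the
        # initiator, not the peer, drives the renewal and no side tears the
        # tunnel down first.
        rekey_time  = 10800s

        # Re-authentication: instead of an in-place CREATE_CHILD_SA rekey, the
        # IKE SA is rebuilt from scratch with IKE_AUTH. 0 = disabled (plain
        # rekeying only). A responder that insists on it advertises its limit
        # in an AUTH_LIFETIME notify, which is what the poster looked for in
        # the logs. Set a value only if the peer requires it.
        reauth_time = 0s

        local  { auth = psk; id = fw-initiator }   # constructed identities
        remote { auth = psk; id = fw-responder }

        children {
            lan-to-lan {
                # Several subnets as selectors of ONE CHILD_SA, rather than one
                # child per subnet (the "multi-selector" shape the thread
                # mentions); the peer must agree to the same layout.
                local_ts  = 10.1.0.0/24, 10.2.0.0/24
                remote_ts = 192.168.10.0/24

                # Phase 2 (CHILD SA) key life: below this side's Phase 1
                # (10800 s) and below the responder's Phase 2 (5400 s).
                rekey_time    = 3600s
                esp_proposals = aes256-sha256-modp2048

                start_action = start       # bring the tunnel up as initiator
                dpd_action   = restart     # re-initiate if the peer goes silent
            }
        }
    }
}
```

The responder would carry the larger values from the table (12600 s / 5400 s); if the peer really sends AUTH_LIFETIME, the initiator re-authenticates before that deadline regardless of its own reauth_time.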