How do I enable reauthentication for site-to-site IPSec connections?
Sophos XGS3100, SFOS 19.5.3 MR-3-Build652
Thank you for the response.
I think I need to elaborate the situation a bit more.
I am initiating the connection to a remote (not under my administration) Endian firewall.
My key lifetime is much lower than the responder's. The tunnel is working fine. Rekeying works fine.
When the peer reaches its key lifetime it disconnects the tunnel, forcing a reconnect.
I am assuming (based on laboratory testing) that the peer wants reauthentication. But I don't see any AUTH_LIFETIME in my logs, as opposed to my test setup.
I guess that's the main issue.
I was hoping there is an "easy" way to set reauth=yes in my configuration files to prevent this disconnect.
Furthermore, when the peer disconnects, it is initiating a connection too (which would be fine on its own), but not "correctly". The Endian firewall is using a "multi-selector" configuration, somewhat explained here: https://my.f5.com/manage/s/article/K96223265.
But Sophos doesn't seem to understand that and only connects one part of the tunnel, resulting in a non-working setup.
Why not set your key lifetime for the tunnel to the same value as the peer's?
Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Could you show us your current IPsec Profile for Encryption you use?
I find 1800 sec for the Phase 2 key lifetime a short amount of time. Is this a requirement by the peer?
Hi osterhagen
Sophos Firewall only supports time-based rekeying. If you configured traffic-based rekeying on the third-party remote firewall, change it to time-based rekeying.
Example values are as follows:
| Key life | Firewall 1 | Firewall 2 |
|---|---|---|
| Phase 1 | 12600 seconds | 10800 seconds |
| Phase 2 | 5400 seconds | 3600 seconds |
Regards
"Sophos Partner: Networkkings Pvt Ltd".
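To make the distinction the thread turns on concrete (rekeying vs. reauthentication, time-based rekeying only, and several traffic selectors in one Child SA), here is an added strongSwan swanctl.conf fragment. It is example configuration written for this thread, not Sophos Firewall configuration or anything the poster or Sophos provided; addresses, identities and the PSK are placeholders, and the lifetimes are the Firewall 1 values from the table above.

```conf
# Added example (strongSwan swanctl.conf syntax), not SFOS configuration.
connections {
    site-to-site {
        version = 2                         # IKEv2
        local_addrs  = 198.51.100.1         # placeholder: our WAN address
        remote_addrs = 203.0.113.1          # placeholder: peer WAN address
        proposals = aes256-sha256-modp2048

        # IKE_SA (Phase 1) lifetime from the table: 12600 s.
        # rekey_time only derives new keys; the peer is NOT re-authenticated.
        rekey_time  = 12600s
        # reauth_time is the swanctl equivalent of ipsec.conf "reauth=yes":
        # the IKE_SA is torn down and re-created with a fresh authentication.
        # 0s disables it; set it to a value (e.g. 12600s) instead of
        # rekey_time if the peer expects periodic reauthentication.
        reauth_time = 0s
        over_time   = 10%                   # grace period before hard expiry

        local {
            auth = psk
            id = fw1.example.com            # placeholder IKE identity
        }
        remote {
            auth = psk
            id = fw2.example.com            # placeholder IKE identity
        }

        children {
            lan {
                # "Multi-selector": several subnets in ONE Child SA,
                # as the Endian side does. A peer that only installs
                # one selector ends up with a partially working tunnel.
                local_ts  = 10.1.0.0/24,10.2.0.0/24       # placeholder LANs
                remote_ts = 192.168.10.0/24,192.168.20.0/24
                esp_proposals = aes256-sha256

                # Child SA (Phase 2) lifetime from the table: 5400 s.
                rekey_time    = 5400s
                life_time     = 5940s       # hard limit, must exceed rekey_time
                # Time-based rekeying only (matches what SFOS supports):
                rekey_bytes   = 0
                rekey_packets = 0
                start_action  = start       # we are the initiator
            }
        }
    }
}

secrets {
    ike-fw2 {
        id = fw2.example.com
        secret = "PLACEHOLDER_PSK"          # placeholder, not a real key
    }
}
```

Whichever side has the shorter lifetime initiates the rekey (or reauthentication), so the two sides do not need identical values, only values whose type (time vs. volume) both peers support.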