Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall

Discussions IPSec site-to-site Reauthentication

Sophos Firewall requires membership for participation - click to join

Thread Info

State Suggested Answer
Locked Locked
Replies 8 replies
Answers 1 answer
Subscribers 42 subscribers
Views 2870 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec site-to-site Reauthentication

osterhagen 10 months ago

How do I enable reauthentication for site-to-site IPSec connections ?

Sophos XGS3100, SFOS 19.5.3 MR-3-Build652

This thread was automatically locked due to age.

Top Replies

Bharat J 9 months ago in reply to osterhagen +1 suggested

Hi osterhagen Sophos Firewall only supports time-based rekeying. If you configured traffic-based rekeying on the third-party remote firewall, change it to time-based rekeying. Set the initiator's…

Parents

0 osterhagen 10 months ago

Thank you for the response.

I think I need to elaborate the situation a bit more.

I am initiating the connection to a remote (not under my administration) Endian firewall.

My key-lifetime is much lower than the responders. The tunnel is working fine. Rekeying works fine.

When the peer reaches its key lifetime it disconnects the tunnel, forcing a reconnect.

I am assuming (based on laboraty testing) that the peer wants reauthentication. But I don't see any AUTH_LIFETIME in my logs, as opposed to my test setup.

I guess that's the main issue.

I was hoping there is an "easy" way to set reauth=yes in my configuration files to prevent this disconnect.

Furthermore, when the peer disconnects, it is initiating a connection too (which would be fine on it's own), but not "correctly". The Endian firewall is using "multi-selector" configuration, somewhat explained here: https://my.f5.com/manage/s/article/K96223265.

But Sophos doesn't seem to understand that and only connects one part of the tunnel, resulting in a non working setup.
Cancel
Vote Up 0 Vote Down

Cancel
0 apijnappels 10 months ago in reply to osterhagen

Why not set your key-lifetime for the tunnel to same size as peers?

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 apijnappels 10 months ago in reply to osterhagen

Why not set your key-lifetime for the tunnel to same size as peers?

Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data