Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec site-to-site Reauthentication

How do I enable reauthentication for site-to-site IPSec connections ?

Sophos XGS3100, SFOS 19.5.3 MR-3-Build652



This thread was automatically locked due to age.
Parents
  • Thank you for the response.

    I think I need to elaborate the situation a bit more.

    I am initiating the connection to a remote (not under my administration) Endian firewall.

    My key-lifetime is much lower than the responders. The tunnel is working fine. Rekeying works fine.

    When the peer reaches its key lifetime it disconnects the tunnel, forcing a reconnect.

    I am assuming (based on laboraty testing) that the peer wants reauthentication. But I don't see any AUTH_LIFETIME in my logs, as opposed to my test setup.

    I guess that's the main issue.

    I was hoping there is an "easy" way to set reauth=yes in my configuration files to prevent this disconnect.

    Furthermore, when the peer disconnects, it is initiating a connection too (which would be fine on it's own), but not "correctly". The Endian firewall is using "multi-selector" configuration, somewhat explained here: https://my.f5.com/manage/s/article/K96223265.

    But Sophos doesn't seem to understand that and only connects one part of the tunnel, resulting in a non working setup.

  • Could you show us your current IPsec Profile for Encryption you use?

    __________________________________________________________________________________________________________________

  • i find 1800 sec for the Phase2 key lifetime a short amount of time? Is this a requirement by the peer? 

    __________________________________________________________________________________________________________________

Reply Children
No Data