Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 2 answers
  • Subscribers 39 subscribers
  • Views 2199 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XGS IPSEC PSK and remote ID issue

admin_idl

Hello, we have set up several Policy Based IPSEc tunnels. These have different remote gateways, but some of them have the same remote IDs. Some connections crash after a certain time. Could this be due to the PSK in conjunction with the remote ID? As soon as I enter this again and save the connection, this connection can be used again.

The connection terminates as soon as the key lifetime is reached. Would it be possible to work with a DNS name instead of an IP address as the remote ID?

Thank you very much



This thread was automatically locked due to age.
  • 0

    Hi,

    * What are the SFOS versions being used?

    * Are these connections IKEv1 or V2?

    * what do you mean by "connections crash" ? - are they going down?

    * what are the rekey timers being used on Initiator and responder SFOS nodes? we recommend to use well separated Phase1, Phase2 rekey times between Initiator and Responder and keep initiator timers smaller than responder's timers.

    * Are you using * in the remote gateway filed when the tunnel is of responder type?

    ID (local or remote) can have DNS name, ID field when configured will only work for IKEv2 type of tunnels.

  • 0

    Hi,

    Thank you for reaching out to Sophos Community.

    Using DNS instead of IP address as a remote ID is possible. 

    Also, what are the error logs you are encountering?

    Erick Jan
    Community Support Engineer | Sophos Technical Support
    Sophos Support Videos Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

  • 0 in reply to Sreenivasulu Naidu

    Hello, 

    SFOS 20.0.0 is used. The connections are IKEv1.
    By "connection crahs" I mean that the connections go down and no longer work. After saving them again, the connections work again.

    The counterpart are Fortigate firewalls.

    Phase 1 Key lifetime: 7800
    Re-Key margin: 360

    Phase 2:
    Key life: 3600

    we do not use * in the connections. What do you mean by "ID field when configured will only work for IKEv2 type of tunnels"?

  • 0 in reply to Erick Jan

    We are getting this error.


    2024-07-16 08:12:22Z 30[NET] <923713> received packet: from 
    2024-07-16 08:12:22Z 30[ENC] <923713> invalid ID_V1 payload length, decryption failed?
    2024-07-16 08:12:22Z 30[ENC] <923713> could not decrypt payloads
    2024-07-16 08:12:22Z 30[IKE] <923713> message parsing failed
    2024-07-16 08:12:22Z 30[ENC] <923713> generating INFORMATIONAL_V1 request 3225514557 [ HASH N(PLD_MAL) ]
    2024-07-16 08:12:22Z 30[IKE] <923713> ID_PROT request with message ID 0 processing failed

  • 0 in reply to admin_idl

    The error log shown suggests that there is authentication issue. Possibly hitting PSK overwritten issue as the tunnels come up first time and fails to come up during rekey.

    Either remove local id/remote id configs on all the Ipsec gateways or switch to IKEv2 to make use of ID fields during authentication.

    Ipsec gateways with ikev1 uses only local and remote gw IP addresses for PSK authentication; it means, even if local-id or remote-id fields are configured, they will not be used during Authentication; Reason: Peer IDs are not known to Ipsec gw during Authentication, it comes later.

    Also, ensure the I mentioned about phase1/phase2 timers should be less on Initiator (is SFOS initiator or responder ?) compared to  Responder? This is to ensure Initiator having control on the rekey behaviour; this will not cause any Authentication issue, but a recommended config.

    Go through the IPSec best practices documentation available on web and follow those suggestions.

Unfiltered HTML