Sophos XGS IPSEC PSK and remote ID issue

Question

Hello, we have set up several Policy Based IPSEc tunnels. These have different remote gateways, but some of them have the same remote IDs. Some connections crash after a certain time. Could this be due to the PSK in conjunction with the remote ID? As soon as I enter this again and save the connection, this connection can be used again. 
 The connection terminates as soon as the key lifetime is reached. Would it be possible to work with a DNS name instead of an IP address as the remote ID? 
 Thank you very much

Sreenivasulu Naidu · Answer

The error log shown suggests that there is authentication issue. Possibly hitting PSK overwritten issue as the tunnels come up first time and fails to come up during rekey. 
 Either remove local id/remote id configs on all the Ipsec gateways or switch to IKEv2 to make use of ID fields during authentication. 
 Ipsec gateways with ikev1 uses only local and remote gw IP addresses for PSK authentication; it means, even if local-id or remote-id fields are configured, they will not be used during Authentication; Reason: Peer IDs are not known to Ipsec gw during Authentication, it comes later. 
 Also, ensure the I mentioned about phase1/phase2 timers should be less on Initiator (is SFOS initiator or responder ?) compared to Responder? This is to ensure Initiator having control on the rekey behaviour; this will not cause any Authentication issue, but a recommended config. 
 Go through the IPSec best practices documentation available on web and follow those suggestions.

Erick Jan · Answer

Hi, 
 Thank you for reaching out to Sophos Community. 
 Using DNS instead of IP address as a remote ID is possible. 
 
 IPsec (remote access) settings 
 
 Also, what are the error logs you are encountering? 
 
 Log Details

Sophos XGS IPSEC PSK and remote ID issue

Top Replies