Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos XGS IPSEC PSK and remote ID issue

Hello, we have set up several Policy Based IPSEc tunnels. These have different remote gateways, but some of them have the same remote IDs. Some connections crash after a certain time. Could this be due to the PSK in conjunction with the remote ID? As soon as I enter this again and save the connection, this connection can be used again.

The connection terminates as soon as the key lifetime is reached. Would it be possible to work with a DNS name instead of an IP address as the remote ID?

Thank you very much



This thread was automatically locked due to age.
Parents Reply
  • We are getting this error.


    2024-07-16 08:12:22Z 30[NET] <923713> received packet: from 
    2024-07-16 08:12:22Z 30[ENC] <923713> invalid ID_V1 payload length, decryption failed?
    2024-07-16 08:12:22Z 30[ENC] <923713> could not decrypt payloads
    2024-07-16 08:12:22Z 30[IKE] <923713> message parsing failed
    2024-07-16 08:12:22Z 30[ENC] <923713> generating INFORMATIONAL_V1 request 3225514557 [ HASH N(PLD_MAL) ]
    2024-07-16 08:12:22Z 30[IKE] <923713> ID_PROT request with message ID 0 processing failed

Children
  • The error log shown suggests that there is authentication issue. Possibly hitting PSK overwritten issue as the tunnels come up first time and fails to come up during rekey.

    Either remove local id/remote id configs on all the Ipsec gateways or switch to IKEv2 to make use of ID fields during authentication.

    Ipsec gateways with ikev1 uses only local and remote gw IP addresses for PSK authentication; it means, even if local-id or remote-id fields are configured, they will not be used during Authentication; Reason: Peer IDs are not known to Ipsec gw during Authentication, it comes later.

    Also, ensure the I mentioned about phase1/phase2 timers should be less on Initiator (is SFOS initiator or responder ?) compared to  Responder? This is to ensure Initiator having control on the rekey behaviour; this will not cause any Authentication issue, but a recommended config.

    Go through the IPSec best practices documentation available on web and follow those suggestions.