
Sophos XGS IPSEC PSK and remote ID issue

Hello, we have set up several policy-based IPsec tunnels. These have different remote gateways, but some of them have the same remote IDs. Some connections crash after a certain time. Could this be due to the PSK in conjunction with the remote ID? As soon as I enter this again and save the connection, this connection can be used again.

The connection terminates as soon as the key lifetime is reached. Would it be possible to work with a DNS name instead of an IP address as the remote ID?

Thank you very much

[edited by: Erick Jan at 7:57 AM (GMT -7) on 16 Jul 2024]

  • Hi,

    Thank you for reaching out to Sophos Community.

    Using a DNS name instead of an IP address as the remote ID is possible.

    Also, what are the error logs you are encountering?

    Erick Jan
    Community Support Engineer | Sophos Technical Support

  • We are getting this error.

    2024-07-16 08:12:22Z 30[NET] <923713> received packet: from 
    2024-07-16 08:12:22Z 30[ENC] <923713> invalid ID_V1 payload length, decryption failed?
    2024-07-16 08:12:22Z 30[ENC] <923713> could not decrypt payloads
    2024-07-16 08:12:22Z 30[IKE] <923713> message parsing failed
    2024-07-16 08:12:22Z 30[ENC] <923713> generating INFORMATIONAL_V1 request 3225514557 [ HASH N(PLD_MAL) ]
    2024-07-16 08:12:22Z 30[IKE] <923713> ID_PROT request with message ID 0 processing failed

  • The error log shown suggests that there is an authentication issue. Possibly hitting the PSK overwritten issue, as the tunnels come up the first time and fail to come up during rekey.

    Either remove the local ID/remote ID configs on all the IPsec gateways, or switch to IKEv2 to make use of the ID fields during authentication.

    IPsec gateways with IKEv1 use only the local and remote gateway IP addresses for PSK authentication; it means that even if local-ID or remote-ID fields are configured, they will not be used during authentication. Reason: peer IDs are not known to the IPsec gateway during authentication; they come later.

    Also, ensure, as I mentioned, that the phase 1/phase 2 timers are lower on the Initiator (is SFOS the initiator or the responder?) compared to the Responder. This is to ensure the Initiator has control over the rekey behaviour; this will not cause any authentication issue, but it is a recommended config.

    Go through the IPsec best practices documentation available on the web and follow those suggestions.
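
The behaviour described in the reply above (IKEv1 main mode selecting the PSK by peer IP only, remote IDs being ignored, and the initiator/responder lifetime ordering), as an added example that is not from the thread or from SFOS: a toy PSK lookup plus a small config linter. The Tunnel fields, `select_psk_ikev1()` and `lint()` are assumptions of this example, and the tunnel records are constructed.

```python
# Added example, not from the thread: a toy model of how an IKEv1 main-mode
# responder picks the PSK, plus a linter for the pitfalls the reply describes.
# Tunnel, select_psk_ikev1 and lint are assumptions of this example, not SFOS APIs.
from dataclasses import dataclass

@dataclass
class Tunnel:
    name: str
    ike_version: int         # 1 or 2
    remote_gateway: str      # peer IP address
    remote_id: str           # configured remote ID (IP, FQDN, ...)
    psk: str
    initiator_lifetime: int  # phase 1 lifetime (s) on our side
    peer_lifetime: int       # phase 1 lifetime (s) configured on the peer

def select_psk_ikev1(tunnels, peer_ip, peer_id=None):
    """IKEv1 main mode with PSK must choose the key before the peer's ID
    payload can be decrypted, so only the source IP is available for the
    lookup. peer_id is accepted only to show it cannot affect the result."""
    for t in tunnels:
        if t.ike_version == 1 and t.remote_gateway == peer_ip:
            return t.psk
    return None

def lint(tunnels):
    findings = []
    by_id = {}
    for t in tunnels:
        # IKEv1 ignores a remote ID that differs from the gateway address.
        if t.ike_version == 1 and t.remote_id != t.remote_gateway:
            findings.append(f"{t.name}: IKEv1 ignores remote ID {t.remote_id!r}; "
                            "only the peer IP is used for PSK authentication")
        # Initiator should rekey first, so its lifetime must be the shorter one.
        if t.initiator_lifetime >= t.peer_lifetime:
            findings.append(f"{t.name}: initiator lifetime {t.initiator_lifetime}s "
                            f"is not shorter than the peer's {t.peer_lifetime}s")
        by_id.setdefault(t.remote_id, set()).add(t.psk)
    # A remote ID shared by tunnels with different PSKs: one key may overwrite another at rekey.
    for rid, keys in by_id.items():
        if len(keys) > 1:
            findings.append(f"remote ID {rid!r} is shared by tunnels with "
                            f"{len(keys)} different PSKs")
    return findings

SAMPLE = [  # constructed sample config using documentation-range addresses
    Tunnel("branch-a", 1, "198.51.100.10", "vpn.example.net", "key-a", 28800, 28800),
    Tunnel("branch-b", 1, "198.51.100.20", "vpn.example.net", "key-b", 21600, 28800),
    Tunnel("branch-c", 2, "203.0.113.5", "203.0.113.5", "key-c", 21600, 28800),
]
```

Running `lint(SAMPLE)` flags both IKEv1 tunnels for relying on a remote ID, the shared remote ID with two different PSKs, and branch-a's equal lifetimes; `select_psk_ikev1` returns the same key for a peer IP whatever ID is passed.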
