Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 1 reply
  • Answers 1 answer
  • Subscribers 39 subscribers
  • Views 1327 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec site to site vpn, one tunnel goes down frequently

Lennart Johansson

Hi,

I have a Sophos XGS107 (SFOS 20.0.1 MR-1-Build342) setup with Site to Site vpn to a Mikrotik router.

There is 4 vpn tunnels (or separate address pairs), It mostly works fine, but every other day one tunnel goes down. If I check in webgui >> site to site vpn, active is green and most of the time connection is green. But if I check in "i" then one address pair is yellow and no traffic pass.

I have 3 Sophos UTM 9 with the exact same setup to same Mikrotik Router, and they never goes down.

The only error message I see is

First,

IPSec Terminated  Couldn't parse IKE message from x.x.x.93[500]. Check the debug logs.

Then

IPSec Failed  IPSec_VPN_-1 - Couldn't parse IKE message from x.x.x.93[500]. Check the debug logs. (Remote: x.x.x.93)

Perhaps the setup is a bit daft, behind the Sophos SGX thereare 4 networks, 1 local lan and 3 remote lans the is connected on a separate link..

Users on the local lan needs to connect to a server behind the Mikrotik router and the server behind the Mikrotik router need to connect to servers on the remote lans behind the Sophos FW.

Should I have two separate vpn tunnels, one with the sophos as remote office and one with sophos as Head office? Just related to who initiate the traffic

I do think it should work anyway.

It's setup with following settings

Policy settings



This thread was automatically locked due to age.
  • 0

    Hi @Lennart Johansson, Most likely the log - 'Couldn't parse IKE message from' is seen due to mismatched PSKs. This will usually occur when there are multiple responder tunnels configured with '*' (star notation) in the remote gateway filed as it overrides the PSK of earlier configured tunnels with the latest tunnel's psk and authentication fails for the earlier configured tunnels in the next rekey time.. Is all your tunnels on SFOS set as Initiators?

    Is it possible to switch to IKEv2 (if Microtik router supports) and use local id or remote id configuration fields so that PSKs of different tunnels can be different.

    Or try with keeping the PSKs same for all the tunnels. Let us know if this helps.

Unfiltered HTML