VPN with Drayteks constant disconnects

Hi Andrej,

Thank you for reaching out to Sophos Community.

Kindly check the following similar post 

community.sophos.com/.../site-to-site-vpn-problem-invalid-spi

Hi again,

two days later still weird problems on VPN.

The packets dropping was an issue on XGS, it was port failure, and we replaced whole unit with new XGS.

Now the issue with IPSec VPN tunnels remains:

• Some of Site2Site IPSec VPN tunnels keep disconnecting and connecting every 1-2 minutes, while other tunnels are rock stable, not even one single disconnect. All are configured the same.
• Another problem is one server within LAN, which dials out OpenVPN tunnel by itself. It also keeps dropping every now and then. And I can see a ton of these errors in IPSec Logs. I have no idea what VPN this relates to...is it one of VPN tunels configured on Sophos, or is it the one, which only traverses it?
  

  messageid="18050" log_type="Event" log_component="IPSec" log_subtype="System" status="Deny" user="" con_name="" con_type="0" src_ip="" gw_ip="" local_network="" dst_ip="" remote_network="" additional_information="" message="Received IKE message with invalid SPI (CC85BCAE) from the remote gateway." 

  What could this be caused by?

Hi Andrej Pirman ,

Around this time of the log, could you get the /log/charon.log and see if there is any disconnect being initiated by either SFOS or Draytek and what is the possible reason for disconnect?

Take any one tunnel that is experiencing frequent disconnects, and correlate the logs on Draytek and SFOS around the disconnect time; 

Regarding timers: if you set the IPsec tunnel on Draytek as Initiator (assuming each of Dratek are Initiators aka Branches), keep the tunnel as 'Responder' (Head office) on SFOS; on Draytek use less value for Phase1 and Phase2 values in comparison with the Phase1 and Phase2 values of SFOS. This will ensure each IKE level rekey is always done by Draytek and collision of IKE rekey by Draytek and SFOS is avoided, that would cause tunnel instability/disconnects.

OpenVPN and the log you mentioned "Received IKE message with invalid SPI" are two different things and unrelated. 

You may ignore - "Received IKE message with invalid SPI" message, in case if some unknown sender tries to initiate IKE session to your SFOS and if there is no relevant config present on your SFOS, then such incoming packets are considered as invalid and gets dropped.

Hi Sreenivasulu Naidu ,

thank you for explanation! 

Yes, I have used all IKE rekey and rey expiration values lower on Sophos (Responder) and higher on Drayteks (Branch offices, initiators). By comparing logs we suspect DPD might be causing troubles, so we created test profile without DPD and will see logs tomorrow.

You should use lower phase1 rekey value on the Initiator tunnels (on Draytek) compared to responder tunnel (on SFOS); similarly phase2 rekey value.

You should use lower phase1 rekey value on the Initiator tunnels (on Draytek) compared to responder tunnel (on SFOS); similarly phase2 rekey value.

Oh, after 2 weeks we simply bought 2 new XGS routers and replaced old Drayteks. We thought problems solved....until owner of another company nearby knocked on our door when we were messing up with routers, asking, if maybe we did something to his surveilence system. 

As times matched up, and despite being absolutelly surprised, no, we cannot influence your internet, they are on different optic fibres, each has own ISP modem...but we examined situation and found out, that somehow someone in some moment in time cross-linked LAN ports on our's optical modem with our Draytek via surveilence system's swtich in their office. And there was a loop, occasional IP conflict, occasional DHCP server failure, all probably due to this loop.

At the end, we resolved the loop, rewired some cablings, and with new XGS we ended up having almost 10-fold VPN speed compared to those old Drayteks.