
Site to Site VPN Authentication on reboots - Change PSK works

I have multiple Sophos site to site VPNs back to a central router. Whenever any of the sites lose connection they all re-connect except for one.

The Sophos VPN logs show "Couldn't authenticate the local gateway. Check the authentication settings on both devices."

Every time this happens the only way to get the tunnel back is to change the PSK on both sides.

The PSK is never changing on either side.

What would cause me to need to re-create the PSK after it restarts?



[edited by: Erick Jan at 11:08 PM (GMT -7) on 22 Oct 2024]
Prior to v20 on SFOS, all IPsec (S2S - PBVPN and RBVPN and Remote Access) tunnels that have common local and remote gateways ("*" in the "remote gateway" field) should have the same PSK. Changing the PSK on any one of the connections, or configuring a new tunnel with the existing common local and remote gateways (PortX, *) and a different PSK, will overwrite the PSK of all the existing tunnels.

If your SFOS is on v20 or above and the IPsec tunnel uses IKEv2, to overcome this limitation you can use the ID fields (Local ID / Remote ID) in the IPsec config. This allows different PSKs for different tunnels when remote gateway = *. Please try this and let us know if the authentication issue resolves.
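To make the behaviour described in the reply concrete, here is an added illustration (not Sophos code; the store classes, tunnel names and PSK values are constructed for the example). It models a PSK store keyed only by the (local gateway, remote gateway) pair, where a wildcard remote gateway makes every tunnel share one slot, against a store keyed by IKEv2 Local ID / Remote ID:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    """Constructed model of one IPsec connection's authentication settings."""
    name: str
    local_gw: str
    remote_gw: str       # "*" means "any peer address"
    psk: str
    local_id: str = ""   # IKEv2 identities; empty when not configured
    remote_id: str = ""


class GatewayKeyedStore:
    """Pre-v20 behaviour per the reply: PSK selected by gateway pair only."""

    def __init__(self):
        self.secrets = {}

    def add(self, t: Tunnel) -> None:
        # Every tunnel with (PortX, "*") lands on the same key, so the
        # most recently saved PSK silently replaces the earlier ones.
        self.secrets[(t.local_gw, t.remote_gw)] = t.psk

    def lookup(self, t: Tunnel):
        return self.secrets.get((t.local_gw, t.remote_gw))


class IdKeyedStore:
    """v20+/IKEv2 behaviour per the reply: PSK selected by Local ID / Remote ID."""

    def __init__(self):
        self.secrets = {}

    def add(self, t: Tunnel) -> None:
        self.secrets[(t.local_id, t.remote_id)] = t.psk

    def lookup(self, t: Tunnel):
        return self.secrets.get((t.local_id, t.remote_id))


def authenticates(store, t: Tunnel) -> bool:
    """True only if the PSK the store hands out matches what the peer offers."""
    return store.lookup(t) == t.psk


def demo():
    # Two branches, both configured with remote gateway "*" on the hub.
    site_a = Tunnel("site-a", "Port2", "*", "psk-A", "hub", "branch-a")
    site_b = Tunnel("site-b", "Port2", "*", "psk-B", "hub", "branch-b")
    by_gw, by_id = GatewayKeyedStore(), IdKeyedStore()
    for t in (site_a, site_b):
        by_gw.add(t)
        by_id.add(t)
    return {"gw": (authenticates(by_gw, site_a), authenticates(by_gw, site_b)),
            "id": (authenticates(by_id, site_a), authenticates(by_id, site_b))}
```

In the gateway-keyed store the tunnel saved first fails after the second one is added, which matches the "one site never re-connects" symptom; the ID-keyed store authenticates both.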