
VPN established but XFRM Gateway down on both sides

This is an issue that I have seen with multiple customers. The VPN connection as a tunnel interface is established. The XFRM is configured to be non-overlapping in any sense with other IP subnets on the firewall. Even then the gateway shows down. Here is a snapshot from one of our customers' setups. Is there any solution for this? There are multiple threads on this forum about this issue, but there seems to be no answer. Has anyone been able to fix this?

  • And there is no SD-WAN route for "Internet" traffic?
    This SD-WAN route may be more powerful than a "directly connected network", and because 1.1.1.x is normally an "Internet" destination, the traffic to 1.1.1.x may be routed in the wrong direction.

    PS: Is there an additional firewall in front of the destination? I have a Cisco ASA, which drops ESP traffic since Sophos made changes within IKE (the IPsec helper/inspection didn't work any more).


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • I have tried 10.0.x.x/30 as well, but that did not help, hence I tried 1.1.1.1. No, there is no firewall ahead of this firewall. Also, the issue here is not with the routing of traffic right now; it's more about the gateway being down, due to which a fail-over rule will not work with this XFRM.
