
How do I keep my site-to-site IPsec VPN always up?

I have created an IPsec VPN between two XG firewalls with appropriate policies to get the networks talking to each other just fine. Everything works as I need it to EXCEPT... the VPN disconnects after the "Key Life" seconds time out. Initially it was set to an hour and I bumped it up to 86400 seconds (24 hours), but this is very frustrating since I need the connection to be up 100%.

Is there a magic number to get this to always be up? Or should I be using SSL or another type of VPN?



  • I think you need to look in the IPsec policy you're using. There's an option in there to make it reconnect.

    I had to do that with mine, because every time I restarted the XG it wouldn't connect to my UTM, but after I changed the policy it worked.

    I'm away from home, so I can't give you a screenshot of the setting, but I hope you will figure it out.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect


  • For the policy, the "Action When Peer Unreachable" was/is set to "Re-initiate" on both sides.

    As for the two offices; the main office VPN's "Action on VPN Restart" is set to "Respond Only".
    And the branch office is set to "Initiate".
  • After talking with Sophos support, finally, we changed the 'remote gateway' in the VPN setup to point to the IP address instead of the "name.dyndns.org" dns name.

    This may be an issue for clients that don't have static IPs.

    One thing I have not tested is changing the DNS servers. Right now they are set to the Provider's (TWC). Something to test in the future anyway.
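For readers who want to see the two fixes from this thread (the "Re-initiate" / "Initiate" vs "Respond Only" policy settings, and pointing the remote gateway at a literal IP rather than a DynDNS name) written out in a text-based IPsec configuration, here is an added strongSwan ipsec.conf pair. It is not from the posts above and is not a Sophos SFOS file; the mapping of the SFOS GUI labels to strongSwan keywords is my reading of the settings, and the hostnames, addresses, subnets, identities and lifetimes are made up for the example. The main-office side only responds and uses `right=%any` plus an identity, so a branch without a static IP can connect without the hub having to re-resolve a dynamic DNS name; the branch side initiates, never gives up, and restarts the tunnel on DPD failure or when the peer closes the SA.

```ini
# Added illustration in strongSwan ipsec.conf syntax; not the thread's
# configuration and not an SFOS file. All names and addresses are sample values.

# ---- main office: static IP 203.0.113.10, "Respond Only" ----
conn branch-office
    keyexchange=ikev2
    left=203.0.113.10
    leftid=@hq.example.net
    leftsubnet=10.10.0.0/24
    # Branch has a dynamic address: accept from any source and match on the
    # IKE identity instead of a DynDNS name that would have to be re-resolved.
    right=%any
    rightid=@branch.example.net
    rightsubnet=10.20.0.0/24
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    ikelifetime=24h
    # "Key Life" for the CHILD_SA; rekeying starts margintime before expiry so
    # traffic keeps flowing across the renewal instead of dropping at the limit.
    lifetime=1h
    margintime=9m
    rekey=yes
    # DPD: on the responder just clear the dead SA and let the branch rebuild it.
    dpddelay=30s
    dpdaction=clear
    # "Respond Only": load the connection and wait for the peer.
    auto=add

# ---- branch office: dynamic IP, "Initiate" ----
conn main-office
    keyexchange=ikev2
    left=%defaultroute
    leftid=@branch.example.net
    leftsubnet=10.20.0.0/24
    # Literal IP for the remote gateway, as in the support fix.
    right=203.0.113.10
    rightid=@hq.example.net
    rightsubnet=10.10.0.0/24
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
    ikelifetime=24h
    lifetime=1h
    margintime=9m
    rekey=yes
    # Keep retrying forever if the peer is down (e.g. during its reboot).
    keyingtries=%forever
    # "Action When Peer Unreachable: Re-initiate": DPD failure restarts the tunnel.
    dpddelay=30s
    dpdaction=restart
    # Peer deleted the SA (e.g. it restarted its VPN service): bring it back.
    closeaction=restart
    # "Initiate": bring the tunnel up when the service starts.
    auto=start
```

Two practical checks follow from this layout: the lifetimes should be the same on both ends, because a mismatch makes one side expire an SA the other side still considers valid, and exactly one end should be the initiator (`auto=start` with `dpdaction=restart`) while the other only responds, so the two sides do not race to rebuild the tunnel after a restart.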