Remote Access IPSec VPN disconnects

Question

Our Remote Access IPSec VPN is disconnecting when the IKE SA lifetime is met. 
 The IPSec policy is set to defaults (with strict policy checked) IKE SA lifetime &ndash; 7800 
 IPsec SA lifetime - 3600 Sophos IPSec Client log: 
 9/15/2017 8:21:04 PM - ERROR - 4035: IKE(phase1):Disconnect due to rekey failure. Sophos UTM IPSec log: 
 2017:09:15-20:21:02 hostname pluto[30292]: "IPSEC VPN-0"[2] 36.X.X.X:10954 #17: max number of retransmissions (2) reached STATE_XAUTH_R1 
 2017:09:15-20:21:02 hostname pluto[30292]: "IPSEC VPN-0"[2] 36.X.X.X:10954: deleting connection "IPSEC VPN-0"[2] instance with peer 36.X.X.X {isakmp=#0/ipsec=#0} 
 Is this normal behavior for an IPSec Remote Access VPN to disconnect after the IKE SA lifetime is met? At the end of the IKE SA lifetime, isn&rsquo;t it supposed to re-authenticate and compare policies? Why is it disconnecting after the IKE SA lifetime?

BAlfson · Accepted Answer

Isn't this a different issue than before? Then, the client connected, but did not reconnect after the IKE SA Lifetime expired. Here, there's no initial connection. The only thing that jumps out at me is: 
 2017:10:12-22:33:14 hostname pluto[9428]: "D_IPSEC-VPN-4"[1] 34.X.X.X:10952 #1: NAT-Traversal: Result using RFC 3947: both are NATed 
 Is the UTM is behind a NAT? If so, you will have challenges with IPsec. The only way this might work is with a preshared key. On the 'Advanced' tab, select 'Enable probing of preshared keys', 'VPN ID type: IP address' and put the public IP in 'VPN ID' instead of letting the IPsec server "sign" packets by default with the private IP of "External (Address)'. Did that work for you? 
 Cheers - Bob

BAlfson · Answer

I always prefer certs, so with AWS, I prefer SSL VPN Remote Access. For an X509 site-to-site IPsec tunnel between an instance in AWS and a UTM with a public IP, configure the AWS instance with an "Initiate connection" and the UTM with a "Respond only" Remote Gateway. 
 Cheers - Bob