We have UTM 9 and firmware version is 9.603-1. We have established a VPN connection to Azure. We have already one other connection to our branch We could not find the reason but it starts to give duplicate message problems and then the connection is dropping with Azure. It happend every 2-4 days.
2019:07:10-15:18:45 utm pluto: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
2019:07:10-15:18:45 utm pluto: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to 188.8.131.52:500
2019:07:10-15:18:45 utm pluto: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet) 2019:07:10-15:18:45 utm pluto: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to *:500
If vpn is working , there is no error message and everthing is working fine.
We are using policy based routing and we have tried to connect with Route based policy with Azure we could not connect the Azure. Microsoft says that, Route based policies are much stable compared to policay based route.
Can somebody suggest some resolution for this ? Thanks in advance.
Hi Sedat and welcome to the UTM Community!
Is the UTM behind a NAT?
Cheers - Bob
Nope sophos is connecting directly to internet and the other side is Azure Virtual network gateway and policy based connection.
This could work.
Just to be sure, i talked about this in context XG in this Thread.
Maybe this KBA needs a Update: https://community.sophos.com/kb/en-us/126995
FloSupport Could you take a look?
Thanks for your all support. I want to say some important things as I think.
1. The connection establishes and works for at least 2 days without problems. Minimum 3 days up to now. So key exchanges are working properly, maksimum 27000 seconds as you can see configuration screenshot
2. Route based VPN is not supported by UTM as far as I know. It is not written in any official document, Actually ı could nıt find for reverse but we tried there was no log about error; UTM says it is going to connection after some trials like 20 as I guess it leaves the connection but there is no real explanation in which stage the the problem is.
3. UTM is not listed in Microsoft supported VPN device list
Sophos is very responsive, they are also taking care of case. Meanwhile Any support is welcome and thanks again
Lets take a step back.
UTM does not support Route based VPN "on UTM site".
Route based VPN and Policy Based VPN are techniques to route your VPN on your device. It has literally no impact on the other site of the VPN tunnel.
SO basically you could connect a Route based VPN gateway to a UTM (Policy Based) and it perfectly work.
It is important to understand, that the IPsec SAs has to build up, and the traffic will be routed.
Azure now, has some kind of limitation.
So basically if you want to use the Route Based VPN in Azure, you have to use IKEv2, which is not supported by UTM. So you have to use the Policy based VPN method on Azure site to build up a tunnel, because policy based supports IKEv1.
Route based VPN does not have only Advantages. You would create Interface for each Tunnel.
Take a look at the bigger deployments of Route based VPNs with X.000 Tunnels.
Lucar you did very good help again. I see you are very active in everywherw.
I did not want to say UTM does not support route baded vpn. I told in limitation about my case which I am trying to connect sophos and azure with basic vpn functionality.
I eill search for x.000 tunnels , ı havrnt used for many years.
For me, getting IKEv2 support for Sophos UTM9 would really help us out but seeing traces on roadmaps of two years old and "planned" and not seeing anything concrete makes me doubt that it will still come. Sure it was stated again on a specific version but then there are rumours that it moves to next year (2020?). It's an issue for us right now and it might result in replacing our Sophos router. Not sure if we would still opt for the brand though if we proceed with that option.
I've set up a policy based VPN connection between Azure and Sophos UTM9 (our office) but we also have other sites (Amazon, other offices) that need to connect to the same VNET on Azure in the end and thats now causing me trouble in terms of what the architecture should look like.
The other sites can all use an Azure based VPN1 Gateway (Route based) type so our Sophos UTM9 is the only one that cannot leverage this option which means I have a need for at minimum two Virtual Networks since one VNET on Azure can only contain one Gateway.
So I have VNET1 -> Policy Based Gateway, VNET2 -> VPN1 Route Based Gateway and VNET3 where my application resides.
I cannot have bidirectional peering between them all. VNET peering on Azure only allows the use of one VNET that contains a gateway.
I cannot do VNET-to-VNET on the VNET where the Sophos UTM9 is connected to because the policy based Gateway on Azure allows only "one connection".
If I use VNET peering on the VNET1 (between VNET1 and VNET3) then I cannot do VNET-to-VNET between VNET2 and VNET3 because the VNET peering gets in the way of setting up the VNET-to-VNET connectivity.
A complete burden and a hassle to be honest. Replacing Sophos UTM9 by a device that can do IKEv2 would solve the above architectural challenge because then I can use one gateway and have VNET peering between that VNET and the VNET where my application resides.