We have UTM 9 and firmware version is 9.603-1. We have established a VPN connection to Azure. We have already one other connection to our branch We could not find the reason but it starts to give duplicate message problems and then the connection is dropping with Azure. It happend every 2-4 days.
2019:07:10-15:18:45 utm pluto: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
2019:07:10-15:18:45 utm pluto: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to 22.214.171.124:500
2019:07:10-15:18:45 utm pluto: "S_REF_IpsSitAzure_0" #397: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x02000000 (perhaps this is a duplicated packet) 2019:07:10-15:18:45 utm pluto: "S_REF_IpsSitAzure_0" #397: sending encrypted notification INVALID_MESSAGE_ID to *:500
If vpn is working , there is no error message and everthing is working fine.
We are using policy based routing and we have tried to connect with Route based policy with Azure we could not connect the Azure. Microsoft says that, Route based policies are much stable compared to policay based route.
Can somebody suggest some resolution for this ? Thanks in advance.
Hi Sedat and welcome to the UTM Community!
Is the UTM behind a NAT?
Cheers - Bob
Nope sophos is connecting directly to internet and the other side is Azure Virtual network gateway and policy based connection.
Lets take a step back.
UTM does not support Route based VPN "on UTM site".
Route based VPN and Policy Based VPN are techniques to route your VPN on your device. It has literally no impact on the other site of the VPN tunnel.
SO basically you could connect a Route based VPN gateway to a UTM (Policy Based) and it perfectly work.
It is important to understand, that the IPsec SAs has to build up, and the traffic will be routed.
Azure now, has some kind of limitation.
So basically if you want to use the Route Based VPN in Azure, you have to use IKEv2, which is not supported by UTM. So you have to use the Policy based VPN method on Azure site to build up a tunnel, because policy based supports IKEv1.
Route based VPN does not have only Advantages. You would create Interface for each Tunnel.
Take a look at the bigger deployments of Route based VPNs with X.000 Tunnels.
Lucar you did very good help again. I see you are very active in everywherw.
I did not want to say UTM does not support route baded vpn. I told in limitation about my case which I am trying to connect sophos and azure with basic vpn functionality.
I eill search for x.000 tunnels , ı havrnt used for many years.
For me, getting IKEv2 support for Sophos UTM9 would really help us out but seeing traces on roadmaps of two years old and "planned" and not seeing anything concrete makes me doubt that it will still come. Sure it was stated again on a specific version but then there are rumours that it moves to next year (2020?). It's an issue for us right now and it might result in replacing our Sophos router. Not sure if we would still opt for the brand though if we proceed with that option.
I've set up a policy based VPN connection between Azure and Sophos UTM9 (our office) but we also have other sites (Amazon, other offices) that need to connect to the same VNET on Azure in the end and thats now causing me trouble in terms of what the architecture should look like.
The other sites can all use an Azure based VPN1 Gateway (Route based) type so our Sophos UTM9 is the only one that cannot leverage this option which means I have a need for at minimum two Virtual Networks since one VNET on Azure can only contain one Gateway.
So I have VNET1 -> Policy Based Gateway, VNET2 -> VPN1 Route Based Gateway and VNET3 where my application resides.
I cannot have bidirectional peering between them all. VNET peering on Azure only allows the use of one VNET that contains a gateway.
I cannot do VNET-to-VNET on the VNET where the Sophos UTM9 is connected to because the policy based Gateway on Azure allows only "one connection".
If I use VNET peering on the VNET1 (between VNET1 and VNET3) then I cannot do VNET-to-VNET between VNET2 and VNET3 because the VNET peering gets in the way of setting up the VNET-to-VNET connectivity.
A complete burden and a hassle to be honest. Replacing Sophos UTM9 by a device that can do IKEv2 would solve the above architectural challenge because then I can use one gateway and have VNET peering between that VNET and the VNET where my application resides.
I tried for the sake of trying to see what happens and I could see in the log files that IKEv2 is ignored thus "not supported" and the tunnel will never get established.
The IPsec VPN log should point this out.
Policy Based connection (Basic VPN Gateway) to Azure works fine but this gives us other architectural challenges having to connect multiple sites.
Hoi Tom and welcome to the UTM Community!
I think I remember some Sophos employee comment that getting XG to do IKEv2 was more difficult than expected and resulted in postponing IKEv2 for the UTM.
That said, XG does do IKEv2 and Sophos would let you "upgrade" your UTM to XG without losing any of the time on your remaining subscriptions. You might take a look at that and ask Sophos Sales for a recommendation of a Partner that has strong experience in XG and UTM if you current reseller does not.
Please let us know what you wind up doing.
Thanks for your welcome note and feedback.
Well, the architecture I had in mind seems to be impossible due to restrictions that also exist on Azure in terms of networking so either I'll need another router or I need to leverage another route. Feedback I got from our Cloud Service Provider is that my thoughts are correct and that the architecture that I would need is currently not supported on Azure. That's unfortunate, as on Amazon AWS it would not be any problem at all.
Since we do have an Amazon AWS environment which is connected to Azure already, Route Based, I was thinking that I might, for the time being, leverage that route instead and go from our office -> Amazon AWS -> Azure. We are the hosting / support party for the customer. I don't want to have the latency on customer side, their offices should ideally be branched directly to Azure, on our side it's less of a problem as long as we can do our work properly.
By doing that I can avoid the need for two VNET's with different Virtual Network Gateways on Azure and have one hub VNET and one spoke VNET (for the moment) and use VNET peering there and keep on using our Sophus UTM9 router for the time being.
This will most likely be an interim solution as it's not ideal either and I would like to be connected also directly, with a minimal amount of latency.
Getting feedback from other SAP partners and customers, they seem to point me in the direction of Fortigate in terms of features/functions/management/security as being a preferred option for us. So far I was very happy with our Sophos UTM9 router, it was configured by a partner and the first couple of VPN tunnels were created together after which I could completely do everything on my own. It's not our core business (SAP is) so the fact that I can quickly pick it up, configure it, get it to work and go beyond "easy" configuration means something. So I don't know yet to be honest what we will do. I will look into our options in terms of replacing the router be it by another Sophos device or another brand.
We have solved the problem but actually we could not find how it is solved. :(
We have open the case to Sophos and they look all the logs but as fas I know, they did not touch anything on Sophos and it works very well. After two - three weeks, even there is a VPN is up, communication is stopped between local and azure, we need to turn it off and on and everything is fine.
For short, I want to say my thanks to Sophos they are very helpful and give very quick responses. It is great to see that.
Yes, UTM does not support Route based policies with Azure.
I guess the most problematic part is, there are not enough logs exist in Azure side to track. You have to open every log in Sophos side to understand problem.
Thanks for all supporters
Sedat EKSI Hi,
Can you share if you know how the route based VPN was setup on the UTM, i am in exactly the same position architecturally i need Expressroute Gateway and VPN Gateway that supports route based. As you say the Basic SKU is not support for ER and VPN Coexistance?
The UTM is not IKEv2 nor route based compatible.You will have to convert Azure to use an IKEv1 Policy based routing which i'm not sure is even available any more, you will have to move to the XG if you want to do this.
Toni's link above is no longer valid. Does anyone know the solution to avoiding Azure disconnecting after "IKE message has the Commit Flag set but Pluto doesn't implement this feature; ignoring flag" appears in the IPsec log?