
Working IPsec site to site VPN won't restart after reboot

I'm running Sophos UTM ver 9.705-3 and have an IPsec site-to-site VPN with a Sonicwall TZ300 (which is set to "initiate connection") that works well until I reboot the Sophos.

After rebooting the Sophos, I've watched the Sonicwall keep retrying to reconnect for well over 5 mins with no answer back. At the Sophos end, the VPN live log only shows the following entries and won't budge until I do something to the VPN, e.g. toggle it on/off or change a setting; then it reconnects with no problem:

2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:4500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo 127.0.0.1:500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo 127.0.0.1:4500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface lo/lo ::1:500
2021:02:20-11:58:48 lyneutm pluto[5866]: loading secrets from "/etc/ipsec.secrets"
2021:02:20-11:58:48 lyneutm pluto[5866]: loaded PSK secret for <local FQDN> < remote FQDN> 
2021:02:20-11:58:48 lyneutm pluto[5866]: listening for IKE messages
2021:02:20-11:58:48 lyneutm pluto[5866]: added connection description "S_JT VPN"
2021:02:20-11:58:48 lyneutm pluto[5866]: "S_JT VPN": we have no ipsecN interface for either end of this connection

(I've inserted the <local FQDN> and <remote FQDN> to replace the actual values.)

I've tried with Dead Peer Connection both on and off with same result.

Is there a known issue with IPSec VPN restarts at reboot? Is there something I may have configured wrong?

Any info would be appreciated.
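As an added example (not part of the original post or of Sophos UTM), the following Python check reads the IPsec live-log format shown above and reports, after a reboot, whether pluto reached "listening for IKE messages" and which connection descriptions were added but then stopped at the "we have no ipsecN interface for either end of this connection" message with nothing logged for them afterwards. The log-line layout is assumed from the lines quoted in the post; the "responding to Main Mode" line in the healthy sample is constructed to show what a connection that did progress looks like.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Assumed from the post: Sophos UTM IPsec live-log lines look like
#   2021:02:20-11:58:48 lyneutm pluto[5866]: <message>
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) '
    r'(?P<host>\S+) pluto\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
# Messages about a specific connection start with its quoted name,
# optionally followed by a state number, e.g. "S_JT VPN" #1: ...
CONN_RE = re.compile(r'^"(?P<conn>[^"]+)"(?: #\d+)?: (?P<detail>.*)$')
ADDED_RE = re.compile(r'^added connection description "(?P<conn>[^"]+)"$')

NO_IFACE = 'we have no ipsecN interface for either end of this connection'


@dataclass
class PlutoEvent:
    ts: str
    host: str
    pid: int
    msg: str
    conn: Optional[str] = None  # connection the message refers to, if any


def parse_line(line: str) -> Optional[PlutoEvent]:
    """Parse one live-log line; return None for lines that are not pluto output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group('msg')
    conn = None
    cm = CONN_RE.match(msg)
    am = ADDED_RE.match(msg)
    if cm:
        conn = cm.group('conn')
    elif am:
        conn = am.group('conn')
    return PlutoEvent(m.group('ts'), m.group('host'), int(m.group('pid')), msg, conn)


def stuck_connections(lines: Iterable[str]) -> Dict[str, object]:
    """Summarise a post-reboot log excerpt.

    daemon_listening: pluto logged 'listening for IKE messages'.
    stuck: connections that were added and whose last logged message is the
           'no ipsecN interface' complaint, i.e. no IKE exchange followed.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    listening = any(e.msg == 'listening for IKE messages' for e in events)
    added = {e.conn for e in events if e.conn and ADDED_RE.match(e.msg)}
    last_msg: Dict[str, str] = {}
    for e in events:
        if e.conn:
            last_msg[e.conn] = e.msg
    stuck: List[str] = sorted(
        c for c in added if last_msg.get(c) == f'"{c}": {NO_IFACE}'
    )
    return {'daemon_listening': listening, 'stuck': stuck}


# Sample input: the lines quoted in the post (startup that never progressed).
SAMPLE_STUCK = """
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:500
2021:02:20-11:58:48 lyneutm pluto[5866]: adding interface br0/br0 192.168.2.2:4500
2021:02:20-11:58:48 lyneutm pluto[5866]: listening for IKE messages
2021:02:20-11:58:48 lyneutm pluto[5866]: added connection description "S_JT VPN"
2021:02:20-11:58:48 lyneutm pluto[5866]: "S_JT VPN": we have no ipsecN interface for either end of this connection
""".strip().splitlines()

# Constructed: the same startup followed by an IKE exchange for the connection.
SAMPLE_HEALTHY = SAMPLE_STUCK + [
    '2021:02:20-11:58:49 lyneutm pluto[5866]: "S_JT VPN" #1: responding to Main Mode from unknown peer 203.0.113.5',
]

if __name__ == '__main__':
    print(stuck_connections(SAMPLE_STUCK))    # stuck: ['S_JT VPN']
    print(stuck_connections(SAMPLE_HEALTHY))  # stuck: []
```

Run against the live log after a reboot, the check tells an admin in one line whether the tunnel is stuck at the "no ipsecN interface" stage (so the fix is on the Sophos side, as the thread goes on to discuss) or whether IKE negotiation is actually failing further along.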



  • I should add there's no problem going the other way, i.e. when the Sonicwall end goes down and restarts, the tunnel gets re-established with no problem.

  • Hi Jean,

    I assume that the Sophos side is set to respond only?

    BAlfson, didn't you say that both ends could be set to "initiate connection"?

    I would try that first.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.



  • Hi Philipp, thanks for the reply. I don't see a way to set the Sophos end to "respond only", or, for that matter, to initiate. I only see an option to set initiate/respond for the remote site, in my case a Sonicwall that is set to initiate.

    Here's a screenshot of the Sophos connection config tab, and two below is the Sophos Remote Gateway tab, where I could have chosen "Respond Only" but chose "Initiate Connection".

  • Hi Jean,

    once defined, you cannot change the behaviour of the remote GW object from "initiate connection" to "respond only". You have to recreate it or define another object and then associate this with your connection.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • I haven't changed anything with respect to who initiates and who responds, because everything works fine until I reboot the Sophos. Then the VPN will not restart. Upon restart the Sophos should just respond to the other end's request, which I can see happening repeatedly, but it doesn't.

    It stops at "lyneutm pluto[5866]: "S_JT VPN": we have no ipsecN interface for either end of this connection"

    It seems like a bug to me but first seeing if anyone else has encountered this, and/or if there's another setting I'm not seeing that I have to turn on or off.

  • Something is definitely broken here. Try to create a new connection object with a different name AND a new Gateway object with a new name, too. Then delete the old entries after that. Is it working now?

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.
