17.5.3 MR3 - creating an IPSec connection damages the configuration of the Sophos Connect server

Question

I have a very serious problem with router running under 17.5.3 MR3 firmware. Previously we have configured dozens of IPSec site-to-site connections with preshared key. All of them were created in previous versions of the firmware and after migration to 17.5 worked without any problems. 
 Unfortunately now, at the moment when I add a new IPSec connection with preshared key, the configuration of the Sophos Connect server is dispersed. An attempt to establish a VPN connection with it ends with an "Incorrect pre-shared key" error. As I've checked, this effect only occurs using preshared keys, the same connection created using RSA keys does not cause errors. That preshared key itself is 10 characters long and does not contain any special characters 
 It does not help generate a new configuration file in Sophos Connect and upload it to the client, nor try to change the preshared key to another one on the router. The only solution is to restore the router configuration from backup. 
 What can I do with this? Is this a known bug in this firmware version? Will help me return to the earlier version of the firmware?

KingChris · Accepted Answer

Hi Detlef Halbritter 
 The XG does not support preshared key probing. What this means is that if you have 2 IPsec tunnels, which would include Sophos Connect Client and L2TP, with the same local and remote endpoints, generally remote endpoints being "*" or "any", any PSK change is applied to all of them. 
 This is the way the XG has been for some time. To overcome this, your only option is to decide on which IPsec technology you want to use, and stick with that for your end users. You could also transition to SSL VPN which is not affected. 
 For site-to-site connections, do not use "*" as the remote endpoint. Use an actual IP address or FQDN. You can utilize a dynamic DNS for the remote side which will then be a solution to. However its always recommended to use static IPs where possible for site-to-site deployments. 
 In the interests of not continuing on old threads, if you have a problem I would suggest you create your own post. 
 Thanks!

MichalKawecki · Answer

I found the cause of the problem. The .tgb file with the old Sophos Connect configuration contains the PSK key in an encrypted form, e.g. Authentication = "8Yj$N&B". However, the new tgb file - generated after updating PSK in the IPSec connection - contains the same key, but in the form of plain text: Authentication = "abcdefg" 
 It seems that this is a firmware error.

MichalKawecki · Answer

My problem with the NO_PROPOSAL_CHOSEN error has also been solved, thank you again for your help. It turned out that after changing the PSK key also changed the encryption method used by the Sophos Connect server. What's more, the newly generated configuration file for the client contained incorrect settings, which resulted in an error as above when attempting to set up the connection. 
 Solution to this problem - according to received instructions - is given below: 
 If you are using scx file then edit the file and change the proposals line "proposals": "aes256-sha2_256-modp4096", to: "proposals": "aes256-sha2_256-ecp256" 
 If you are using the tgb file then replace all instance of GRP2 with GRP19. There are six lines that will be changed. 
 
 Best regards, Michal