This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Help IPSEC VPN DISCONNECTS AND NOT ABLE TO AUTOCONNECT WHEN BRANCH SITE BOOT THEIR VPN ROUTER during MOrning

Help IPSEC VPN DISCONNECTS AND NOT ABLE TO AUTOCONNECT WHEN BRANCH SITE BOOT THEIR VPN ROUTER during MOrning

 

Helo , hope all is well, please help me on this concern ,

 

Scenario

-IPSEC VPN are disconnected when turnoff the BRANCH VPN ROUTER (CISCO RV SERIES) - Normal

-IPSEC VPN not autoconnect  / established when the BRANCH VPN ROUTER is reboot / turnon

 

my work around is : RE ENTER THE PRESHARED KEY and the TUNNEL goes UP

 

But this is hassle everyday I refreshed the tunnel

 



This thread was automatically locked due to age.
Parents
  • Do you have multiple IPsec Tunnel and all Respond only? Are all of them using Wildcard (*) for Remote Gateway and you have different IPsec PSKs? 

    __________________________________________________________________________________________________________________

  • HI Lucar Toni, Thanks for asking 

    Here are my response to your verifications

    1. Do you have multiple IPsec Tunnel and all Respond only? :

    Ans : We Have More Or Less 150+ IPSEC tunnel (HEADOFFICE-XG.Firewall  and BRANCH-Third.Party.VPN Router)  , and yes XG is set to Response Only

    2. Are all of them using Wildcard (*) for Remote Gateway? :

    Ans: Yes (but I have at least less than 20 IPsec Tunnel that are set to STATIC IP (These are stable)

    3. You have different IPsec PSKs?  :

    Ans: Yes , At least 10 different PSKs (assigned to different IPsec Tunnel

    - Looking forward that you could help me to further figure out on this. 

  • Do you get a alert, your PSK will be overwritten? Sounds like your PSK is not correct, as XG will overwritte all PSKs with * Remote Gateway. 

    __________________________________________________________________________________________________________________

Reply Children
  • here is the message I get when I re- enter the presahared key every morning , and after that the tunnel will now connected until the Third Party (Branch ) VPN router is turn off

  • As XG cannot separate the Connection between each other, it cannot use different PSKs for the connections. There needs to be a separation filter to give XG the possibility to know, which PSK it should use for each connection. 
    If not given, XG will update all Tunnels, which are likely the same connection to the same PSK. 

    Workarounds: Use Remote and Local ID Type identifier in the tunnel. 

    Use the same PSK for those tunnels.

    Use a DDNS for those tunnels and do not use * (Wildcard). 

    Your method work, because you are changing the PSK for the connection initialization and the SAs are established. So the tunnel does not know, that the PSK changed in the backend. Until the connection drops and tries to re establish. 

     

    __________________________________________________________________________________________________________________

  • HI LuCar looking forward for our possible help,  can You private message me for ease of communication ? 

  • that the PSK changed in the backend

    What do you mean with this ?  You might me the answer to my long term issue on XG

  • Let me rephrase this: 

    If you have 3 tunnel for example. One is with IP 1.2.3.4. Tunnel 2 and 3 have remote gateway * (Wildcard). 

    Tunnel 1: PSK 123456

    Tunnel 2: PSK Secret

    Tunnel 3 PSK SuperSecret

    XG can now identify Tunnel 1 with IP 1.2.3.4 and use PSK 123456 for this Tunnel. 

    If you create Tunnel 2, you can use PSK Secret. If you create Tunnel 3 and use PSK SuperSecret, XG will notice, it cannot separate Tunnel 2 and Tunnel 3 and has to use PSK SuperSecret for Tunnel 2 and Tunnel 3. 

    Its about the method to recognize, Which Tunnel should be used for this connection. 

    What you are doing right now: You are always save the PSK Secret, build the tunnel 2. As ReKeying will apply, the PSK is only used to build up the tunnel. Afterwards you save SuperSecret for other tunnels. You are overwriting constantly the PSK in the XG Backend to build up tunnels. 

    Best practice to avoid such issues would be: 

    Use a DDNS for the wildcard Tunnels, if they have a dynamic IP. 

    Use the same PSK for all tunnels or move to RSA /Certificate. 

    Use Local and Remote ID. 

    __________________________________________________________________________________________________________________

  • Great!

    This is well explained i will apply those inputs and let you know, This is big help

  • ISSUE RESOLVED , Thanks for yhe big help i have fine stable IPSEC tunnel stable connection , I applived "Use Local and Remote ID. "