Help IPSEC VPN DISCONNECTS AND NOT ABLE TO AUTOCONNECT WHEN BRANCH SITE BOOT THEIR VPN ROUTER during MOrning
Helo , hope all is well, please help me on this concern ,
-IPSEC VPN are disconnected when turnoff the BRANCH VPN ROUTER (CISCO RV SERIES) - Normal
-IPSEC VPN not autoconnect / established when the BRANCH VPN ROUTER is reboot / turnon
my work around is : RE ENTER THE PRESHARED KEY and the TUNNEL goes UP
But this is hassle everyday I refreshed the tunnel
Let me rephrase this:
If you have 3 tunnel for example. One is with IP 188.8.131.52. Tunnel 2 and 3 have remote gateway * (Wildcard).
Tunnel 1: PSK 123456
Tunnel 2: PSK Secret
Tunnel 3 PSK SuperSecret
Do you have multiple IPsec Tunnel and all Respond only? Are all of them using Wildcard (*) for Remote Gateway and you have different IPsec PSKs?
HI Lucar Toni, Thanks for asking
Here are my response to your verifications
1. Do you have multiple IPsec Tunnel and all Respond only? :
Ans : We Have More Or Less 150+ IPSEC tunnel (HEADOFFICE-XG.Firewall and BRANCH-Third.Party.VPN Router) , and yes XG is set to Response Only
2. Are all of them using Wildcard (*) for Remote Gateway? :
Ans: Yes (but I have at least less than 20 IPsec Tunnel that are set to STATIC IP (These are stable)
3. You have different IPsec PSKs? :
Ans: Yes , At least 10 different PSKs (assigned to different IPsec Tunnel
- Looking forward that you could help me to further figure out on this.
Do you get a alert, your PSK will be overwritten? Sounds like your PSK is not correct, as XG will overwritte all PSKs with * Remote Gateway.
here is the message I get when I re- enter the presahared key every morning , and after that the tunnel will now connected until the Third Party (Branch ) VPN router is turn off
As XG cannot separate the Connection between each other, it cannot use different PSKs for the connections. There needs to be a separation filter to give XG the possibility to know, which PSK it should use for each connection. If not given, XG will update all Tunnels, which are likely the same connection to the same PSK.
Workarounds: Use Remote and Local ID Type identifier in the tunnel.
Use the same PSK for those tunnels.
Use a DDNS for those tunnels and do not use * (Wildcard).
Your method work, because you are changing the PSK for the connection initialization and the SAs are established. So the tunnel does not know, that the PSK changed in the backend. Until the connection drops and tries to re establish.
HI LuCar looking forward for our possible help, can You private message me for ease of communication ?
LuCar Toni said: that the PSK changed in the backend
What do you mean with this ? You might me the answer to my long term issue on XG
XG can now identify Tunnel 1 with IP 184.108.40.206 and use PSK 123456 for this Tunnel.
If you create Tunnel 2, you can use PSK Secret. If you create Tunnel 3 and use PSK SuperSecret, XG will notice, it cannot separate Tunnel 2 and Tunnel 3 and has to use PSK SuperSecret for Tunnel 2 and Tunnel 3.
Its about the method to recognize, Which Tunnel should be used for this connection.
What you are doing right now: You are always save the PSK Secret, build the tunnel 2. As ReKeying will apply, the PSK is only used to build up the tunnel. Afterwards you save SuperSecret for other tunnels. You are overwriting constantly the PSK in the XG Backend to build up tunnels.
Best practice to avoid such issues would be:
Use a DDNS for the wildcard Tunnels, if they have a dynamic IP.
Use the same PSK for all tunnels or move to RSA /Certificate.
Use Local and Remote ID.
This is well explained i will apply those inputs and let you know, This is big help
ISSUE RESOLVED , Thanks for yhe big help i have fine stable IPSEC tunnel stable connection , I applived "Use Local and Remote ID. "