Netgate Discussion Forum

    IKEv2, Phase 2 tunnel with sophos firewalls not coming back up (even with ping keepalive)

      nuclearstrength
      last edited by nuclearstrength

      We have 5 IPsec tunnels with Sophos firewalls on the other end; we are on 2.5.2 on our end.
      There are 4 phase 2 subnets in each tunnel.

      Two are very busy and basically always have traffic going through; the other two are not that busy, and every now and then they don't come back up when traffic starts again. At that point I don't see them listed in the child SAs in the status tab any longer (I still see the SPD, though); the other two "busy" tunnels keep working as expected.

      One of the "sleepy" subnets that every now and then drops from phase 2 is an OpenVPN subnet; the server is on the pfSense side.
      Logs seem to be free from errors.

      We don't have this problem with other tunnels with the same subnets with Cisco ASAs and other pfSense boxes.

      We tried adding a ping keepalive to no avail. The only thing that seems to work is restarting the remote Sophos devices or restarting the tunnel on their end; at that point I see the sleepy subnets coming back up in the child SA status tab and it all works, for a while.
      I can't really say how often, or even whether, it drops regularly (during rekeys, for example), but all of this seems to me to point to an incompatibility between strongSwan and this particular model of Sophos firewall (it is the exact same model on all these tunnels). Any suggestions?

      Any known issues that somebody over here knows about? Any suggestions as to config parameters that we may tweak to try to avoid this issue?

      Currently the main parameters are as follows:

      Phase 1:
      Protocol: AES (256 bits) / Transform: SHA256 / DH Group: 2 (1024 bit)
      Lifetime: 28800
      Child SA Start action: default
      Child SA Close action: default
      NAT Traversal: Auto
      MOBIKE: disable
      Split Connection: off
      Gateway Duplicates: off
      PRF Selection: off
      DPD: off

      Phase 2:
      Mode: Tunnel IPv4
      Protocol: ESP / Transform: AES (128 bits), AES128-GCM (128 bits) / Auth: SHA256 / PFS Key Group: 2 (1024 bit)
      Lifetime: 3600

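Added example for this thread (my own script, not code from the post above and not pfSense or strongSwan code): it parses the text output of `swanctl --list-sas`, which is what pfSense 2.5.x drives its IPsec status page from, and reports which expected Phase 2 selector pairs currently have no INSTALLED child SA. Run from cron with a timestamp it gives you exactly when a "sleepy" subnet drops out, which is what you need to line the drops up against the 3600 s Phase 2 and 28800 s Phase 1 lifetimes (the "I can't say whether it drops during rekeys" question). It handles both layouts: a single child SA carrying several selectors, which is what pfSense sends when Split Connection is off, and one child SA per Phase 2 entry. The connection names, child names, addresses, subnets and the sample `swanctl` output are constructed to match swanctl's format, not captured from a real box; the `check_child_sas.py` file name and the swanctl path on pfSense are assumptions.

```python
"""Report which expected Phase 2 selector pairs have no installed child SA.

Added example, not code from pfSense or strongSwan. Parses the text format of
`swanctl --list-sas`. All names, addresses and the sample output are constructed.
"""
import re
import sys

# Constructed sample (not a real capture): "sophos1" has only two of its four
# expected selectors installed, as separate child SAs; "asa1" has one child SA
# carrying both of its selectors on one line (the Split Connection off layout).
SAMPLE_LIST_SAS = """\
sophos1: #7, ESTABLISHED, IKEv2, 1f2e3d4c5b6a7988_i 8899aabbccddeeff_r*
  local  'pfsense.example' @ 203.0.113.10[500]
  remote 'sophos-a.example' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 1200s ago, rekeying in 27300s
  sophos1_1: #31, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 900s ago, rekeying in 2400s, expires in 2700s
    in  c9a4b6d2,  10240 bytes,   80 packets,  1s ago
    out 7dd7c8cc,  20480 bytes,  160 packets,  1s ago
    local  10.1.0.0/24
    remote 10.9.0.0/24
  sophos1_2: #32, reqid 2, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 900s ago, rekeying in 2400s, expires in 2700s
    local  10.1.1.0/24
    remote 10.9.0.0/24
asa1: #8, ESTABLISHED, IKEv2, aabbccdd00112233_i 44556677889900aa_r*
  local  'pfsense.example' @ 203.0.113.10[500]
  remote 'asa.example' @ 198.51.100.30[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 600s ago, rekeying in 27900s
  asa1: #33, reqid 3, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 600s ago, rekeying in 2700s, expires in 3000s
    local  10.1.0.0/24 10.1.1.0/24
    remote 10.7.0.0/24
"""

# Hypothetical Phase 2 inventory: (local subnet, remote subnet) per IKE connection.
EXPECTED = {
    "sophos1": [
        ("10.1.0.0/24", "10.9.0.0/24"),
        ("10.1.1.0/24", "10.9.0.0/24"),
        ("10.1.2.0/24", "10.9.0.0/24"),
        ("10.8.0.0/24", "10.9.0.0/24"),  # e.g. the OpenVPN subnet
    ],
    "asa1": [
        ("10.1.0.0/24", "10.7.0.0/24"),
        ("10.1.1.0/24", "10.7.0.0/24"),
    ],
}

# IKE SA header at column 0; child SA header at two-space indent; child traffic
# selectors at four-space indent ("local"/"remote" followed by one or more subnets).
IKE_RE = re.compile(r"^(\S+): #(\d+), (\w+), IKEv\d")
CHILD_RE = re.compile(r"^  (\S+): #(\d+), reqid (\d+), (\w+),")
TS_RE = re.compile(r"^    (local|remote)\s+(.+?)\s*$")


def parse_child_sas(text):
    """Return {ike_conn: [child, ...]}, keyed by the IKE SA name so that child
    names (which pfSense may derive differently) do not matter."""
    children, conn, current = {}, None, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            conn, current = m.group(1), None
            continue
        m = CHILD_RE.match(line)
        if m and conn is not None:
            current = {"name": m.group(1), "id": int(m.group(2)),
                       "state": m.group(4), "local": set(), "remote": set()}
            children.setdefault(conn, []).append(current)
            continue
        m = TS_RE.match(line)
        if m and current is not None:
            current[m.group(1)].update(m.group(2).split())  # several per line
    return children


def installed_pairs(children, conn):
    """(local, remote) pairs covered by an INSTALLED or REKEYED child SA of conn.
    A child with n local and m remote selectors covers n*m pairs."""
    pairs = set()
    for child in children.get(conn, []):
        if child["state"] in ("INSTALLED", "REKEYED"):
            pairs.update((l, r) for l in child["local"] for r in child["remote"])
    return pairs


def missing_selectors(children, expected=EXPECTED):
    """Expected pairs with no child SA right now, per connection (empty dict = all up)."""
    report = {}
    for conn, pairs in expected.items():
        have = installed_pairs(children, conn)
        gone = [p for p in pairs if p not in have]
        if gone:
            report[conn] = gone
    return report


def main(argv):
    # Assumed usage on pfSense: swanctl --list-sas | python3 check_child_sas.py -
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE_LIST_SAS
    report = missing_selectors(parse_child_sas(text))
    for conn, gone in report.items():
        for local, remote in gone:
            print(f"{conn}: no child SA for {local} <-> {remote}")
    return 1 if report else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With the constructed sample it reports the two missing sophos1 pairs and nothing for asa1. The check is deliberately on installed child SAs rather than on the SPD, because the symptom described is exactly that the policy stays while the SA is gone; a missing pair in this report while the SPD still lists it is the state where traffic has to trigger an acquire and the peer has to agree to a new child, which is where the keepalive ping was not helping.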
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.