IKEv2, Phase 2 tunnel with Sophos firewalls not coming back up (even with ping keepalive)
-
We have 5 IPsec tunnels with Sophos firewalls on the other end; we are on 2.5.2 on our end.
There are 4 phase 2 subnets in each tunnel. Two are very busy and basically always have traffic going through; the other two are not that busy, and every now and then they don't come back up when traffic starts again. At that point I don't see them listed in the child SAs in the status tab any longer; I still see the SPD though. The other two "busy" tunnels keep working as expected.
One of the "sleepy" subnets that every now and then drops from phase 2 is an OpenVPN subnet; the server is on the pfSense side.
The logs seem to be free from errors. We don't have this problem with other tunnels with the same subnets with Cisco ASA and other pfSense boxes.
We tried adding a ping keepalive to no avail; the only thing that seems to work is restarting the remote Sophos devices or restarting the tunnel on their end. At that point I see the sleepy subnets coming back up in the child SA status tab and it all works, for a while.
I can't really say how often or even if it drops regularly (during rekeys, for example), but all of this seems to me to point to an incompatibility between strongSwan and this particular model of Sophos firewall (it is the exact same model on all these tunnels). Any suggestions? Any known issues that somebody over here knows about? Any suggestions as to config parameters that we may tweak to try to avoid this issue?
Currently the main parameters are as follows:
Phase1:
Protocol: AES (256 bits) / Transform: SHA256 / DH Group: 2 (1024 bit)
Lifetime: 28800
Child SA Start action: default
Child SA Close action: default
NAT Traversal: Auto
MOBIKE: disable
Split Connection: off
Gateway Duplicates: off
PRF Selection: off
DPD: off

Phase2:
Mode: Tunnel IPv4
Protocol: ESP / Transform: AES (128 bits), AES128-GCM (128 bits) / Auth: SHA256 / PFS Key Group: 2 (1024 bit)
Lifetime: 3600
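One check that goes with the symptom described above (children missing from the child SA list while the SPD is still present), as an added example and not code from the original post, from pfSense or from strongSwan: a POSIX shell script that diffs the children strongSwan has loaded (`swanctl --list-conns`) against the children that currently hold an SA in any state (`swanctl --list-sas`), swanctl being the IPsec back end pfSense 2.5.x runs. The connection name `con1`, the child names `con1_001`..`con1_004`, the addresses and both listings are constructed sample data; the two awk patterns assume the usual swanctl(8) output layout reproduced in those samples and should be checked against real output on the box before relying on them.

```shell
#!/bin/sh
# Added example (not from the original post): list configured IPsec children
# that currently have no child SA, by comparing `swanctl --list-conns` with
# `swanctl --list-sas`. The two regexes below assume the usual swanctl(8)
# output layout, which the constructed samples at the bottom reproduce.

# Child names that strongSwan has loaded: 2-space indented "name: TUNNEL, ..."
# lines in `swanctl --list-conns`. Reads the listing on stdin.
configured_children() {
    awk '/^  [^ ]+: (TUNNEL|TRANSPORT|BEET)/ { sub(/:$/, "", $1); print $1 }'
}

# Child names that currently have an SA in any state (INSTALLED, REKEYING,
# ...): "name: #<id>, reqid <n>, STATE, ..." lines in `swanctl --list-sas`.
installed_children() {
    awk '/^  [^ ]+: #[0-9]+, reqid [0-9]+, / { sub(/:$/, "", $1); print $1 }'
}

# Print, one per line, every configured child that has no SA at all.
# $1 = file holding `swanctl --list-conns` output
# $2 = file holding `swanctl --list-sas` output
missing_children() {
    workdir=$(mktemp -d) || return 1
    configured_children < "$1" | sort -u > "$workdir/configured"
    installed_children  < "$2" | sort -u > "$workdir/installed"
    comm -23 "$workdir/configured" "$workdir/installed"
    rm -rf "$workdir"
}

# ---- constructed sample data (fictional names, RFC 5737 addresses) ---------
# One tunnel, four phase 2 entries: con1_001/_002 are the busy ones and hold
# SAs; con1_003/_004 are the "sleepy" ones, still configured but without a SA.
SAMPLE_CONNS=$(mktemp)
SAMPLE_SAS=$(mktemp)
trap 'rm -f "$SAMPLE_CONNS" "$SAMPLE_SAS"' EXIT

cat > "$SAMPLE_CONNS" <<'EOF'
con1: IKEv2, no reauthentication, rekeying every 28800s
  local:  203.0.113.10
  remote: 198.51.100.20
  local pre-shared key authentication:
    id: 203.0.113.10
  remote pre-shared key authentication:
    id: 198.51.100.20
  con1_001: TUNNEL, rekeying every 3600s
    local:  10.10.1.0/24
    remote: 10.20.1.0/24
  con1_002: TUNNEL, rekeying every 3600s
    local:  10.10.2.0/24
    remote: 10.20.2.0/24
  con1_003: TUNNEL, rekeying every 3600s
    local:  10.10.3.0/24
    remote: 10.20.3.0/24
  con1_004: TUNNEL, rekeying every 3600s
    local:  10.8.0.0/24
    remote: 10.20.4.0/24
EOF

cat > "$SAMPLE_SAS" <<'EOF'
con1: #12, ESTABLISHED, IKEv2, 0123456789abcdef_i* fedcba9876543210_r
  local  '203.0.113.10' @ 203.0.113.10[500]
  remote '198.51.100.20' @ 198.51.100.20[500]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
  established 5412s ago, rekeying in 22981s
  con1_001: #31, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 1402s ago, rekeying in 1872s, expires in 2198s
    in  c1a2b3c4,  812345 bytes,  1123 packets,     1s ago
    out d4c3b2a1,  923456 bytes,  1234 packets,     0s ago
    local  10.10.1.0/24
    remote 10.20.1.0/24
  con1_002: #32, reqid 2, REKEYING, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 3591s ago, rekeying in 1s, expires in 9s
    in  e5f6a7b8,  512345 bytes,   923 packets,     3s ago
    out b8a7f6e5,  612345 bytes,  1034 packets,     2s ago
    local  10.10.2.0/24
    remote 10.20.2.0/24
EOF

# Stand-alone run: the two sleepy children should be reported.
echo "configured children with no child SA:"
missing_children "$SAMPLE_CONNS" "$SAMPLE_SAS"
```

On a live box, capture both listings into files and call `missing_children` on them; anything it prints is a phase 2 entry the status tab would no longer show. Run from cron with a timestamp, it gives a record of when each sleepy child disappears, which is the data the post says it lacks (whether the drops line up with rekeys). `swanctl --initiate --child <name>` will bring a missing child back up from this side, but that treats the symptom, not the interoperability question the post asks about.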