Meraki

Community

IPSEC / Site-to-Site VPN problem with Sophos XGS

Solved
Robin777
Here to help
‎Feb 17 2025 4:49 AM
‎Feb 17 2025 4:49 AM

IPSEC / Site-to-Site VPN problem with Sophos XGS

Hey all,

I have a strange IPSEC/ Site-to-Site VPN issue.

 

Initial a VPN tunnel works from Meraki MX to Sophos XGS.

After Phase 1 lifetime is reached, only one SA is alive, others are gone.

Restarting the tunnel helps until lifetimes ends.

The tunnel is not getting ready/active when new traffic is generated.

 

Please do not wonder why my lifetimes are that low. I had issues with tunnel with 28800 seconds. Troubleshooting was really time consuming, so I changed multiple times to lower values.

 

I have other tunnels to Azure with multiple networks, and this tunnel(s) are working.

Azure <-> Meraki

Azure <-> Sophos XGS

Meraki <-> Sophos XGS (not working)

 

EDIT: I was using IKEv2....

 

To avoid conflicts I have also created fake VLANs on my Meraki site.

 

First screenshot. After enabling the tunnel

Robin777_3-1739795654801.png

Second screenshot: After 10 minutes when Phase 1 has ended

Robin777_4-1739796303353.png

 

Sophos IKEv2 settings

 

Robin777_1-1739795095483.png

 

Meraki IKEv2 settings

 

Robin777_2-1739795134510.png

 

 

Labels:
0 Kudos
1 Accepted Solution
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 17 2025 11:21 AM
‎Feb 17 2025 11:21 AM

>After Phase 1 lifetime is reached, only one SA is alive, others are gone.

 

On Meraki you can only have one IKEv2 SA subnet pair active at a time.  IKEv1 does not have this restriction.  You'll need to change to IKEv1.

View solution in original post

7 Replies 7
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 17 2025 5:05 AM
‎Feb 17 2025 5:05 AM

Hi ,


What MX firmware are you using ? I found that MX 19.1.X fixed a lot of our NMVPN issues.

0 Kudos
In response to RaphaelL
Robin777
Here to help
‎Feb 17 2025 5:10 AM
‎Feb 17 2025 5:10 AM

A wild mix of MX 18.211.4, MX 18.211.5, MX 18.211.2

With all of them I had problems. I have seen that you have really many devices in another thread. How is 19.1.X ?

0 Kudos
In response to Robin777
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 17 2025 5:14 AM
‎Feb 17 2025 5:14 AM

Unfortunatly I don't have many sites with NMVPN , so only a few were upgraded to MX 19.X . All my other devices are also running a mix of MX 18. 

 

But so far so good with MX 19.X.  That might be worth trying on a site / lab on your end if possible.

0 Kudos
In response to RaphaelL
Robin777
Here to help
‎Feb 17 2025 6:05 AM
‎Feb 17 2025 6:05 AM

I am currently preparing a lab environment. Still waiting for new hardware. I give it a try and maybe S2S is stable with this firmware.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Feb 17 2025 11:21 AM
‎Feb 17 2025 11:21 AM

>After Phase 1 lifetime is reached, only one SA is alive, others are gone.

 

On Meraki you can only have one IKEv2 SA subnet pair active at a time.  IKEv1 does not have this restriction.  You'll need to change to IKEv1.

In response to PhilipDAth
cmr
Kind of a big deal
Kind of a big deal
‎Feb 17 2025 11:32 AM
‎Feb 17 2025 11:32 AM

What @PhilipDAth said is the answer.

If my answer solves your problem please click Accept as Solution so others can benefit from it.
0 Kudos
In response to cmr
Robin777
Here to help
‎Feb 17 2025 11:50 AM
‎Feb 17 2025 11:50 AM

You are killing me.... it works with IKEv1 instantly.... I am now waiting until lifetime ends the second time.

Edit: It works now for the fourth time. Thanks a lot for the information, hopefully the team may change it in future to work the same way with IKEv2 . 🙂

Robin777_0-1739821983808.png

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.