Sophos Firewall – Troubleshooting and resolving IPsec connections

IPsec Site-to-Site (S2S) connections are an essential part of many networks, especially when it comes to securely connecting different locations. However, if such a connection is not stable or cannot be established in the first place, this can have a serious impact on the entire network communication. This article is aimed at IT administrators who are looking for solutions to common IPsec problems on the Sophos Firewall. The steps and commands that can be used for troubleshooting are described below.

Why IPsec connections can cause problems

IPsec connections can become unstable or fail for various reasons. Common causes are:

  • Incorrect network configurations on both sides of the tunnel
  • Non-matching IKE versions
  • Mismatches in the connection IDs
  • Faulty preshared keys
  • Incorrectly configured firewall rules

These problems can have a serious impact on the functionality of the VPN connection and require careful troubleshooting.

First steps: Logs and debugging

Before identifying and solving specific problems, it is crucial to gather the right information. Logs and debugging tools available on the Sophos Firewall can help with this.

Monitor real-time logs

To get a detailed insight into the running IPsec service, it is helpful to monitor the logs in real time. This can be done with the following command in the CLI of the Sophos Firewall:

tail -f /log/strongswan.log | grep azure-vpn
This command filters the log entries according to the specific tunnel (in this example “azure-vpn”) and only displays the relevant information. This is particularly useful to see what exactly happens during the connection setup or in the event of errors.

Activate debug mode for the StrongSwan service

If the standard logs are not sufficient to diagnose the problem, the debug mode of the StrongSwan service can be activated. This provides more detailed information:

service strongswan:debug -ds nosync
The debug mode provides a deeper insight into the processes of the IPsec service, which facilitates the diagnosis of complex problems.

⚠️ The IPsec log can quickly take up a lot of storage space on the SSDs, so debug mode should be deactivated again immediately after the analysis.

Common problems and how to solve them

Once the logs and debug information have been collected, you can start to identify and fix specific problems.

Incorrect traffic selectors

A common problem with IPsec connections is that the traffic selectors (also known as security associations or SA) on both sides of the tunnel do not match, which prevents the tunnel from being set up correctly. Make sure that the networks that are to be connected via the tunnel are configured identically on both sides.

No IKE configuration found

Another problem occurs if the IKE versions on both sides of the connection do not match. If this is the case, the connection is not established and an error message appears in the log. You should check whether the IKE versions on both firewalls match and adjust them accordingly.

Peer authentication failed

If peer authentication fails, this is often due to mismatched connection IDs. You should ensure that the local and remote connection IDs are configured correctly on both sides. These IDs must be identical so that phase 1 of the connection can be successfully completed.

No traffic through the IPsec tunnel

If the tunnel is established but no traffic is passed through, the problem is often due to the firewall rules. You should make sure that the rules are configured correctly to allow the VPN traffic. In addition, you should check that the priority of the VPN and static routes is set correctly to ensure that the traffic is routed through the tunnel.

Invalid HASH_V1 payload

An invalid HASH_V1 payload usually indicates an incorrect preshared key. You should check the preshared key on both firewalls to ensure that they match. An incorrect key means that the connection cannot be authenticated and thus prevents the tunnel from being set up successfully.
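The following script is an added example and is not part of the original article or of the Sophos Firewall itself. It combines the per-tunnel grep from the log-monitoring step with the five problem classes described above: it filters a strongSwan log for one connection name and maps each known error signature to the cause the article gives. The message substrings in the `case` patterns are assumed charon wording, and the sample log is constructed; check them against your own /log/strongswan.log.

```shell
#!/bin/sh
# Added example (not from the article or Sophos): triage a strongSwan log for the
# error signatures the article discusses and print the likely cause and fix.
# Usage: ipsec_triage <logfile> <connection-name>
# The substrings matched below are assumed strongSwan/charon log wording.

ipsec_triage() {
    log="$1"; conn="$2"
    # Restrict to the tunnel of interest, as the article does with "grep azure-vpn".
    grep -i "$conn" "$log" | while IFS= read -r line; do
        case "$line" in
            *"no IKE config found"*)
                echo "IKE-CONFIG: no IKE config found -> check that both peers use the same IKE version" ;;
            *"peer authentication failed"*)
                echo "AUTH: peer authentication failed -> compare local and remote connection IDs on both sides" ;;
            *"invalid HASH_V1 payload"*)
                echo "PSK: invalid HASH_V1 payload -> preshared keys do not match" ;;
            *"no matching CHILD_SA config"*|*TS_UNACCEPTABLE*)
                echo "TS: traffic selector mismatch -> local/remote networks differ between the peers" ;;
        esac
    done | sort -u
}

# Constructed sample log (not real firewall output) used to demonstrate the triage.
SAMPLE_LOG="${TMPDIR:-/tmp}/strongswan-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-01 10:00:01 05[IKE] <azure-vpn|3> initiating IKE_SA azure-vpn[3] to 203.0.113.10
2024-01-01 10:00:02 06[CFG] <azure-vpn|3> no matching CHILD_SA config found for 10.0.0.0/24 === 192.168.5.0/24
2024-01-01 10:00:03 07[IKE] <other-vpn|4> peer authentication failed
2024-01-01 10:00:04 08[IKE] <azure-vpn|3> invalid HASH_V1 payload length, decryption failed?
EOF

# Example run: only the azure-vpn findings are reported; the other-vpn line is filtered out.
ipsec_triage "$SAMPLE_LOG" azure-vpn
```

On a Sophos Firewall the same function can be pointed at /log/strongswan.log directly; in debug mode the volume of lines grows quickly, so run it once the capture is complete rather than on a live tail.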

Conclusion

Troubleshooting IPsec connections on Sophos Firewall can be complex, but with the right tools and methods it is possible to identify and fix most problems. By monitoring the logs in real time and activating debug mode, you can obtain the necessary information to specifically search for the cause of connection problems. If you know the most common problems and their solutions, you will be able to operate IPsec connections stably and reliably.

However, if problems occur that cannot be resolved, it may be helpful to capture the traffic with tcpdump for analysis and forward the capture together with the logs to us or to Sophos Support for further assistance.

Further assistance

If troubleshooting the IPsec connection on the Sophos Firewall continues to cause difficulties, there are additional resources that may be helpful. These include detailed instructions and common troubleshooting solutions:

These sources provide valuable insights and can help to successfully solve persistent problems with IPsec connections.