{"id":161429,"date":"2024-09-03T10:07:44","date_gmt":"2024-09-03T09:07:44","guid":{"rendered":"https:\/\/www.avanet.com\/?post_type=kb&p=161429"},"modified":"2024-09-03T10:08:39","modified_gmt":"2024-09-03T09:08:39","slug":"sophos-firewall-ipsec-remote-access-timeout-after-4-hours","status":"publish","type":"kb","link":"https:\/\/www.avanet.com\/en\/kb\/sophos-firewall-ipsec-remote-access-timeout-after-4-hours\/","title":{"rendered":"Sophos Firewall – IPsec remote access timeout after 4 hours"},"content":{"rendered":"\n

This article explains why an IPsec remote access timeout occurs after 4 hours and how this problem can be solved.<\/p>\n\n

For IPsec Remote Access, a timeout of 4 hours is set by default on the Sophos Firewall.\nIn this case, the Sophos Connect Client loses the connection to the firewall and the user must re-establish the connection. <\/p>\n\n

If the Sophos Connect Client has configured users with a one-time password (OTP), the user is prompted to enter a new OTP every 4 hours by default.\nThis is because the Sophos Connect Client uses the DefaultRemoteAccess policy, which can be changed via the graphical user interface.\nThe default value for ikekeylife is 18000 <\/p>\n\n

Sophos Firewall Log<\/h2>\n\n

These errors in the VPN log show that the connection was interrupted due to an expired IKE key.\nThe invalid SPI (Security Parameter Index) refers to an expired or invalid IKE phase 1 session. <\/p>\n\n

VPN 2023-12-12 06:33:48 IPSec Deny Received IKE message with invalid SPI (421B67D8) from the remote gateway. 18050\nVPN 2022-12-12 06:33:47 IPSec Deny Received IKE message with invalid SPI (13B56627) from the remote gateway.18050\nVPN 2022-12-12 06:33:46 IPSec Deny Received IKE message with invalid SPI (EDA41714) from the remote gateway.18050<\/code><\/pre>\n\n
Customize IPsec VPN timeout via Sophos Firewall GUI<\/h2>\n\n
In the VPN profiles you will find the DefautlRemoteAccess certificate and can clone it and adjust the value accordingly.<\/p>\n\n
\n
\"Sophos<\/a>
Sophos Firewall – IPsec Profiles DefaultRemoteAccess – Key life<\/figcaption><\/figure>\n\n\n\n
\"Sophos<\/a>
Sophos Firewall – IPsec Profiles DefaultRemoteAccess<\/figcaption><\/figure>\n<\/figure>\n\n
Then you just have to select the new certificate in the Remote Access IPsec settings and distribute the new config to the users.<\/p>\n\n
Adjust IPsec VPN timeout via Sophos Firewall console<\/h2>\n\n
With an IKE_SA lifetime value of 18000, IKE_SA re-encryption occurs approximately every 4 hours and re-authentication also occurs along with IKE_SA re-encryption, prompting users to enter a new OTP.<\/p>\n\n
If the customer requirement is that the user should be prompted to enter a new OTP every “n” hours, then use the following equation to determine the appropriate ikekeylife value if n=10 (i.e. 10 hours)<\/p>\n\n
ikekeylife = (n +1) * 3600\nikekeylife = (10 +1) * 3600 = 39600\nikekeylife = 39600<\/strong><\/code><\/pre>\n\n
\n
Note: The maximum value for “n” should not be greater than 23.<\/p>\n<\/blockquote>\n\n
Connect to the Sophos Firewall via SSH, e.g. via Putty, and enter 5 and then 3 to access the Advanced Shell.<\/p>\n\n
psql -U nobody -d corporate -c \"update tblvpnpolicy set ikekeylife=<\/em>39600<\/em><\/strong>\u00a0where policyid=5;\"<\/em><\/code><\/pre>\n\n
Afterwards, you only have to restart the IPsec VPN service on the firewall and redistribute the config file to the clients.<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"template":"","format":"standard","kb_kategorie":[382],"class_list":["post-161429","kb","type-kb","status-publish","format-standard","hentry","kb_kategorie-sophos-firewall"],"blocksy_meta":[],"acf":[],"_links":{"self":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb\/161429","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb"}],"about":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/types\/kb"}],"author":[{"embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/users\/1"}],"wp:attachment":[{"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/media?parent=161429"}],"wp:term":[{"taxonomy":"kb_kategorie","embeddable":true,"href":"https:\/\/www.avanet.com\/en\/wp-json\/wp\/v2\/kb_kategorie?post=161429"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}