IPSec site-to-site traffic not flowing after a while, even though link is up

[zstephen]

Hi all.

I have this odd issue with a site to site VPN, it's been happening for a few versions of both of my firewalls, but I suspect that it's being caused by the OPNSense side due to how I can fix the symptom.

Setup:
* Sophos XG(19.0.0 GA-Build317) and OPNsense (22.1.6-amd64) IPSec site to site VPN
* Both connecting via HFC with dynamic IPs and managing own Dynamic DNS
* Link can recover automatically in the case of internet outages from either side

Symptoms:
* Traffic cannot flow between sites after some unspecified time

Fix:
* Toggling relavent IPSec firewall rule logging on/off allows traffic flow to resume until fault manifests again

Observations:
* Sophos XG and OPNSense sides both show VPN link as up during fault


Has anyone got any clues on this one? I'm not sure where to search for in the logs, but I'd be glad to take any suggestions and report back.

Thanks in advance.

[atom]

The IPsec logs are written to /var/log/ipsec. Just have a look at the most recent file ( and post if you have any questions ).

[netcreator]

for me it sounds like that the sa lifetime entries are not correct on both sides. i was running into the same issue in the past and i figured out that my sa lifetimes where not configured correctly. after i changed to a common lifetime-set the connections remaind up.