BOVPN tunnel excessive rekeys
Morning folks,
I've set up a BOVPN between a T70 and an M270 (both devices are using the latest firmware) using the following two articles:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/gateways_config_c.html
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/bovpn/manual/bovpn_availability_c.html
When I first built the BOVPN I used the default values for compatibility as shown in the second link (using IKEv2 however) and the VPN connects fine and works for hours. I do see an error on the diagnostic report that says:
[Conclusion]
BOVPN Gateway(Office1)'s endpoint #1 's local and remote gateway IP addresses do not match the IP addresses in the established Phase 1 Security Association (SA).
Recommendation: Review VPN log messages to identify the reason.
[Gateway Summary]
Gateway "Office1" contains "1" gateway endpoint(s). IKE Version is IKEv2.
Gateway Endpoint #1 (name "Office1") Enabled
PFS: Disabled AlwaysUp: Disabled
DPD: Enabled Keepalive: Disabled
Local ID<->Remote ID: {IP_ADDR(xxx.xx.xxx.182) <-> IP_ADDR(yyy.yy.y.234)}
Local GW_IP<->Remote GW_IP: {xxx.xx.xxx.182 <-> yyy.yy.y.234}
Outgoing Interface: eth1 (ifIndex=5)
ifMark=0x10001
linkStatus=2 (0:unknown, 1:down, 2:up)
IPs redacted for security, but they do match.
When I switch to the recommended values for performance and security shown in the second link, the BOVPN connects and works for a period of time ranging from 2 minutes to 20 minutes, and then the tunnel is destroyed and rekeyed. The same "gateway addresses do not match" error appears in the log.
So first off, how do I solve the mismatched IP error? I have a feeling this may be the cause of the stability issues with the recommended settings.
And secondly, if it is not a problem with the mismatched IPs: how do I ensure the best performance and security between these two devices when the recommended settings appear to be less than stable?
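Added example (not from the original post or from WatchGuard): a small parser for the [Gateway Summary] block shown above that checks each endpoint's ID pair against its configured gateway IP pair, and optionally against the Phase 1 SA addresses an operator has pulled from the VPN log. It assumes the report lines keep exactly the shape shown in the post; the sample below is constructed with documentation-range addresses.

```python
import re

# Constructed sample in the shape of the post's [Gateway Summary]; addresses are
# documentation ranges (RFC 5737), not real endpoints.
SAMPLE_REPORT = """[Gateway Summary]
Gateway "Office1" contains "1" gateway endpoint(s). IKE Version is IKEv2.
Gateway Endpoint #1 (name "Office1") Enabled
PFS: Disabled AlwaysUp: Disabled
DPD: Enabled Keepalive: Disabled
Local ID<->Remote ID: {IP_ADDR(192.0.2.182) <-> IP_ADDR(198.51.100.234)}
Local GW_IP<->Remote GW_IP: {192.0.2.182 <-> 198.51.100.234}
Outgoing Interface: eth1 (ifIndex=5)
"""

# Line patterns assumed from the report layout in the post.
EP_RE = re.compile(r'Gateway Endpoint #(\d+) \(name "([^"]*)"\)')
ID_RE = re.compile(r"Local ID<->Remote ID: \{(\w+)\(([^)]*)\) <-> (\w+)\(([^)]*)\)\}")
GW_RE = re.compile(r"Local GW_IP<->Remote GW_IP: \{(\S+) <-> (\S+)\}")

def parse_endpoints(report):
    """Return one dict per 'Gateway Endpoint #n' block with its ID and gateway IP pairs."""
    endpoints, cur = [], None
    for line in report.splitlines():
        if m := EP_RE.search(line):
            cur = {"number": int(m.group(1)), "name": m.group(2)}
            endpoints.append(cur)
        elif cur and (m := ID_RE.search(line)):
            cur.update(local_id=(m.group(1), m.group(2)), remote_id=(m.group(3), m.group(4)))
        elif cur and (m := GW_RE.search(line)):
            cur.update(local_gw=m.group(1), remote_gw=m.group(2))
    return endpoints

def check_endpoint(ep, sa_addrs=None):
    """Flag disagreements for one endpoint. With IP_ADDR identities, the ID and the
    configured gateway IP should be identical; sa_addrs=(local, remote) are the
    established Phase 1 SA addresses taken from the VPN log, when available."""
    findings = []
    for side in ("local", "remote"):
        id_type, id_val = ep[f"{side}_id"]
        gw = ep[f"{side}_gw"]
        if id_type == "IP_ADDR" and id_val != gw:
            findings.append(f"{side} ID {id_val} differs from configured gateway IP {gw}")
    if sa_addrs:
        for side, sa in zip(("local", "remote"), sa_addrs):
            gw = ep[f"{side}_gw"]
            if sa != gw:
                findings.append(f"{side} gateway IP {gw} differs from Phase 1 SA address {sa}")
    return findings
```

Run `check_endpoint(ep)` on the parsed output of each firewall's report; an empty list means the configured IDs and gateway IPs agree, so any remaining "do not match" conclusion has to come from the SA addresses the log shows.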
Comments
Nothing obvious to me in the 2nd settings which would cause this.
Consider opening a support case to get WG help in resolving this.
And, no idea why the diagnostics would show an IP addr mismatch.