topic Re: VPN IPSec Tunnel with Sophos IKEv2 Issue in General Topics

VPN IPSec Tunnel with Sophos IKEv2 Issue

Mlinko — Mon, 15 Sep 2025 09:09:20 GMT

Dear all,

we have an IPSec Tunnel with a customer that has Sophos GW. If we use Ikev1 the tunnel work without a problem, but if we change to IKEv2 then it doesn't work.

Error on our side:

invalid Syntax

Error on the other side:

invalid SPI

I'd be glad if someone can share their experience with the so called "free Firewall software". No mater which "Software" based Firewall it is, we always have problems with it.

Thank you and kind regards!
Rok

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

Danny — Mon, 15 Sep 2025 10:10:07 GMT

IKEv2 between VPN gateways of different vendors has been an issue for many years.
I've created a VPN compatibility matrix for Check Point to document our community experience of IKEv2 with other vendors.

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Mon, 15 Sep 2025 10:19:45 GMT

I actually had this issue with large hospital using CP to PAN and it turned out they were using wrong peer ID, since for a long time they used IP from general properties of the CP smart console object, but one day when we did debug and worked with TAC, Tier 3 guy told us that it changed, so they had to use link selection setting.

Just something to verify.

Andy

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Mon, 15 Sep 2025 10:20:52 GMT

Nice one @Danny . Btw, does that still apply?

Andy

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Tue, 16 Sep 2025 15:10:22 GMT

Hey @Mlinko

Any luck with this?

Andy

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

Mlinko — Mon, 29 Sep 2025 05:18:05 GMT

Dear Andy and Danny,

Thank you for your help, I'll let you know how it turned out after a debugging session with a client.

KR
Rok

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

Mlinko — Mon, 29 Sep 2025 05:47:44 GMT

The NIS2 directive will hit us any time now, that is why we want to "prepare" and reconfigure the VPN Tunnels with our clients to IKEv2.

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Mon, 29 Sep 2025 09:18:17 GMT

Sounds good!

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Mon, 29 Sep 2025 09:21:05 GMT

I would say its more less the norm these days to use ikev2.

Andy

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Wed, 01 Oct 2025 13:31:51 GMT

Hey mate,

Any luck yet with this?

Andy

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

Mlinko — Mon, 13 Oct 2025 07:58:48 GMT

No luck at all, the only thing that we need to test ist - One vpn tunnel per GW Pair. Then it's debuging time, but the last time we didn't see anything - actually only that the Encryption Domain is not correct... I don't know what kind of settings are possible on the other side...

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Mon, 13 Oct 2025 08:05:02 GMT

What are the settings currently?

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

Mlinko — Tue, 14 Oct 2025 12:18:04 GMT

IKE 1
1440 min

IKE 2

3600s

VPN Tunnel Sharing:
One VPN Tunnel per subnet pair

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Tue, 14 Oct 2025 12:28:40 GMT

I would debug both sides and see what gives.

Andy

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Wed, 15 Oct 2025 04:02:57 GMT

Btw, any relevant logs from Sophis side?

Best,

Andy

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

Mlinko — Wed, 15 Oct 2025 04:54:43 GMT

No, that is the problem! I didn't see any logs from the Sophos side... I don't know how your experience is with the customers/partners but they are usually not willing to give their logs or configurations...

Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

the_rock — Wed, 15 Oct 2025 07:21:02 GMT

Personally, I never have that issue. Any customer I work with is more than willing to send anything needed for troubleshooting. Anyway, that aside, lets see what we can do to try solve this for you.

If there is nothing we can rely on from Sophos side as far as logs, I saw in your description that error showed invalid SPI, which is always 100%, phase 2 issue. Can you double check phase 2 settings? Ensure vpn domains are fine as well.

Best,

Andy