Re: VPN IPSec Tunnel with Sophos IKEv2 Issue

Mlinko · ‎2025-09-15

Dear all,

we have an IPSec Tunnel with a customer that has Sophos GW. If we use Ikev1 the tunnel work without a problem, but if we change to IKEv2 then it doesn't work.

Error on our side:

invalid Syntax

Error on the other side:

invalid SPI

I'd be glad if someone can share their experience with the so called "free Firewall software". No mater which "Software" based Firewall it is, we always have problems with it.

Thank you and kind regards!
Rok

Danny · ‎2025-09-15

IKEv2 between VPN gateways of different vendors has been an issue for many years.
I've created a VPN compatibility matrix for Check Point to document our community experience of IKEv2 with other vendors.

the_rock · ‎2025-09-15

Nice one @Danny . Btw, does that still apply?

Andy

Best,
Andy

the_rock · ‎2025-09-15

I actually had this issue with large hospital using CP to PAN and it turned out they were using wrong peer ID, since for a long time they used IP from general properties of the CP smart console object, but one day when we did debug and worked with TAC, Tier 3 guy told us that it changed, so they had to use link selection setting.

Just something to verify.

Andy

Best,
Andy

the_rock

Hey @Mlinko

Any luck with this?

Andy

Best,
Andy

Mlinko

Dear Andy and Danny,

Thank you for your help, I'll let you know how it turned out after a debugging session with a client.

KR
Rok

Mlinko

The NIS2 directive will hit us any time now, that is why we want to "prepare" and reconfigure the VPN Tunnels with our clients to IKEv2.

the_rock

I would say its more less the norm these days to use ikev2.

Andy

Best,
Andy

the_rock

Hey mate,

Any luck yet with this?

Andy

Best,
Andy

Mlinko

No luck at all, the only thing that we need to test ist - One vpn tunnel per GW Pair. Then it's debuging time, but the last time we didn't see anything - actually only that the Encryption Domain is not correct... I don't know what kind of settings are possible on the other side...

the_rock

What are the settings currently?

Best,
Andy

Mlinko

IKE 1
1440 min

IKE 2

3600s

VPN Tunnel Sharing:
One VPN Tunnel per subnet pair

the_rock

I would debug both sides and see what gives.

Andy

Best,
Andy

the_rock

Btw, any relevant logs from Sophis side?

Best,

Andy

Best,
Andy

Mlinko

No, that is the problem! I didn't see any logs from the Sophos side... I don't know how your experience is with the customers/partners but they are usually not willing to give their logs or configurations...

the_rock

Personally, I never have that issue. Any customer I work with is more than willing to send anything needed for troubleshooting. Anyway, that aside, lets see what we can do to try solve this for you.

If there is nothing we can rely on from Sophos side as far as logs, I saw in your description that error showed invalid SPI, which is always 100%, phase 2 issue. Can you double check phase 2 settings? Ensure vpn domains are fine as well.

Best,

Andy

Best,
Andy

the_rock

Sounds good!

Best,
Andy

Are you a member of CheckMates?

VPN IPSec Tunnel with Sophos IKEv2 Issue