Sophos & OCI IPSec site2site parameters

This post is about connecting our on-premises environment to Oracle Cloud Infrastructure (OCI) through an IPsec site-to-site (s2s) tunnel between our on-premises Sophos firewall (SFOS 19.x) and OCI, using IKEv2.

As always when connecting devices from two different vendors, I tested various parameters and algorithms for the connection (...although nearly all of them use strongSwan underneath...). After some time, phase 1 and phase 2 were established (note that the IPsec identifiers are the corresponding IP addresses if 'IP Address' is selected in OCI).

Sadly, after the initial connection was established, the tunnel always dropped when the IPsec phase 2 rekey timeout was reached.

It took some time to find the correct phase 2 parameters, so I want to share the final parameters that turned out to work stably:

Phase | Parameter                           | OCI            | Sophos
------+-------------------------------------+----------------+-------------
      | Dead Peer Detection                 | Respond only   | Turned off
1     | Custom Encryption Algorithm         | AES_256_CBC    | AES256
1     | Custom Authentication Algorithm     | SHA2_384       | SHA2 384
1     | Custom Diffie-Hellman Group         | GROUP20        | 20 (ecp384)
1     | IKE session key lifetime in seconds | 28800          | 28800
2     | Custom Encryption Algorithm         | AES_256_GCM    | AES256GCM16
2     | Custom Authentication Algorithm     | None           | None
2     | IKE session key lifetime in seconds | 3600           | 3600
2     | Perfect Forward Secrecy             | Enabled GROUP5 | GROUP5
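
As an added example (not part of the original post, and not Sophos' or Oracle's code), the following Python script normalizes both vendors' spellings of the parameters in the table above into one canonical form and reports anything the two sides do not agree on, plus two caveats a practitioner would want to see: an AEAD cipher such as AES-GCM must not be paired with a separate integrity algorithm, and a pair where neither side actively sends DPD probes will only notice a dead peer at rekey time or through failing traffic. The vendor name maps, the "dpd" labels and the constructed mismatched variants in the test are assumptions of the example, not option names taken from either product.

```python
"""Cross-vendor IKEv2 proposal consistency check (constructed example).

Maps the OCI and Sophos (SFOS) display names from the parameter table into
one canonical form and lists findings for phase 1 and phase 2.
"""
from dataclasses import dataclass
from typing import List, Optional

# Vendor display names -> canonical names. Assumed mapping; only the values on
# the page plus a few common neighbours are covered. Extend as needed.
ENCRYPTION_NAMES = {
    "AES_256_CBC": "aes256-cbc", "AES256": "aes256-cbc",
    "AES_128_CBC": "aes128-cbc", "AES128": "aes128-cbc",
    "AES_256_GCM": "aes256-gcm16", "AES256GCM16": "aes256-gcm16",
    "AES_128_GCM": "aes128-gcm16", "AES128GCM16": "aes128-gcm16",
}
INTEGRITY_NAMES = {
    "SHA2_384": "sha384", "SHA2 384": "sha384",
    "SHA2_256": "sha256", "SHA2 256": "sha256",
    "None": None, "NONE": None, "": None,
}
DH_GROUP_NAMES = {
    "GROUP5": 5, "5": 5, "5 (modp1536)": 5,
    "GROUP14": 14, "14": 14, "14 (modp2048)": 14,
    "GROUP19": 19, "19": 19, "19 (ecp256)": 19,
    "GROUP20": 20, "20": 20, "20 (ecp384)": 20,
}
# Combined-mode (AEAD) ciphers carry their own integrity protection.
AEAD_CIPHERS = {"aes128-gcm16", "aes256-gcm16"}
# MODP groups below 2048 bits (modp768 / modp1024 / modp1536).
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass(frozen=True)
class Proposal:
    encryption: str
    integrity: Optional[str]
    dh_group: Optional[int]   # phase 1 group, or PFS group for phase 2
    lifetime_s: int


def normalize(encryption: str, integrity: str, dh_group: Optional[str],
              lifetime_s: int) -> Proposal:
    """Translate one vendor's spelling of a proposal into the canonical form."""
    grp = None if dh_group is None else DH_GROUP_NAMES[dh_group.strip()]
    return Proposal(ENCRYPTION_NAMES[encryption.strip()],
                    INTEGRITY_NAMES[integrity.strip()], grp, int(lifetime_s))


def check_phase(name: str, a: Proposal, b: Proposal) -> List[str]:
    """Findings for one phase; an empty list means both sides agree."""
    findings = []
    for attr in ("encryption", "integrity", "dh_group"):
        va, vb = getattr(a, attr), getattr(b, attr)
        if va != vb:
            findings.append(f"{name}: {attr} mismatch ({va!r} vs {vb!r})")
    if a.lifetime_s != b.lifetime_s:
        # IKEv2 does not negotiate lifetimes: each side runs its own timer,
        # and the side with the shorter one initiates the rekey.
        findings.append(f"{name}: lifetime_s mismatch ({a.lifetime_s} vs "
                        f"{b.lifetime_s}); the shorter timer drives the rekey")
    for side, p in (("A", a), ("B", b)):
        if p.encryption in AEAD_CIPHERS and p.integrity is not None:
            findings.append(f"{name}/{side}: AEAD cipher {p.encryption} must not "
                            "carry a separate integrity algorithm")
        if p.encryption not in AEAD_CIPHERS and p.integrity is None:
            findings.append(f"{name}/{side}: non-AEAD cipher {p.encryption} "
                            "needs an integrity algorithm")
        if p.dh_group in WEAK_DH_GROUPS:
            findings.append(f"{name}/{side}: warning, DH group {p.dh_group} "
                            "is a MODP group below 2048 bits")
    return findings


def check_site(cfg_a: dict, cfg_b: dict) -> List[str]:
    """Compare two sides' configs. 'dpd' uses the constructed labels
    'on' (sends probes), 'respond_only' and 'off'."""
    findings = []
    for phase in ("phase1", "phase2"):
        findings += check_phase(phase, normalize(*cfg_a[phase]),
                                normalize(*cfg_b[phase]))
    if "on" not in (cfg_a["dpd"], cfg_b["dpd"]):
        findings.append("dpd: neither side sends DPD probes, so a dead peer is "
                        "only noticed at rekey time or by failing traffic")
    return findings


def mismatches(findings: List[str]) -> List[str]:
    """Only the findings that would make the two sides fail to agree."""
    return [f for f in findings if "mismatch" in f]


# The values from the table above, in each vendor's own spelling.
PAGE_OCI = {
    "dpd": "respond_only",
    "phase1": ("AES_256_CBC", "SHA2_384", "GROUP20", 28800),
    "phase2": ("AES_256_GCM", "None", "GROUP5", 3600),
}
PAGE_SOPHOS = {
    "dpd": "off",
    "phase1": ("AES256", "SHA2 384", "20 (ecp384)", 28800),
    "phase2": ("AES256GCM16", "None", "GROUP5", 3600),
}

if __name__ == "__main__":
    for line in check_site(PAGE_OCI, PAGE_SOPHOS):
        print(line)
```

Run against the page's table the script reports no mismatches; it does print the group 5 note for phase 2 on both sides and the DPD note, since OCI only responds and Sophos has DPD off. Changing one side's PFS group or phase 2 lifetime in the input produces the corresponding mismatch line, which is the kind of asymmetry that shows up only when the first rekey fires.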

Another great reference can be found here.