A note on connecting our on-premises environment to Oracle Cloud Infrastructure (OCI) with an IPsec site-to-site (S2S) connection using IKEv2, between our on-premises Sophos firewall (SFOS 19.x) and OCI.
As always when connecting two devices from different vendors, I tested various parameters and algorithms for the connection (even though nearly all of them use strongSwan underneath). After some time, the connection was established for Phase 1 and Phase 2 (note that the IPsec identifiers are the corresponding IP addresses if 'IP Address' is selected in OCI).
Sadly, after the initial connection was established, the tunnel always dropped when the IPsec Phase 2 rekey timeout was reached.
It took some time to find the correct Phase 2 parameters, so I wanted to share the final set that turned out to be stable:
| Phase | Parameter | OCI | Sophos |
|---|---|---|---|
| | Dead Peer Detection | Respond only | Turned off |
| 1 | Custom Encryption Algorithm | AES_256_CBC | AES256 |
| | Custom Authentication Algorithm | SHA2_384 | SHA2 384 |
| | Custom Diffie-Hellman Group | GROUP20 | 20 (ecp384) |
| | IKE session key lifetime in seconds | 28800 | 28800 |
| 2 | Custom Encryption Algorithm | AES_256_GCM | AES256GCM16 |
| | Custom Authentication Algorithm | None | None |
| | IKE session key lifetime in seconds | 3600 | 3600 |
| | Perfect Forward Secrecy (PFS) | Enabled GROUP5 | GROUP5 |
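The same proposal set written as a strongSwan `swanctl.conf` peer, added here as a constructed example (not from Sophos, OCI, or the original post) for anyone who wants to reproduce or cross-check the negotiation from a strongSwan host; all addresses, subnets and the shared secret are placeholders.

```conf
# swanctl.conf (strongSwan 5.9+) - constructed example mapping the table above
# to strongSwan proposal strings. Addresses, subnets and the PSK are placeholders.
connections {
    oci {
        version = 2                      # IKEv2, as used with OCI
        local_addrs  = 203.0.113.10      # placeholder: on-prem public IP
        remote_addrs = 198.51.100.20     # placeholder: OCI VPN headend IP
        # IKE identities are the peer IP addresses when 'IP Address' is chosen in OCI
        local {
            auth = psk
            id   = 203.0.113.10
        }
        remote {
            auth = psk
            id   = 198.51.100.20
        }
        # Phase 1: AES-256-CBC, SHA2-384 (integrity + PRF), DH group 20 (ecp384)
        proposals  = aes256-sha384-ecp384
        rekey_time = 28800s              # IKE SA lifetime from the table (soft rekey in strongSwan)
        dpd_delay  = 0s                  # no DPD probes sent (matches "Turned off" on the Sophos side)
        children {
            oci-net {
                local_ts  = 192.168.10.0/24   # placeholder: on-prem subnet
                remote_ts = 10.0.0.0/16       # placeholder: OCI VCN CIDR
                # Phase 2: AES-256-GCM with 16-byte ICV (no separate integrity), PFS group 5 (modp1536)
                esp_proposals = aes256gcm16-modp1536
                rekey_time    = 3600s         # IPsec SA lifetime from the table
                start_action  = start
            }
        }
    }
}
secrets {
    ike-oci {
        id     = 198.51.100.20
        secret = "REPLACE-WITH-SHARED-SECRET"   # placeholder
    }
}
```

Both lifetimes match the table exactly on purpose: the drop at Phase 2 rekey described above is the symptom to watch for if either side's lifetime or PFS group differs from the other.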
Another great reference can be found here.