IPSec v16 to v17 update does not set SHA2 truncation on custom policy. This will mostly affect tunnels between v16 and v17.
Applies to the following Sophos products and versions: Sophos Firewall XG Software v17.0.5 MR5
Customers migrating from v16 to v17 with IPsec tunnels configured with AES256 encryption and SHA2 256 authentication on a custom policy in Phase-1 and Phase-2 will be affected.
The IPsec SA will come up and show as connected.
However, when the customer tries to reach the remote network, there is no response.
The unencrypted packets arrive at the XG and are encrypted correctly, but the other end does not understand the packets, so there is no response from the remote end.
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.14.22-Aum, x86_64):
uptime: 68 minutes, since Nov 20 18:02:23 2017
The workaround is to enable SHA2 with 96-bit truncation on the v17 policy, so that both ends truncate the HMAC-SHA-256 integrity check value to the same length.
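The failure mode above, as an added example that is not part of the original article: a simplified model of the ESP integrity check, where the sender and receiver each truncate HMAC-SHA-256 to their own configured length. It assumes the v16 side truncates to 96 bits and the v17 side to the 128 bits that RFC 4868 specifies; the key and packet bytes are constructed, not captured.

```python
import hmac
import hashlib

# Constructed sample values (not real keys or traffic): a 32-byte integrity key
# and an ESP packet body as the receiver sees it: SPI, sequence number, then
# ciphertext. Only the ICV appended after the body differs between the two ends.
KEY = bytes(range(32))
ESP_BODY = bytes.fromhex("c0000001" "00000001") + bytes(range(48))

# Truncation lengths assumed for each side of the tunnel in this illustration.
V16_TRUNC_BITS = 96    # legacy 96-bit truncation (strongSwan proposal keyword sha256_96)
V17_TRUNC_BITS = 128   # RFC 4868 truncation for HMAC-SHA-256 in IPsec


def esp_icv(key: bytes, authenticated: bytes, trunc_bits: int) -> bytes:
    """HMAC-SHA-256 over SPI + seq + ciphertext, truncated to the configured ICV length."""
    mac = hmac.new(key, authenticated, hashlib.sha256).digest()
    return mac[: trunc_bits // 8]


def build_packet(key: bytes, body: bytes, trunc_bits: int) -> bytes:
    """Sender side: encrypt-then-MAC, appending its own truncated ICV."""
    return body + esp_icv(key, body, trunc_bits)


def verify_packet(key: bytes, packet: bytes, trunc_bits: int) -> bool:
    """Receiver side: it only knows its own ICV length, so it splits the packet there."""
    icv_len = trunc_bits // 8
    body, icv = packet[:-icv_len], packet[-icv_len:]
    return hmac.compare_digest(icv, esp_icv(key, body, trunc_bits))


def interop(sender_bits: int, receiver_bits: int) -> bool:
    """True when the receiver accepts what the sender produced."""
    return verify_packet(KEY, build_packet(KEY, ESP_BODY, sender_bits), receiver_bits)


if __name__ == "__main__":
    # Matching truncation on both ends works; a mismatch fails silently at the
    # receiver, even though the SA is up and the sender encrypted correctly.
    print("v16 -> v16:", interop(V16_TRUNC_BITS, V16_TRUNC_BITS))
    print("v17 -> v17:", interop(V17_TRUNC_BITS, V17_TRUNC_BITS))
    print("v16 -> v17:", interop(V16_TRUNC_BITS, V17_TRUNC_BITS))
    print("v17 -> v16:", interop(V17_TRUNC_BITS, V16_TRUNC_BITS))
```

The two mismatched cases are what the article describes: the receiver drops every data packet because its recomputed ICV never matches, while IKE (which negotiates the SA separately) reports the tunnel as connected.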