Cipher Suite with VPN SSL

Hi,

Quick question: does the Sophos UTM 9.2 support the block cipher AES-GCM when using the SSL VPN client? It is a compliance issue that the client negotiates using AES-GCM over TLS 1.2.

If not, do we know if it is likely to be in a future release?

The admin console supports AES128GCM, but I cannot get the clients to use this using SSL VPN.

Thanks.


This thread was automatically locked due to age.
  • No, AES-GCM is not supported at this time.  To see the supported algorithms, go to Remote Access > SSL > Advanced.  Be aware that if you change this setting, you will need to install a new config file for any clients that have already been deployed. 

    Encryption Algorithm: The encryption algorithm specifies the algorithm used for encrypting the data sent through the VPN tunnel. The following algorithms are supported, which are all in Cipher Block Chaining (CBC) mode:
    DES-EDE3-CBC
    AES-128-CBC (128 bit)
    AES-192-CBC (192 bit)
    AES-256-CBC (256 bit)
    BF-CBC (Blowfish (128 bit)) 

    Authentication Algorithm: The authentication algorithm specifies the algorithm used for checking the integrity of the data sent through the VPN tunnel. Supported algorithms are:
    MD5 (128 bit)
    SHA-1 (160 bit)
    SHA2 256 (256 bit)
    SHA2 384 (384 bit)
    SHA2 512 (512 bit)


    If not, do we know if it is likely to be in a future release. 
      This is a user to user forum, so nobody here is going to know.  You can create a feature request, that Sophos will see, at UTM (Formerly ASG) Feature Requests: Hot (1877 ideas)
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
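The answer above boils down to a configuration audit: which data-channel cipher and HMAC a deployed `.ovpn` profile actually allows, and whether AES-GCM is among them. The following linter is an added example written for this page; it is not code from the thread, from Sophos, or from OpenVPN. It parses an OpenVPN profile, skips inline `<ca>`-style blocks, collects the `cipher`, `ncp-ciphers`/`data-ciphers` and `auth` directives, and reports against a baseline that is an assumption of the example (64-bit block ciphers and MD5/SHA-1 HMAC flagged, AES-GCM required). The sample profiles are constructed, not real UTM exports.

```python
"""Lint an OpenVPN profile for the data-channel cipher/HMAC choices discussed above."""
import re

# Algorithms the answer lists as selectable on the UTM SSL VPN (all CBC), and the GCM modes asked about.
CBC_CIPHERS = {"DES-EDE3-CBC", "AES-128-CBC", "AES-192-CBC", "AES-256-CBC", "BF-CBC"}
AEAD_CIPHERS = {"AES-128-GCM", "AES-192-GCM", "AES-256-GCM"}

# Baseline used by this example (an assumption, not something the UTM enforces).
WEAK_CIPHERS = {"DES-EDE3-CBC", "BF-CBC"}   # 64-bit block size
WEAK_AUTH = {"MD5", "SHA1"}

# OpenVPN's own defaults when the directive is absent: BF-CBC (before 2.5) and SHA1.
DEFAULT_CIPHER, DEFAULT_AUTH = "BF-CBC", "SHA1"


def parse_profile(text):
    """Map each directive to the list of argument lists it appears with.
    Lines inside inline blocks such as <ca>...</ca> are skipped; lines
    starting with '#' or ';' are comments (trailing comments also stripped)."""
    directives, in_block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.match(r"<(\w[\w-]*)>$", line)
        if m:
            in_block = m.group(1)
            continue
        line = re.split(r"\s[#;]", line)[0].strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def candidate_ciphers(directives):
    """Data-channel ciphers the profile can end up using, in preference order.
    OpenVPN 2.4 negotiates from ncp-ciphers (renamed data-ciphers in 2.5);
    the legacy 'cipher' value is the fallback. Last occurrence of a directive wins."""
    ciphers = []
    for key in ("data-ciphers", "ncp-ciphers"):
        if directives.get(key) and directives[key][-1]:
            ciphers.extend(directives[key][-1][0].upper().split(":"))
    if directives.get("cipher") and directives["cipher"][-1]:
        ciphers.append(directives["cipher"][-1][0].upper())
    ordered = []
    for c in ciphers:
        if c not in ordered:
            ordered.append(c)
    return ordered or [DEFAULT_CIPHER]


def lint(text):
    """Return the effective settings plus a list of findings (empty means clean)."""
    d = parse_profile(text)
    ciphers = candidate_ciphers(d)
    auth = DEFAULT_AUTH
    if d.get("auth") and d["auth"][-1]:
        auth = d["auth"][-1][0].upper().replace("-", "")   # normalise e.g. SHA-1 -> SHA1
    tls_min = d.get("tls-version-min", [[]])[-1]
    tls_min = tls_min[0] if tls_min else None
    aead = any(c in AEAD_CIPHERS for c in ciphers)

    findings = []
    if not aead:
        findings.append("no AES-GCM data-channel cipher offered (cipher/ncp-ciphers are CBC only)")
    for c in ciphers:
        if c in WEAK_CIPHERS:
            findings.append(f"weak data-channel cipher allowed: {c}")
    # With an AEAD cipher the data channel is authenticated by the cipher's own tag;
    # 'auth' then only matters for tls-auth/tls-crypt and the control channel.
    if auth in WEAK_AUTH and not aead:
        findings.append(f"weak HMAC for data channel: {auth}")
    if tls_min is None or tls_min < "1.2":
        findings.append("tls-version-min not pinned to 1.2 (control channel only; data cipher is separate)")
    return {"ciphers": ciphers, "auth": auth, "tls_version_min": tls_min,
            "aead_possible": aead, "findings": findings}


# Constructed sample profiles for this example (not real UTM exports).
PROFILE_CBC = """\
client
dev tun
proto udp
remote vpn.example.com 1194
cipher AES-256-CBC   # what the UTM hands out
auth SHA256
tls-version-min 1.2
<ca>
PLACEHOLDER-NOT-A-CERTIFICATE
</ca>
"""

PROFILE_GCM = """\
client
dev tun
remote vpn.example.com 1194
ncp-ciphers AES-256-GCM:AES-128-GCM
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
"""

if __name__ == "__main__":
    for name, profile in (("cbc", PROFILE_CBC), ("gcm", PROFILE_GCM), ("bare", "client\ndev tun\n")):
        print(name, lint(profile))
```

Run it against an exported client profile to see the same picture the admin console shows: a CBC-only `cipher` line with no `ncp-ciphers`/`data-ciphers` means the client cannot negotiate AES-GCM regardless of what the TLS control channel does.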
  • Thanks for the feedback.  As this is an imminent requirement I will have to look at the other options that IPsec offers, although not free.

    Thanks
  • Hi, Tom, and welcome to the User BB!

    I haven't tried it in years, but I know some here have used the Shrew IPsec client successfully.

    Let us know your solution.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bringing an old thread back to life here, but does anyone know if the supported cipher suite has changed in 9.3 for SSL VPN connections? I have no reason yet to go to 9.3 unless the cipher suite has changed for SSL VPN.

    Thanks Craig
  • Cool, thanks Bob, I'll give Shrew a go for IPsec VPN.

    Cheers Craig
  • supported cipher suite has changed in 9.3 for ssl vpn connections
    Same choices as 9.2.
  • Hello, does someone know why AES-<128-256>-GCM is not supported?

    Is it not safe, or what are the reasons? hmmmm ;/

     

    regards

  • Well, my friend from Hamburg...

    Cheers - Bob

  • Hello my friend ;-)

    Thank you, I need it for OpenVPN site-to-site for testing.

    I use a VPN provider (converted the provided *.ovpn to be UTM compatible).

    It all works fine with MASQ over tun (command line) and policy-based routing for specified sites.

    But I would like more performance, and because of that I want to test GCM ;-)

    Setting it to GCM over the REST API is not possible, and if set in the config-default in chroot-openvpn/etc/openvpn/client/ it can't connect because of OpenSSL errors.

    Regards

  • Ah, I didn't read closely enough - SSL VPN, not IPsec!

    I thought that Sophos modified the code a couple of years ago for the SSL VPN so that it would take advantage of AES-NI, but I just did a search and don't see that it was.  I think you can't change the setting because the code for that has not been added.

    Cheers - Bob
