
When (if ever) will UTM support IKEv2?

Hi all,

We use Sophos UTM V9 for a lot of things and have always been very pleased with the quality and supported features.

In the past, we also used Sophos UTM for a site to site IPSEC-VPN tunnel to a virtual network on Microsoft Azure. Not anymore though. We had to resort to another solution and vendor to get a "route based" tunnel working, which requires IKEv2. Sophos UTM still only supports IKEv1.

There are 2 feature requests related to this on the Sophos Ideas site:

The first one has been "under review" since 2009, without any updates after that. Getting support for IKEv2 in Sophos UTM does not seem to be very high on the agenda of Sophos, even though it looks like a much needed feature if you consider the amount of votes the subject has received.

I read in the news post from the 14th of September that IKEv2 support has been added to IPSEC VPN for the new XG Firewall V17, so there is at least some progress it seems.

Does anybody know if IKEv2 is also on the roadmap for Sophos UTM?



  • Here's a roadmap I got from a webinar earlier this year. There should be some kind of VPN changes for version 9.6 (which I have heard got delayed to next year)... I don't know if it means IKEv2 is implemented, but I sure hope so... And OpenVPN 2.4.x would be a nice welcome as well.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Thanks for the image of the roadmap.

    IKEv2 is mentioned specifically for SFOS V17, in addition to VPN improvements later on. But yeah, let's hope that IKEv2 is included in those VPN improvements.

    I really don't want to, but a delay until next year with no certainty of IKEv2 being included is already making me consider other vendors...

  • IKEv2 is now supported on the Sophos XG firewall (not the UTM yet). Have you considered transitioning to the XG firewall?

  • What good is having IKEv2 on XG if nobody/not many want to switch over from UTM?

    If you are asking whether the switch to XG was considered, I'd reply that the switch to another vendor is being considered.

    Full price subscription on UTM means full expectations, unmet expectations means that we are paying too much (right now).

    ---

    Sophos UTM 9.3 Certified Engineer

  • Do not print this roadmap ...  Just to save paper :)

    Seriously, this roadmap has become unrealistic.

    Missing here are NTP server for XG.  And a REAL DHCP server for XG.  You cannot pretend to be a UTM without it.

    As far as all products are concerned, also missing is support for TLS 1.3.

    Paul Jr

  • David, it seems that to run XG, it requires YOUR level of knowledge. Which sorts out the majority of the IT population. The learning curve is very long - months, if not years - and in the end so much is missing.

    Logs are inaccurate and mostly useless.  It is absolutely required to use CLI for that.

    No NTP Time server.

    No real DHCP. If at least we could push web and NTP server addresses and other info to desktops. XG DHCP is ultra basic and pushes only IP addresses to desktops.

    IPv6 implementation is too time consuming.  We have to duplicate everything.  IPv4 and IPv6 on XG is exactly like maintaining TWO firewalls.  Two sets of firewall rules, two sets of everything.  Unworkable.

    TLS 1.3 is not on any roadmap.  TLS 1.2 has existed for more than a decade, but implemented only recently on selected Sophos products, and its implementation requires voodoo skills.

    At the pace development goes, XG will catch up with competitors in around two years.

    There is no rush to get into XG's troubles. Particularly if one owns a stable UTM ... Why IKEv2 was not implemented on UTM 10 years ago is unanswerable.

    By the way I really do appreciate your Youtube videos ... Very interesting.

    Paul JR

  • I was told during my architect training that they are rewriting the core for XG v.18... So hopefully that fixes some of the annoyances we're facing at the moment... I have started to look around for another vendor... Our UTM license expires next summer.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Hello

    I wish I had a better understanding of what "the core" really is ... I understand that XG is a collection of open source software, like strongSwan, and that XG is rather a software interface to those modules, a reporting service for those modules and a GUI for admins and users ...

    To me, "the core" is mostly open source software to which Sophos contributes.  Just theorizing.

    Paul Jr

  • I think you have it right, Paul.

    My impression is that the underlying software is mostly the same in both UTM and XG. I suspect that the Web Filtering engine in the XG is not the one that Astaro created (in V7, I think it was). XG has a newer version of strongSwan and we can only hope that UTM 9.6 brings charon as a replacement for pluto - probably bringing along IKEv2.

    WebAdmin in both the UTM and XG are just GUIs that manipulate databases of objects and settings related to the underlying programs.  In the UTM, the configuration daemon (confd) writes the actual code that does things.  I don't know whether the XG uses confd.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
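
The OP's point that a route-based Azure tunnel needs IKEv2, and Bob's remark above that charon rather than pluto is what brings IKEv2 to a strongSwan-based box, both come down to which IKE version each tunnel definition actually negotiates. The following is an added example, not code from this thread, from Sophos or from the strongSwan project: it parses the classic strongSwan ipsec.conf "conn" syntax and lists the connections that are not pinned to IKEv2, so an administrator can see which tunnels would fail an IKEv2-only requirement before a peer rejects them. The keyexchange semantics it encodes (ikev1, ikev2, and the "ike" default that initiates IKEv2 and accepts either version as responder on strongSwan 5.x) are strongSwan's documented ones; the sample configuration, its connection names and its addresses are constructed for illustration.

```python
"""Audit strongSwan-style ipsec.conf 'conn' sections for the IKE version they use.

Added example; not code from the forum thread, Sophos or strongSwan. It assumes
the classic ipsec.conf syntax: a 'conn <name>' header followed by indented
key=value lines, with 'conn %default' supplying defaults to every conn.
"""
import re

# Constructed sample: one legacy IKEv1 tunnel (inherits from %default), one
# IKEv2 tunnel of the route-based 0.0.0.0/0 kind, and one left at the default.
SAMPLE_CONF = """\
config setup
    charondebug="ike 1"

conn %default
    keyexchange=ikev1
    authby=secret

conn legacy-office
    left=203.0.113.10
    right=198.51.100.20
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16

conn azure-routebased
    keyexchange=ikev2
    left=203.0.113.10
    right=198.51.100.30
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

conn unspecified
    keyexchange=ike
    left=203.0.113.10
    right=198.51.100.40
"""

_SECTION = re.compile(r"^(conn|config|ca)\s+(\S+)\s*$")
_KV = re.compile(r"^\s+([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")


def parse_conns(text):
    """Return {conn_name: {key: value}} with the '%default' entries merged in."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        m = _SECTION.match(line)
        if m:
            kind, name = m.groups()
            # Only 'conn' sections matter here; 'config'/'ca' keys are skipped.
            current = sections.setdefault(name, {}) if kind == "conn" else None
            continue
        m = _KV.match(line)
        if m and current is not None:
            key, value = m.groups()
            current[key] = value.strip('"')
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **kv} for name, kv in sections.items()}


def ike_version(conn):
    """Map strongSwan's keyexchange values onto the IKE version negotiated."""
    kx = conn.get("keyexchange", "ike").lower()
    if kx == "ikev1":
        return "IKEv1"
    if kx == "ikev2":
        return "IKEv2"
    # 'ike' (the default) initiates IKEv2 but accepts either version as a
    # responder, so the outcome depends on what the peer proposes.
    return "IKEv1 or IKEv2 (peer-dependent)"


def find_non_ikev2(text):
    """Names of connections that are not pinned to IKEv2, sorted for stable output."""
    conns = parse_conns(text)
    return sorted(name for name, c in conns.items() if ike_version(c) != "IKEv2")


if __name__ == "__main__":
    for name, c in parse_conns(SAMPLE_CONF).items():
        print(f"{name:20s} {ike_version(c)}")
    print("not pinned to IKEv2:", find_non_ikev2(SAMPLE_CONF))
```

Run against a real ipsec.conf, the report tells you which tunnel definitions would still negotiate IKEv1, which is the check to make before pointing one of them at a peer (such as a route-based Azure gateway) that only accepts IKEv2; the "ike" default is reported separately because it is only as strong as the peer's proposal.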
  • UTM and XG are all-in-one products. As a buyer, you should expect that if a product tries to do everything, it will not be able to do all of it extremely well, but you hope that it will be able to do most of the things well enough, and that you will have enough money left over to work around the weak spots.

    Our recent problems with regression bugs in UTM (and I think XG) should be a reminder that as a product gets more complex, it gets progressively more difficult to debug.  Asking for more features may be self-defeating.

    UTM's greatest value to my organization has been its web filter, WAF, and OTP capabilities, not its ability to be a replacement for a Cisco ASA.   If you need IKEv2 now, spend a little bit of money to put a firewall in front of your UTM.    Doing so will actually simplify your UTM configuration.

    Considering how long it has been since IKEv2 was standardized and requested by Astaro users, and considering the obvious Sophos marketing direction from UTM to XG for new sales, I would not recommend creating a corporate security plan based on having IKEv2 in UTM soon.   Maybe it will happen, maybe not.   Maybe the first release will meet your performance and reliability expectations, maybe not.   

    Don't let your security needs be held captive to Sophos' development priorities.   At the same time, don't assume that you need to find an all-in-one solution from somebody else to replace the all-in-one solution from Sophos that left you disappointed.   To do it all extremely well, you probably need multiple products from multiple vendors.