
When (if ever) will UTM support IKEv2?

Hi all,

We use Sophos UTM V9 for a lot of things and have always been very pleased with the quality and supported features.

In the past, we also used Sophos UTM for a site to site IPSEC-VPN tunnel to a virtual network on Microsoft Azure. Not anymore though. We had to resort to another solution and vendor to get a "route based" tunnel working, which requires IKEv2. Sophos UTM still only supports IKEv1.

There are 2 feature requests related to this on the Sophos Ideas site:

The first one has been "under review" since 2009, without any updates after that. Getting support for IKEv2 in Sophos UTM does not seem to be very high on Sophos' agenda, even though it looks like a much-needed feature if you consider the number of votes the subject has received.

I read in the news post from the 14th of September that IKEv2 support has been added to IPSEC VPN for the new XG Firewall V17, so there is at least some progress it seems.

Does anybody know if IKEv2 is also on the roadmap for Sophos UTM?



This thread was automatically locked due to age.
  • Here's a roadmap I got from a webinar earlier this year. There should be some kind of VPN changes for version 9.6 (which I have heard got delayed to next year)... I don't know if it means IKEv2 is implemented, but I sure hope so. And OpenVPN 2.4.x would be a nice welcome as well.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Do not print this roadmap ... just to save paper :)

    Seriously, this roadmap has become unrealistic.

    Missing here are an NTP server for XG, and a REAL DHCP server for XG. You cannot pretend to be a UTM without them.

    As far as all products are concerned, also missing is support for TLS 1.3.

    Paul Jr

  • UTM and XG are all-in-one products. As a buyer, you should expect that if a product tries to do everything, it will not be able to do all of it extremely well, but you hope that it will be able to do most of the things well enough, and that you will have enough money left over to work around the weak spots.

    Our recent problems with regression bugs in UTM (and I think XG) should be a reminder that as a product gets more complex, it gets progressively more difficult to debug. Asking for more features may be self-defeating.

    UTM's greatest value to my organization has been its web filter, WAF, and OTP capabilities, not its ability to be a replacement for a Cisco ASA. If you need IKEv2 now, spend a little bit of money to put a firewall in front of your UTM. Doing so will actually simplify your UTM configuration.

    Considering how long it has been since IKEv2 was standardized and requested by Astaro users, and considering the obvious Sophos marketing direction from UTM to XG for new sales, I would not recommend creating a corporate security plan based on having IKEv2 in UTM soon. Maybe it will happen, maybe not. Maybe the first release will meet your performance and reliability expectations, maybe not.

    Don't let your security needs be held captive to Sophos' development priorities. At the same time, don't assume that you need to find an all-in-one solution from somebody else to replace the all-in-one solution from Sophos that left you disappointed. To do it all extremely well, you probably need multiple products from multiple vendors.
