Hi XG Community!
We've finished SFOS v17.0.5 MR5. This release is available from within your device for all SFOS v17.0 installations as of now.
Besides that, the release is available to all SFOS versions via the MySophos portal.
Note: There are a few edge cases where some customers may still experience issues using multiple subnets with a single IPSec connection. The team is working on those and all the last known issues should be addressed in MR6 which is expected to follow very soon. Please follow this: Sophos XG Firewall: Cannot handle more than 2 concurrent Quick Mode exchanges per IKE_SA when using IKEv1
You can find the firmware for your appliance in the MySophos portal.
Many fixes, bravo team. Thanks for the hard work!
1) I'm wondering if there are any acknowledged issues with IKEv1 and strongSwan at this point as of v17.0? And whether there are planned fixes? Me and several others are completely dead in the water, forum posts abundant. Had to downgrade to the latest v16 to resolve it.
2) How do we find out more details about NC- issues? For example, I want to know if perhaps this issue affects me or not, and just if there are more details we can see about known issues? NC-26634 [IPsec] Add validation message for PSK connections with remote '*'
Edit: Somehow I missed this, or it was added after I read the article, but maybe you were speaking to my issue when you added this note above:
Note: There are a few edge cases where some customers may still experience issues using multiple subnets with a single IPSec connection. The team is working on those and all the last known issues should be addressed in MR6 which is expected to follow very soon.
When will this be supported by SFM?
Looking forward to IPSEC improvements :-)
NC-26338 [IPsec] VPN failover timeout takes too long
NC-26988 [IPsec] VPN connection can't be established if the PSK is very long
NC-27030 [IPsec] System unresponsive after enabling non-establishing IPsec connections
Haven't fixed anything here. VPN still freezes every so often. Absolutely weird, I log from home into our office's desktops with TeamViewer. Once the VPN freezes - which is never too long before it happens - nothing internally can ping externally (or do whatever else). And yet, I'm at home on a TeamViewer session in my Office network. Hilarious!!! We feel secured :)
Port forwarding is still minimalistic (let's call it absent) and cannot allow transparent proxy. Even if the WEB gateway is Sophos' own.
Mail Gateway still requires Einstein, and an awful amount of luck to make it run. If it ever will.
Not sure why, but the WEB gateway allowed Google Chrome to update this pm. A first since a loooooong time.
As the note mentioned, there are more planned fixes to be included in the MR6 release. The team is actively working on this to address the rest of the known issues.
Please contact support for more information and details regarding specific bug IDs.
Also here, XG210 upgraded to 17.0.5 and the IPsec site-to-site VPN still keeps disconnecting.
The disconnections happen every time when transferring data between offices.
Data speed is 5MB/s.
Have tried different types of IPsec profiles.
Since SFOS 17, with every build I try, the VPN disconnects all the time when I transfer data.
My first tests are very encouraging, the VPN goes up after a PPPoE disconnection or an unexpected disconnection of the peer that I simulate.
But there is one thing that is still not solved: my WAN interfaces are VLANs connected to a switch, so it never physically goes down. In this case, VPNs are never seen as disconnected, so they never go up...
...has this issue been resolved in this MR? community.sophos.com/.../363699
In reply to SGH's comment,
Do you have any VPNs without multiple subnets that are also not stable? apalm123 reported a few edge cases where customers may still experience issues using multiple subnets with a single IPSec connection.
It would be helpful to confirm if you are having this issue with single or multiple local and remote subnets configured.
Hmm...all went well until this evening, have 4 IPSEC VPNS all are showing up and down, also my SFM sends notifications about it :-(
Yeah, VPNs are horribly broken.
I'm still on v16 MR-8 because we are using IKEv1 IPsec VPN with multiple NATed subnets. Too many VPN bugs in v17.0.
Thanks for the update, applied about a day ago to my PC and it appears to be working.