We migrated last week to Sophos XGS3100. Now I am on the last steps - configuring remote access for our users.
I am very surprised that unfortunately no IKEv2 profile can be stored in the Sophos Remote Access feature. I searched the topic in this forum and see that people have been begging for this feature for 3-4 years.
Now I want to ask Sophos: Why aren't they able to implement a standardized protocol within several years?
We pay thousands of euros for a next-generation firewall and then we need to use an IKEv1 protocol which is insecure?!
This is not the only reason why I am very amazed. Also, SNMP monitoring is a joke. We can only monitor interface state, but logical things like monitoring an IPsec phase 1 and phase 2 are not possible? Sorry, but other firewall vendors have had these features for 10 years.
Thank you for contacting the Sophos Community.
IKEv2 is in the backlog to be addressed in v19.5 under NC-14133.
I am still seeing VPN as a dead end for the future. ZTNA will take over in the upcoming years. Maybe it is time to take a look at how to resolve VPN limitations for the future?
OK. But for the moment I think for most companies VPNs are mandatory.
It depends on what you actually are willing to offer to the companies. There are approaches right now to give such companies only access to a certain resource with an HTTPS approach. (Giving a virtual machine and your own resources to secure the environment).
Personally I do not want to give anybody outside my company any kind of VPN to my company - I do not know what they have installed, I do not know if their clients are compromised, etc.
"Most companies" - I highly doubt that every company (especially at certain sizes and security levels) is giving out VPNs. This could be potentially correct for smaller companies because it is technically easy to resolve. Giving out VPN is easy from a technical point of view. But the lack of security perspectives is huge. You are actively giving a person an entry card to your building and likely to most facilities. Who is using this card, when they are using it, etc. is most likely not controlled.
I am sure you're right - but can we focus on the questions from this thread (when will IKEv2 for XG be available)? ;)
It is on the backlog for a future release.
IKEv2 support for IPsec remote access is part of our prioritised backlog, but we are unable to make it in any upcoming release. As mentioned earlier above, NC-14133 was planned for v19.5, but due to other priority work we are unable to accommodate it.
We will keep you posted once it's planned for any upcoming release.