Version 19.0.0GA Breaking IPSEC VPN's

Hello Jeremy,

Thank you for contacting the Sophos Community.

Just to confirm you’re the same user from Reddit that mentioned about Case ID 05337528?

Regards,

Yes

Hello Jeremy,

Thank for the confirmation. 

As the engineer mentioned in their last email, try disabling the IPsec acceleration from the console (5>4)of the Sophos Firewall.

console> system ipsec-acceleration show

console> system ipsec-acceleration disable

Let us know by updating the ticket or this thread if this "fixed" the issue (if you are willing to move back to v19).

For anyone following: The disable the IPsec acceleration should be only considered a work around, and a ticket should be open with Support to troubleshoot.
Regards,

We will try and test on a spare machine.  But this seems like a "bandaid" if it does work.  What is the fix moving forwared?  Is this going to be addressed in the next release?

Hello Jeremy,

Sorry I forgot to type it in here, but yes this isn’t a solution only a workaround.

Regards,

Hello Jeremy,

Sorry I forgot to type it in here, but yes this isn’t a solution only a workaround.

Regards,

Ok So we have some more information.   Both of the Box's that we updated to version 19 that had VPN issues were XGS's (116 and 126).  We had also updated some XG's but those clients did not utilize VPN.  We set up a VPN config on the XG's that were on Version 19 but did not have VPN configs already.  Ran Speed tests and the speed was just fine (no work around).     We had one other XGS that we had also Updated to 19 but also did not have any VPN configs on, so we never rolled it back.  We tested on this box by setting up a IPSEC VPN config and connecting, the Connection was VERY SLOW.  So we applied the "band aid fix" and speeds returned to normal!  

So as far as I can tell this issue ONLY effects XGS's  NOT XG     Hope this helps but would like clarification before continuing to roll out even on the XG's that we had not yet updated.

Thanks

Im just a general punter, this seems to confirm what you have stated.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/VPN/IPsecPolicies/index.html#encryption-authentication-shared-secret-and-key-life

"Currently, hardware acceleration for IPsec VPN is only available on some XG Series devices. It accelerates and compresses cryptographic workloads and is available for IPsec VPN connections on XG 125 Rev.3, XG 135 Rev.3, and XG 750 appliance models.

It's turned on by default. To turn it off, go to the command-line console."

Sophos, why on earth would you enable a setting by default which only works on a few old devices!

That is not correct. 

XG125,135,750 have a special chip to do Hardware Acceleration. But XGS has the NPU, which is a own processor unit. In the end it does not matter how you activate the option. But people here report issues on XGS hardware as well. This means, the problem exists even on hardware which has a NPU. 

The Online Help is from V18.5. V19.0 included the new encryption support of the NPU. 

Hi Emmanuel,

we are facing the same issue, and need to know when it will be fixed?

Do you have already a Bug-ID for this problem or at least further information about?

Thank you!

Markus