
SSL VPN - Encryption Algorithm not using specified setting

We've been working on improving the Sophos SSL VPN performance for a client (seemingly getting half the throughput of their previous SonicWall appliance).
We eventually narrowed down that our SSL VPN settings for encryption don't seem to be applied correctly.

Specifically - We want to use AES-128-GCM for our client SSL VPN.

We can change on the appliance GUI and then see that this is referenced in the config file that the users need to import into either Sophos Connect or OpenVPN.

The config file shows a line as follows:
cipher AES-128-GCM

However, the connection log files for the connection show that this is not being used and that the client still uses AES-256-GCM instead of the expected AES-128-GCM.

This appears to be due to a "push" from the firewall that uses the incorrect settings for some reason :(

Below is an extract from the OpenVPN log.

2023-03-16 08:19:11 PUSH: Received control message: '<removed for privacy>,cipher AES-256-GCM'
2023-03-16 08:19:11 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-03-16 08:19:11 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2023-03-16 08:19:11 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key

We're on the latest Sophos XGS firmware, and using either Sophos Connect or the latest OpenVPN client doesn't make any difference.

We can only presume that this is a bug, as it is easy to replicate on any device?

As a workaround we've manually added a line into the config (Line is: data-ciphers AES-128-GCM) to override the ciphers that are available to the client.
This seems to then allow us to get the encryption type (and subsequent performance) that we want.

Is this a known problem/bug?
And if so... how do we get this fixed?
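To make the mismatch described above easy to spot across many client profiles and connection logs, here is a small checker. It is an added example and not code from the original post or from Sophos; the sample profile and log lines are constructed to mirror the post (the 'PUSH_REPLY' prefix stands in for the part the poster removed), and the regexes assume the log wording shown in the post. It reads the 'cipher' and 'data-ciphers' lines from the profile, reads the pushed and negotiated cipher from the log, reports any disagreement, and can append the 'data-ciphers' workaround line to a profile that lacks one.

```python
import re

# Constructed sample client profile, matching what the GUI exports per the post.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
cipher AES-128-GCM
"""

# Constructed sample log lines mirroring the post; 'PUSH_REPLY' replaces the redacted part.
SAMPLE_LOG = """\
2023-03-16 08:19:11 PUSH: Received control message: 'PUSH_REPLY,cipher AES-256-GCM'
2023-03-16 08:19:11 Data Channel: using negotiated cipher 'AES-256-GCM'
2023-03-16 08:19:11 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

PUSH_RE = re.compile(r"PUSH: Received control message: '(.*)'")
NEGOTIATED_RE = re.compile(r"Data Channel: using negotiated cipher '([^']+)'")


def parse_config_ciphers(text):
    """Return (cipher, data_ciphers) from an OpenVPN client profile.

    'data-ciphers' is a colon-separated list in OpenVPN syntax; None if absent.
    """
    cipher = None
    data_ciphers = None
    for line in text.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "cipher" and len(parts) > 1:
            cipher = parts[1]
        elif parts[0] == "data-ciphers" and len(parts) > 1:
            data_ciphers = parts[1].split(":")
    return cipher, data_ciphers


def parse_log(text):
    """Return (pushed_cipher, negotiated_cipher) found in an OpenVPN client log."""
    pushed = None
    negotiated = None
    for line in text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            # The push payload is a comma-separated option list; pick the 'cipher' option.
            for opt in m.group(1).split(","):
                opt = opt.strip()
                if opt.startswith("cipher "):
                    pushed = opt.split(None, 1)[1]
        m = NEGOTIATED_RE.search(line)
        if m:
            negotiated = m.group(1)
    return pushed, negotiated


def check(config_text, log_text):
    """Compare what the profile asks for with what the server pushed and the client used."""
    cipher, data_ciphers = parse_config_ciphers(config_text)
    pushed, negotiated = parse_log(log_text)
    # Without 'data-ciphers', the only locally stated preference is the 'cipher' line.
    allowed = data_ciphers if data_ciphers else ([cipher] if cipher else [])
    findings = []
    if pushed and cipher and pushed != cipher:
        findings.append(f"server pushed {pushed} but profile 'cipher' line says {cipher}")
    if negotiated and allowed and negotiated not in allowed:
        findings.append(f"negotiated {negotiated} is outside the allowed set {allowed}")
    if not data_ciphers:
        findings.append("no 'data-ciphers' line: the pushed cipher overrides 'cipher' (as seen in the post)")
    return {
        "cipher": cipher,
        "data_ciphers": data_ciphers,
        "pushed": pushed,
        "negotiated": negotiated,
        "findings": findings,
    }


def apply_workaround(config_text, wanted):
    """Return the profile with a 'data-ciphers <wanted>' line (replacing any existing one)."""
    kept = [l for l in config_text.splitlines() if not l.strip().startswith("data-ciphers")]
    kept.append(f"data-ciphers {wanted}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG, SAMPLE_LOG)["findings"]:
        print("FINDING:", finding)
    print(apply_workaround(SAMPLE_CONFIG, "AES-128-GCM"))
```

Run it against a real exported profile and the client's log to confirm which cipher was actually negotiated rather than trusting the 'cipher' line alone; after adding the workaround line, re-run so the 'data-ciphers' set is what the negotiated cipher is checked against.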


