Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall: v20.0 GA: Feedback and experiences

Release Post:  Sophos Firewall v20 is Now Available  

The EAP Post:  Sophos Firewall: v20.0 EAP1: Feedback and experiences  

The old V19.5 MR3 Post:  Sophos Firewall: v19.5 MR3: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 



This thread was automatically locked due to age.
Parents
  • IPsec VPN - Unique preshared keys: nice that there is now at least a solution for IKEv2, but what about IKEv1?

    We have many customers who do not have a static IP at branch offices and devices that do not support IKEv2 - so we still can't sell them an XGS firewall..

    All of this wasn't a problem with Sophos SG/UTM!

Reply
  • IPsec VPN - Unique preshared keys: nice that there is now at least a solution for IKEv2, but what about IKEv1?

    We have many customers who do not have a static IP at branch offices and devices that do not support IKEv2 - so we still can't sell them an XGS firewall..

    All of this wasn't a problem with Sophos SG/UTM!

Children
  • This approach (using IKEv2 to do this) is as far as i know, the only technically method to do this kind of PSK sharing without loosing an sense of security. 

    What kind of peers are we talking here? If there are UTMs, you could use RED instead, if you want to do a more modern approach (as RED is the same approach like a Route based XFRM approach). 

    UTM had the "probing feature", which was not an feature by strongswan or anything. Instead it was self build and is pretty old. It comes with it downsides and therefore never implemented into SFOS. 

    By the way: You could use certificates instead of Keys, as they bring there own authentication and are unique in this terms. They bring more security in this matter and are, by using selfsigned certs, also pretty quick to implement. 

    __________________________________________________________________________________________________________________

  • If the counterpart is a UTM, we already use certificates.
    The problem is rather the colorful collection of devices like draytek/fritzbox and other devices from german ISPs like digibox/speedport - many of them support IKEv2 but unfortunately not all of them..

  • Thanks for the feedback. Likely not on the near horizon to implemented it for IKEv1, due the lack of implementation method see above. 

    I would always recommend to look into the device, which does not Support IKEv2 and it might be an approach to modernize them anyway. 

    __________________________________________________________________________________________________________________