Sophos Firewall: v20.0 GA: Feedback and experiences

Release Post:  Sophos Firewall v20 is Now Available  

The EAP Post:  Sophos Firewall: v20.0 EAP1: Feedback and experiences  

The old V19.5 MR3 Post:  Sophos Firewall: v19.5 MR3: Feedback and experiences  

To make the tracking of issues / feedback easier: Please post a potential Sophos Support Case ID within your initial post, so we can track your feedback/issue. 

Release Notes:  https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_200_rn.html 



Pinning.
[bearbeitet von: LuCar Toni um 3:49 PM (GMT -8) am 5 Feb 2024]
Parents
  • IPsec VPN - Unique preshared keys: nice that there is now at least a solution for IKEv2, but what about IKEv1?

    We have many customers who do not have a static IP at branch offices and devices that do not support IKEv2 - so we still can't sell them an XGS firewall..

    All of this wasn't a problem with Sophos SG/UTM!

  • This approach (using IKEv2 to do this) is as far as i know, the only technically method to do this kind of PSK sharing without loosing an sense of security. 

    What kind of peers are we talking here? If there are UTMs, you could use RED instead, if you want to do a more modern approach (as RED is the same approach like a Route based XFRM approach). 

    UTM had the "probing feature", which was not an feature by strongswan or anything. Instead it was self build and is pretty old. It comes with it downsides and therefore never implemented into SFOS. 

    By the way: You could use certificates instead of Keys, as they bring there own authentication and are unique in this terms. They bring more security in this matter and are, by using selfsigned certs, also pretty quick to implement. 

    __________________________________________________________________________________________________________________

  • If the counterpart is a UTM, we already use certificates.
    The problem is rather the colorful collection of devices like draytek/fritzbox and other devices from german ISPs like digibox/speedport - many of them support IKEv2 but unfortunately not all of them..

  • Thanks for the feedback. Likely not on the near horizon to implemented it for IKEv1, due the lack of implementation method see above. 

    I would always recommend to look into the device, which does not Support IKEv2 and it might be an approach to modernize them anyway. 

    __________________________________________________________________________________________________________________

Reply
  • Thanks for the feedback. Likely not on the near horizon to implemented it for IKEv1, due the lack of implementation method see above. 

    I would always recommend to look into the device, which does not Support IKEv2 and it might be an approach to modernize them anyway. 

    __________________________________________________________________________________________________________________

Children
No Data