Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Sophos Firewall

Discussions IPSec MOBIKE IKEv2 extension disabling

Sophos Firewall requires membership for participation - click to join

Thread Info

State Suggested Answer
Locked Locked
Replies 5 replies
Answers 1 answer
Subscribers 40 subscribers
Views 1654 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec MOBIKE IKEv2 extension disabling

Jaroslav Faldik 4 months ago

How can I disable MOBIKE IKEv2 extension support in IPSec?

This thread was automatically locked due to age.

Top Replies

Srisakthi S 4 months ago in reply to Jaroslav Faldik +1 suggested

Hi Jaroslav Faldik MOBIKE support is already disabled in SFOS. Refer /_conf/ipsec/ipsec.conf. This means SFOS doesn't notify MOBIKE support during IKE negotiations. But accepts IKE requests with MOBIKE…

Parents

0 rfcat_vk 4 months ago

Hi,

Which version of XG firmware are you using?

Which IPsec profile is showing the extension?

Ian

XG115W - v20.0.2 MR-2 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Jaroslav Faldik 4 months ago in reply to rfcat_vk

Hi,

I'm using the latest version SFOS 20.0.1 MR-1-Build342.

This extension does not show up in any IPSec profile, but I have reason to suspect that it is enabled by default in StrongSwan, because after connecting a new 5G/LTE modem with this extension enabled, after some time my IPSec connection with about 15 devices broke down and I had a lot of these entries in the log:

"(unnamed) - Couldn't authenticate the remote gateway. Check the authentication settings on both devices. (Remote: xxx.xxx.xxx)",

where "xxx.xxx.xxx" was just the WAN address of the new 5G/LTE modem. I suspect just the MOBIKE IKEv2.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Jaroslav Faldik 4 months ago in reply to rfcat_vk

Hi,

I'm using the latest version SFOS 20.0.1 MR-1-Build342.

This extension does not show up in any IPSec profile, but I have reason to suspect that it is enabled by default in StrongSwan, because after connecting a new 5G/LTE modem with this extension enabled, after some time my IPSec connection with about 15 devices broke down and I had a lot of these entries in the log:

"(unnamed) - Couldn't authenticate the remote gateway. Check the authentication settings on both devices. (Remote: xxx.xxx.xxx)",

where "xxx.xxx.xxx" was just the WAN address of the new 5G/LTE modem. I suspect just the MOBIKE IKEv2.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Mayur Makvana 4 months ago in reply to Jaroslav Faldik

Hello,

Please refer to the below KBA and it may help fix.

Sophos Firewall: Troubleshooting site to site IPsec VPN issues

https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SiteToSiteVPN/Troubleshooting/S2sVPNIPsecTroubleshootCommonErrors/index.html

Mayur Makvana
Technical Account Manager | Global Customer Experience
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 Srisakthi S 4 months ago in reply to Jaroslav Faldik

Hi Jaroslav Faldik

MOBIKE support is already disabled in SFOS. Refer /_conf/ipsec/ipsec.conf. This means SFOS doesn't notify MOBIKE support during IKE negotiations. But accepts IKE requests with MOBIKE capability from other side.
Cancel
Vote Up +1 Vote Down

Cancel
0 Jaroslav Faldik 4 months ago in reply to Srisakthi S

Hi

Thank you for your reply. Is there any way to disable the IKE query response with MOBIKE so that it doesn't affect the behavior of strongSwan in Sophos?
Cancel
Vote Up 0 Vote Down

Cancel