IKEv2 for Remote Access

Hi,

 

We would like to use IKEv2 for remote access. Unfortunately I can't choose an IKEv2 policy if remote access was chosen before.

Since IKEv2 has native support in Windows, macOS and iOS it should be available for remote access in SFOS as well. 

 

Is this correct or a bug? 

  • Hi Andreas, we currently support IKEv2 for site-to-site connections only, so this is not a bug.

  • Thanks. Where can I post a feature request? IKEv2 for remote access shouldn't be a big deal and is something we would appreciate. 

  • Hi Andreas, 

    This is already in our plans, but it is actually a pretty big deal to add. There are some non-obvious costs to this. Since XAUTH isn't supported, the options to authenticate users are more restrictive. For example, the Windows native VPN client offers a very limited choice of authentication options, and makes for a very rigid set of requirements. That either puts too much work on the admin to set up everything just right, or a large amount of work on us, to simplify it. We're working on it, but I can't give you a timeline yet.

  • I think that IKEv2 Remote Access was one of the most expected features in SFOS 17.

    Mostly because of Apple iOS limitations, where in supervised mode, only IKEv2 VPN can be configured as Always-On, which is important if you want to restrict access from enterprise mobile devices. Certainly, you can use Cisco VPN mode to easily set up iOS remote access, but this mode can always be disabled by the user, who can then bypass access restrictions on the mobile device.

    For now it seems that neither UTM9 nor XG, even with SFOS 17, is capable of handling IKEv2 Remote Access...

    Re "That either puts too much work on the admin to setup everything just right or a large amount of work on us, to simplify it." :) While everyone appreciates things that are easy to set up, I think it is better to implement something which is missing (in this case IKEv2 Remote Access) and let admins configure it properly at their end, rather than not having the feature at all and trying to simplify admins' work by anticipating all possible options, configurations and scenarios.

    This is an enterprise level product, not a home router, so we can expect some level of technical knowledge from the admins, isn't it? :)

  • Hey Adam, 

    AdamMickiewicz said:
    I think that IKEv2 Remote Access was one of the most expected features in SFOS 17.

    By a very wide margin, the demand for IKEv2 was driven by site-to-site tunnel usage, rather than remote access.   

    AdamMickiewicz said:
    This is an enterprise level product, not a home router, so we can expect some level of technical knowledge from the admins, isn't it? :)

    With every feature we add, we have to ask what it means to make security usable. There are costs to just making a feature possible, and a different set of costs to making it generally usable. Either we pay that cost up front in engineering, or we pay it a thousand times over after release, in support. I can't knowingly design and release a feature that I know will make our support worse. Unfortunately, we've done it before in ignorance, and our customers, depending on our support, have suffered.