
UTM - OpenVPN Client - AES-GCM

So far, SSL VPN under the UTM has worked without any problems with the OpenVPN client.
In the meantime, OpenVPN 2.6RC1 has been released, which requires AES-GCM ciphers. Only with a change in the config file can the OpenVPN client still connect.
e.g.
---
data-ciphers AES-128-CBC
data-ciphers-fallback AES-128-CBC
---

It is a pity that the ciphers are not unlocked under SSL VPN.
Under IPSec they are available. So it is probably a purely strategic decision by Sophos not to enable them under SSL VPN.
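As an added example (not part of the original post): a small POSIX shell script that rewrites a legacy profile, such as the one UTM exports, so that an OpenVPN 2.6 client accepts it. The embedded sample profile is constructed for illustration and the hostname is a placeholder; the script keeps the existing `cipher` line for older clients and adds `data-ciphers` and `data-ciphers-fallback` derived from it, and refuses profiles that have no `cipher` line at all so the server setting can be checked first.

```shell
#!/bin/sh
# migrate_profile: adapt a legacy OpenVPN profile (single "cipher" directive,
# no NCP) for OpenVPN 2.6 clients, which only negotiate AES-GCM/ChaCha20 by
# default and need a CBC cipher listed explicitly to talk to such a server.
set -eu

# Constructed sample resembling a UTM SSL VPN export (assumption; placeholder host).
SAMPLE_PROFILE='client
dev tun
proto udp
remote vpn.example.com 1194
cipher AES-128-CBC
auth SHA256
'

# Reads a profile on stdin, writes the adapted profile on stdout.
migrate_profile() {
  awk '
    { sub(/\r$/, "") }                       # tolerate CRLF from Windows exports
    /^[ \t]*data-ciphers/ { next }           # drop stale negotiation lines, regenerated below
    /^[ \t]*cipher[ \t]+/ && !seen {
      legacy = $2
      print "cipher " legacy                 # still honoured (deprecated) by 2.6, needed by < 2.4
      print "data-ciphers " legacy           # make the CBC cipher acceptable for negotiation
      print "data-ciphers-fallback " legacy  # used when the server does not negotiate (no NCP)
      seen = 1
      next
    }
    { print }
    END {
      if (!seen) {
        print "migrate_profile: no \"cipher\" line found; check the server settings" > "/dev/stderr"
        exit 1
      }
    }
  '
}

# Demo on the constructed sample. For a real profile:
#   migrate_profile < client.ovpn > client-2.6.ovpn
printf '%s' "$SAMPLE_PROFILE" | migrate_profile
```

This only restores connectivity: the data channel is still AES-128-CBC with an HMAC, and as long as the server side does not offer AES-GCM there is nothing the client can do to negotiate it.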

  • Hello and welcome to the UTM Community!

    The following results in a "cipher AES-128-CBC" line in the SSL VPN config:
    Are you saying that "data-ciphers" is required in the SSL VPN client now instead of just "cipher"?

    Cheers - Bob
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I think it was a roundabout way to poke the bear as to why there is no AES-GCM cipher in their software and when it was ever going to be implemented in UTM, lol.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Getting GCM to work in SSL VPN would mean upgrading the OpenVPN version, which means upgrading and testing all sub-components of this module. It is not a pure apt-get upgrade; it is more likely a huge effort to do this.

    SFOS already supports these ciphers and other further upgrades. So maybe an upgrade to SFOS would resolve your need, especially if you are a home user.


  • I am not a home user.
    We have OpenVPN in use on many clients.
    Instead of migrating to SFOS, I'm more likely to switch to another enterprise product. 
    The excuse of a huge effort does not apply in security products.
    It has been known since at least 2019 that CBC ciphers are considered vulnerable.


  • I think it is very poor that Sophos does not offer GCM on OpenVPN but does on IPsec. GCM is used almost everywhere instead of CBC. We have VPN routers of the same age as or even older than the Sophos UTM which offer GCM and CTR. They are supposed to be faster and safer than CBC. We are thinking about changing our OpenSSL system.