Hardware, Installation, Up2Date, Licensing Since 9.409-8 and 9 IPSEC/Cisco VPN not working

UTM Firewall requires membership for participation - click to join

Thread Info

State Verified Answer
+1 person also asked this people also asked this
Locked Locked
Replies 5 replies
Answers 1 answer
Subscribers 6 subscribers
Views 6216 views
Users 0 members are here

Options

Suggested

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Since 9.409-8 and 9 IPSEC/Cisco VPN not working

Flip17 over 7 years ago

As other users reported in this thread https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/84536/sophos-utm-9-409-8-and-9-409-9-released/316148#pi2132219853=2

we are having the same issue using iOS based devices. The appear to connect via VPN normally but cannot access any allowed network resources.

No other changes were made other than applying the updates. They were applied back to back.

Has anyone come up with a fix?

Thanks,

Fred

This thread was automatically locked due to age.

Parents

0 HolgerLehn over 7 years ago

Hi,

there are two different ways the SHA2 hashes are truncated for L2TP / IPSec RemoteAccess VPN by various manufacturers. One way is the official RFC defined way to handle SHA2 and the other one is the GOOGLE way. In the GOOGLE way a truncation after 96 bits is happening.

If you have connections problems with a mobile device, Check the knowledge base article https://community.sophos.com/kb/en-us/125796 to get further information. Other customers have been able to solve their problem by adapting the policy ("SHA2 256" or "SHA 256 96bit" or by using the command line option.

We are working on a solution to support both ways at the same.

Greetings

Holger
Cancel
Vote Up 0 Vote Down

Cancel
+1 HolgerLehn over 7 years ago in reply to HolgerLehn

Hi,

just found out that the knowledge base article is not complete - I will organize an update of the KBA.

Please try the following commandline and report if this solves your problem.

cc change_object REF_IPsecPolicyCisco ipsec_auth_alg sha2_256_96

Thank you in advance

Regards,
Holger
Cancel
Vote Up 0 Vote Down

Cancel

Reply

+1 HolgerLehn over 7 years ago in reply to HolgerLehn

Hi,

just found out that the knowledge base article is not complete - I will organize an update of the KBA.

Please try the following commandline and report if this solves your problem.

cc change_object REF_IPsecPolicyCisco ipsec_auth_alg sha2_256_96

Thank you in advance

Regards,
Holger
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Juan Gaviria over 7 years ago in reply to HolgerLehn

Hello Holger,

The command fixed the problem for us.

Thank you
Juan Gaviria
Cancel
Vote Up 0 Vote Down

Cancel
0 twister5800 over 7 years ago in reply to HolgerLehn

Also helped here, thanks for that Holger :-)

-----

Best regards
Martin

Sophos XGS 2100 @ Home | Sophos v20 Architect
Cancel
Vote Up 0 Vote Down

Cancel
0 HolgerLehn over 7 years ago in reply to twister5800

Welcome,

a fix of the problem will be delivered with UTM 9.410. But I am glad to hear that this tweak solved your problem already.

Greetings

Holger
Cancel
Vote Up 0 Vote Down

Cancel