Since 9.409-8 and 9 IPSEC/Cisco VPN not working

As other users reported in this thread https://community.sophos.com/products/unified-threat-management/f/hardware-installation-up2date-licensing/84536/sophos-utm-9-409-8-and-9-409-9-released/316148#pi2132219853=2

we are having the same issue using iOS based devices. They appear to connect via VPN normally but cannot access any allowed network resources.

No other changes were made other than applying the updates. They were applied back to back.

Has anyone come up with a fix?

Thanks,

Fred



  • Hi,

    there are two different ways the SHA2 hashes are truncated for L2TP / IPSec RemoteAccess VPN by various manufacturers. One way is the official RFC defined way to handle SHA2 and the other one is the GOOGLE way. In the GOOGLE way a truncation after 96 bits is happening.

    If you have connection problems with a mobile device, check the knowledge base article https://community.sophos.com/kb/en-us/125796 to get further information. Other customers have been able to solve their problem by adapting the policy ("SHA2 256" or "SHA 256 96bit") or by using the command line option.

    We are working on a solution to support both ways at the same time.

    Greetings

    Holger

  • Hi,

    just found out that the knowledge base article is not complete - I will organize an update of the KBA.

    Please try the following command line and report if this solves your problem.

            cc change_object REF_IPsecPolicyCisco ipsec_auth_alg sha2_256_96

    Thank you in advance

    Regards,
    Holger
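
The truncation mismatch described in the replies above, as an added example that is not part of the original thread and is not Sophos code. It assumes the RFC variant is the 128-bit truncation of RFC 4868, uses a simplified unencrypted ESP layout, and a constructed key and packet; it shows that each side accepts only packets whose ICV length matches its own setting, which fits a tunnel that connects but passes no traffic.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the thread): an integrity key and a
# simplified ESP body = SPI | sequence number | opaque payload bytes.
KEY = bytes(range(32))
BODY = struct.pack("!II", 0x1000, 1) + b"constructed ciphertext bytes"

RFC_BITS = 128  # assumption: RFC 4868 HMAC-SHA-256-128 truncation
ALT_BITS = 96   # the 96-bit truncation the thread sets with sha2_256_96


def esp_icv(key: bytes, body: bytes, bits: int) -> bytes:
    """Full HMAC-SHA-256 over the ESP body, cut to `bits` bits."""
    return hmac.new(key, body, hashlib.sha256).digest()[: bits // 8]


def send(key: bytes, body: bytes, bits: int) -> bytes:
    """Sender appends an ICV of its configured length."""
    return body + esp_icv(key, body, bits)


def receive(key: bytes, wire: bytes, bits: int):
    """Receiver strips an ICV of ITS configured length, then verifies.

    Returns the body on success, None when the packet must be dropped.
    """
    n = bits // 8
    if len(wire) <= n:
        return None
    body, icv = wire[:-n], wire[-n:]
    ok = hmac.compare_digest(esp_icv(key, body, bits), icv)
    return body if ok else None


def interop_matrix() -> dict:
    """(sender_bits, receiver_bits) -> True if the packet is accepted."""
    return {(s, r): receive(KEY, send(KEY, BODY, s), r) == BODY
            for s in (ALT_BITS, RFC_BITS) for r in (ALT_BITS, RFC_BITS)}


if __name__ == "__main__":
    for (s, r), ok in interop_matrix().items():
        print(f"sender {s:>3}-bit ICV -> receiver {r:>3}-bit: "
              f"{'accepted' if ok else 'dropped'}")
```

Both ICVs come from the same hash and share their first 12 bytes; the receiver still drops the packet because it splits body and ICV at the wrong offset.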
