L2TP/IPsec - Best practice policies for late 2020!?

Dear all,

Due to the recent update of the IPsec ciphers in macOS (11.1.x), and based on my research also on iOS and Android, it looks like the glory days of unifying Windows, Android and macOS clients with the built-in L2TP over IPsec are over.

I only have macOS and Windows 10 users; however, I am not sure if Windows is able to deal with the required changes to the IPsec policies which macOS 11.1.x requires?

Refs:

https://www.reddit.com/r/MacOSBeta/comments/ih22h9/vpn_l2tp_over_ipsec_stopped_working_after/

https://support.sophos.com/support/s/article/KB-000036559?language=en_US

https://community.sophos.com/utm-firewall/f/management-networking-logging-and-reporting/123406/unable-to-connect-through-l2tp-ipsec-via-macos-and-ios/449865#449865

https://community.sophos.com/utm-firewall/f/german-forum/123860/l2tp-ipsec-konfiguration-ios

Furthermore, I double-checked the default policies, which are really not 2020 (3DES, SHA1, etc.), and because it is a very bad time to start trial and error on remote settings (you know, corona) I would like to know if there is a Sophos best-practice doc for this?

Thanks and stay safe!

  • Hello m f2,

    Thank you for contacting the Sophos Community!

    For L2TP over IPsec you can use:

    Encryption = AES 128
    Authentication = SHA2 256
    DH = Group 14

    Same for Phase 2:

    Encryption = AES 128
    Authentication = SHA2 256 (96 bit)

    These are actually the default policy.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel and thanks for your quick reply!

    Thanks for the default settings; mine are pretty old because I have been using this config since Astaro... Unfortunately these settings won't work on macOS 11.1 and iOS 14, but I changed the last setting to SHA2 256 and not (96 bit), and it seems to work even on Windows 10 clients...

    Is there any known reason why my settings aren't a good idea?

  • Hallo,

    At present, the only solution I know of is to use either the Sophos Connect client with IPsec or SSL VPN Remote Access with either the Macs or the Windows devices, depending on which is easier in your situation.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    As I mentioned, I tested the following settings on Win10, macOS 10.x.x and macOS 11.x.x as well as on iOS 14, and they seem to work; no need to change the strategy!?

    Encryption = AES 128
    Authentication = SHA2 256
    DH = Group 14

    Same for Phase 2:

    Encryption = AES 128
    Authentication = SHA2 256!

    Best & greets

  • Ahhhh - prima! I hadn't understood that from your earlier post. This is the first time I've seen a solution here.

    Emmanuel recommended "Authentication SHA2 256 (96 bit)" in Phase 2. Is that the same setting you have?

    Cheers - bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • "SHA2 256 (96 bit)" does not work, but if you change it to "SHA2 256" it works on the OSes I mentioned above...
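The thread never shows how the Windows side is pinned to the proposal Emmanuel listed and the OP corrected (AES-128 / SHA-256 / DH group 14 in Phase 1, AES-128 / SHA-256 without the 96-bit truncation in Phase 2). The following is an added example, not code from the thread or from Sophos, for the Windows 10 built-in L2TP/IPsec client. It assumes an existing L2TP connection named "UTM-L2TP" (a placeholder) created earlier with Add-VpnConnection, and that the UTM's Phase 2 policy has PFS off (the thread does not state the PFS setting, so adjust -PfsGroup to whatever the UTM policy actually uses). SHA256128 is the RFC 4868 128-bit truncation of HMAC-SHA-256; the cmdlet's enum offers no 96-bit SHA-256 variant, which is consistent with the thread's finding that only the plain "SHA2 256" Phase 2 setting interoperates.

```powershell
# Added example (not from the thread or Sophos): pin the Windows 10 built-in
# L2TP/IPsec client to the proposal the thread settled on, then verify it.
# "UTM-L2TP" is a placeholder for an existing connection made with Add-VpnConnection.
$ConnectionName = 'UTM-L2TP'

# Phase 1 (IKE SA): AES-128 / SHA-256 / DH group 14 (2048-bit MODP).
# Phase 2 (ESP):    AES-128 / HMAC-SHA-256 with the RFC 4868 128-bit ICV (SHA256128).
# PfsGroup is assumed to be None here; it must match the UTM Phase 2 policy.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -EncryptionMethod AES128 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup Group14 `
    -CipherTransformConstants AES128 `
    -AuthenticationTransformConstants SHA256128 `
    -PfsGroup None `
    -Force

# Read back what the client will actually propose and flag any leftover
# legacy value (e.g. DES3 or SHA196 from an older profile).
$cfg = Get-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName
$expected = @{
    EncryptionMethod                 = 'AES128'
    IntegrityCheckMethod             = 'SHA256'
    DHGroup                          = 'Group14'
    CipherTransformConstants         = 'AES128'
    AuthenticationTransformConstants = 'SHA256128'
}
foreach ($key in $expected.Keys) {
    $actual = [string]$cfg.$key
    if ($actual -ne $expected[$key]) {
        Write-Warning "$key is '$actual', expected '$($expected[$key])'"
    } else {
        Write-Output "$key = $actual (OK)"
    }
}
```

Run it in an elevated PowerShell session on the client. The same cmdlet with -RevertToDefault puts the connection back to the Windows defaults if the UTM policy has to be changed again later.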