
Road-warriors - L2TP over IPsec capabilities for split DNS and split tunnelling/routing > Mac & Windows (built-in)?

Any knowledge about that?



  • Hallo,

    This is possible but very labor-intensive.  Why not use the free SSL VPN client (Windows or OpenVPN client for Mac) or a free Sophos IPsec client (Windows & Mac)?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    That's exactly what I'm trying to examine ;-)

    Currently I do satisfy my roadies (Mac & Windows) with L2TP over IPsec using the built-in OS way, and it works mostly OK.

    Due to its legacy approach regarding performance, overhead, encryption, and not being splittable, I am thinking about switching to IPsec, not SSL VPN at all, and therefore a bunch of questions come up:

    1. Setup Remote Access (IPsec - UTM - for Win & Mac) - which one?

    Cisco or IPsec - what's the difference?

    2. Sophos IPsec client for Mac and Windows?

    The user portal just offers the software for Windows but not for Mac; where do I get it?

    3. Sophos IPsec UTM setup / IPsec client encryption and splittable?

    If I choose IPsec and there is a client for Mac & Windows, is it then possible to use the AES-GCM gain, and is it splittable?

    Further, I am very curious about the performance/latency difference between L2TP over IPsec vs. IPsec with the Sophos software!?

  • 1. Sophos IPsec client is free.
    2. https://www.avanet.com/en/kb/how-to-install-the-sophos-connect-client-on-macos/
    3. AES-128 is faster than 256.  L2TP/IPsec uses 3DES which is sloooow.

    Please let us know if Sophos Connect supports AES-128 GCM PFS:

    GCM uses hardware acceleration for encryption.  Makes this VERRRRY fast if your CPU can do it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
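To put numbers behind the cipher comparison in the reply above (3DES vs. AES-CBC vs. AES-GCM, 128 vs. 256-bit keys), here is an added micro-benchmark. It is not code from the thread, from Sophos, or from the UTM product; it assumes only that the PyCA `cryptography` package is installed and uses its OpenSSL backend, so the throughput it reports reflects your CPU (including AES-NI/CLMUL acceleration), not what any particular VPN client negotiates. The payload is constructed random data; the GCM nonce is reused only because nothing here is protected data.

```python
"""Added micro-benchmark: throughput of the VPN ciphers named in the thread.

Constructed example, not Sophos code. Assumes the PyCA `cryptography`
package is installed; the results only compare algorithms on this CPU and
say nothing about how a particular VPN client negotiates them.
"""
import os
import time

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

try:  # cryptography >= 43 moved 3DES to the "decrepit" namespace
    from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
except ImportError:  # older releases still export it here
    from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES


def _cbc_encryptor(algorithm_cls, key_bytes):
    """Return a function encrypting one buffer with algorithm_cls in CBC mode."""
    key = os.urandom(key_bytes)
    iv = os.urandom(algorithm_cls.block_size // 8)

    def encrypt(data):
        enc = Cipher(algorithm_cls(key), modes.CBC(iv)).encryptor()
        return enc.update(data) + enc.finalize()

    return encrypt


def _gcm_encryptor(key_bytes):
    """Return a function encrypting one buffer with AES-GCM (AEAD)."""
    aead = AESGCM(AESGCM.generate_key(bit_length=key_bytes * 8))
    nonce = os.urandom(12)
    # Reusing the nonce is acceptable only because this is a throughput
    # benchmark on throwaway data; a real protocol must never repeat a GCM nonce.
    return lambda data: aead.encrypt(nonce, data, None)


def _throughput_mbps(encrypt, payload, rounds):
    """Encrypt payload `rounds` times and return megabytes per second."""
    start = time.perf_counter()
    for _ in range(rounds):
        encrypt(payload)
    elapsed = time.perf_counter() - start
    return (len(payload) * rounds) / elapsed / 1e6


def benchmark(payload_size=64 * 1024, rounds=50):
    """Return {cipher name: MB/s} for the ciphers discussed in the thread."""
    # Constructed input; CBC without padding needs a block-aligned buffer
    # (AES block = 16 bytes, 3DES block = 8 bytes), so keep it a multiple of 16.
    assert payload_size % 16 == 0
    payload = os.urandom(payload_size)
    ciphers = {
        "3DES-CBC": _cbc_encryptor(TripleDES, 24),
        "AES-128-CBC": _cbc_encryptor(algorithms.AES, 16),
        "AES-256-CBC": _cbc_encryptor(algorithms.AES, 32),
        "AES-128-GCM": _gcm_encryptor(16),
        "AES-256-GCM": _gcm_encryptor(32),
    }
    return {name: _throughput_mbps(fn, payload, rounds) for name, fn in ciphers.items()}


def fastest(results):
    """Name of the cipher with the highest throughput in a benchmark() result."""
    return max(results, key=results.get)


if __name__ == "__main__":
    results = benchmark()
    for name, mbps in sorted(results.items(), key=lambda kv: -kv[1]):
        print(f"{name:12s} {mbps:10.1f} MB/s")
    print("fastest:", fastest(results))
```

Run it on the UTM host (or a box with the same CPU) and on a client to see the gap for yourself: 3DES lands far below every AES variant regardless of hardware, and on a CPU with AES-NI the GCM rows pull well ahead of CBC because the AEAD path avoids a separate HMAC pass. The difference between AES-128 and AES-256 is real but small compared with either of those two effects.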
  • Hi Bob,

    Ahh, unfortunately it looks like I can't test that; see screenshot ;-(

    The link you provided refers to XG, but we run SG, and the user portal, which we do not use, is then only for Windows. Also, it looks like the client user needs to be admin to install the Sophos IPsec client ;-( which is not and never will be the case, and I was really not able to find normal download links for Mac and Windows (...).

    How do I get the Sophos IPsec client software for Mac and Windows, ideally as MSI, and how do I get the client IPsec settings other than via the user portal, to be able to create a script for mass deployment?

    Thanks in advance for all tips and hints !

  • OK, it looks like if I use the same key as for L2TP it seems to work.

    Also I was able ;-) to find the direct download link for the Sophos IPsec clients (Mac & Windows) for anybody who is looking for it:

    www.sophos.com/.../utm-downloads

    Is there a way to extract or get the config file other than via the user portal?

  • OK. It seems that the Sophos IPsec client does not apply the GCM settings; it just falls back to AES-CBC. Screenshots attached.