This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

When (if ever) will UTM support IKEv2?

Hi all,

We use Sophos UTM V9 for a lot of things and have always been very pleased with the quality and supported features.

In the past, we also used Sophos UTM for a site to site IPSEC-VPN tunnel to a virtual network on Microsoft Azure. Not anymore though. We had to resort to another solution and vendor to get a "route based" tunnel working, which requires IKEv2. Sophos UTM still only supports IKEv1.

There are 2 feature requests related to this on the Sophos Ideas site:

The first one has been "under review" since 2009, without any updates after that. Getting support for IKEv2 in Sophos UTM does not seem to be very high on the agenda of Sophos, even though it looks like a much needed feature if you consider the amount of votes the subject has received.

I read in the news post from the 14th of September that IKEv2 support has been added to IPSEC VPN for the new XG Firewall V17, so there is at least some progress it seems.

Does anybody know if IKEv2 is also on the roadmap for Sophos UTM?



This thread was automatically locked due to age.
  • Unfortunately I don't know, but it would really be a welcome addition... I just hope it will also come to UTM soon.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I have the same problem. All appliances support IKEv2. 

    Don´t have solution for this case, only Sophos add IKEv2 in appliances.

    :-(

  • Here's a roadmap i got from a webinar earlier this year. There should be some kind of VPN changes for version 9.6 (which i have heard got delayed to next year)... I don't know if it means IKEv2 is implemented, but i sure hope so.. And Openvpn 2.4.X would be a nice welcome as well

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Thanks for the image of the roadmap.

    IKEv2 is mentioned specifically for SFOS V17, in addition to VPN improvements later on. But yeah, let's hope that IKEv2 is included in those VPN improvements.

    I really don't want to, but a delay until next year with no certainties of IKEv2 being included is already making me consider other vendors..

  • IKEv2 is now supported on the Sophos XG firewall (not the UTM yet). Have you considered transitioning to the XG firewall?

  • what good is having IKEv2 on XG if nobody/not many want to switch over from UTM?

    If you are asking if the switch to XG was considered i'd reply that the switch to another vendor is beeing considered.

    Full price subscription on UTM means full expectations, unmet expectations means that we are paying too much (right now).

    ---

    Sophos UTM 9.3 Certified Engineer

  • Do not print this roadmap ...  Just to save paper :)

    Seriously, this roadmap have become unrealistic.

    Missing here are NTP server for XG.  And a REAL DHCP server for XG.  You cannot pretend to be a UTM without it.

    As far as all products are concern, also missing is support for TLS 1.3.

    Paul Jr

  • David, it seems that to run XG, it requires YOUR level of knowledge.  Which sorts out the majority of IT population.  Learning curve is very long - months, if not years - and in the end so much is missing. 

    Logs are inaccurate and mostly useless.  It is absolutely required to use CLI for that.

    No NTP Time server.

    No Real DHCP.  If at least we could push WEB NTP servers addresses and other info to desktops.  XG DHCP is ultra basic and pushes only IP addresses to desktops.

    IPv6 implementation is too time consuming.  We have to duplicate everything.  IPv4 and IPv6 on XG is exactly like maintaining TWO firewalls.  Two sets of firewall rules, two sets of everything.  Unworkable.

    TLS 1.3 is not on any roadmap.  TLS 1.2 has existed for more than a decade, but implemented only recently on selected Sophos products, and its implementation requires voodoo skills.

    At the pace development goes, XG will catch up with competitors in around two years.

    There is no rush to get into XGs troubles.  Particularly if one owns a stable UTM ...  Why IKEv2 was not implemented on UTM 10 years ago is unanswerable . 

    By the way I really do appreciate your Youtube videos ... Very interesting.

    Paul JR

  • I was told during my architect training, that they are rewriting the core for XG v.18.... So hopefully that fixes some of the annoyances we're facing at the moment... I have started to look around after another vendor.. our UTM license expires next summer.

    Sophos UTM 9.3 Certified Engineer
    Sophos UTM 9.3 Certified Architect
    Sophos XG v.15 Certified Engineer
    Sophos XG v.17 Certified Engineer
    Sophos XG v.17 Certified Architect

  • Hello

    I wish I had a better understanding what "the core" really is ... I understand that XG is a collection of open source software, like Strongswan, and that XG is rather a softwares interface to those modules, a reporting service to those modules and a GUI to admin and users ...

    To me, "the core" is mostly open source software to which Sophos contributes.  Just theorizing.

    Paul Jr