When (if ever) will UTM support IKEv2?

Hi all,

We use Sophos UTM V9 for a lot of things and have always been very pleased with the quality and supported features.

In the past, we also used Sophos UTM for a site to site IPSEC-VPN tunnel to a virtual network on Microsoft Azure. Not anymore though. We had to resort to another solution and vendor to get a "route based" tunnel working, which requires IKEv2. Sophos UTM still only supports IKEv1.

There are 2 feature requests related to this on the Sophos Ideas site:

The first one has been "under review" since 2009, without any updates after that. Getting support for IKEv2 in Sophos UTM does not seem to be very high on the agenda of Sophos, even though it looks like a much needed feature if you consider the number of votes the subject has received.

I read in the news post from the 14th of September that IKEv2 support has been added to IPSEC VPN for the new XG Firewall V17, so there is at least some progress it seems.

Does anybody know if IKEv2 is also on the roadmap for Sophos UTM?

  • I think you have it right, Paul.

    My impression is that the underlying software is mostly the same in both UTM and XG.  I suspect that the Web Filtering engine in the XG is not the one that Astaro created (in V7, I think it was).  XG has a newer version of StrongSWAN and we can only hope that UTM 9.6 brings Charon as a replacement for pluto - probably bringing along IKEv2.

    WebAdmin in both the UTM and XG are just GUIs that manipulate databases of objects and settings related to the underlying programs.  In the UTM, the configuration daemon (confd) writes the actual code that does things.  I don't know whether the XG uses confd.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • UTM and XG are all-in-one products. As a buyer, you should expect that if a product tries to do everything, it will not be able to do all of it extremely well, but you hope that it will be able to do most of the things well enough, and that you will have enough money left over to work around the weak spots.

    Our recent problems with regression bugs in UTM (and I think XG) should be a reminder that as a product gets more complex, it gets progressively more difficult to debug.  Asking for more features may be self-defeating.

    UTM's greatest value to my organization has been its web filter, WAF, and OTP capabilities, not its ability to be a replacement for a Cisco ASA. If you need IKEv2 now, spend a little bit of money to put a firewall in front of your UTM. Doing so will actually simplify your UTM configuration.

    Considering how long it has been since IKEv2 was standardized and requested by Astaro users, and considering the obvious Sophos marketing direction from UTM to XG for new sales, I would not recommend creating a corporate security plan based on having IKEv2 in UTM soon. Maybe it will happen, maybe not. Maybe the first release will meet your performance and reliability expectations, maybe not.

    Don't let your security needs be held captive to Sophos' development priorities. At the same time, don't assume that you need to find an all-in-one solution from somebody else to replace the all-in-one solution from Sophos that left you disappointed. To do it all extremely well, you probably need multiple products from multiple vendors.