Can't select own deprecated VPN IPSEC policies

Hello.

After upgrading to 17 MR1 (and again on MR2 and 3) my IPSEC connections to an old router (Zyxel SBG3300) are not working anymore!

Sophos is in "respond only" but the issue is that, if I edit the IPSec policy I made to connect to the Zyxel years ago, it shows me that some parameters are "not recommended because they are not secure".

The editor gives me the possibility to use them, and I can correctly save the policy, but when I want to use that policy in an IPSec connection, the policy doesn't appear in the dropdown menu!

I need that policy. I know they are not so secure, but I need it and I want it to be usable again in an IPSec connection.

Thanks, Mat

  • Hi Mat,

    When the connection type is "Respond Only", policies are only listed when the DPD option "When Peer Unreachable" in the policy is set to disconnect.

    Cheers,

    Kofi

  • ...I thought you were right (you were!) but the VPN tunnel can't be established at all!

    The policies are the same as before (except for the "disconnect" instead of "re-initiate" parameter, as you suggested) but "received IKE message with invalid SPI" is logged: it seems there are a lot of other posts with this problem with the new Sophos XG firmware!

    Can I provide something to help?

    Our customer is seriously thinking about changing to another appliance because of all the problems we had with Sophos concerning IPSEC VPNs, web traffic content issues, poor SSL VPN speed performance... all things that are in other 100+ threads on these forums!

    Can Sophos really provide support to customers or not??? I'm disappointed.

    Thanks, Mattia Trussardi

  • Hi Mattia,

    Can you please provide me with more information about the configured policy and the IPSec mode configured? Note that Aggressive mode with PSK (Authentication Type) is not supported for security reasons; hence, if you have configured a policy with Authentication Mode as Aggressive, then you cannot see the policy using PSK for Authentication Type.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I have the same issue as the original post. I'm switching from an SG135 to the XG135. The XG135 can't be placed into a live environment until this issue is resolved.

    Firmware: 18.0.1 MR-1-Build 396

    I create the IKEv1 policy, but when I go to create the IPsec VPN tunnel, the policy is listed but not selectable (it's in red).

    There are plenty of people out there who have devices that don't support IKEv2, so we need to be able to use IKEv1. It's fine to give me a warning that it isn't as secure, but the device should not be preventing me from using them. Even for those clients that do have IKEv2-capable devices, appointments need to be set up to make changes. In the meantime, the connections need to be maintained in a production environment.

    Note: NOT using aggressive mode

  • I found that if I disable dead peer detection, the policy becomes selectable when setting up the IPsec connection.

  • Thanks Steve, I had the same issue, but it worked after disabling dead peer detection.