Can't select own deprecated VPN IPSEC policies


After upgrading to 17 MR1 (and again on MR2 and 3) my IPSEC connections to an old router (Zyxel SBG3300) are not working anymore!

Sophos is in "respond only" but the issue is that, if I edit the IPSec policy I made to connect to the Zyxel years ago, it shows me that some parameters are "not recommended because they are not secure".

The editor gives me the possibility to use them, and I can correctly save the policy but, when I want to use that policy in an IPSec connection, the policy doesn't appear in the dropdown menu!

I need that policy, I know they are not so secure, but I need it and I want it to be usable again in an IPSec connection.

Thanks, Mat

  • Hi Mattia,

    Can you please provide me more information about the configured policy and the IPSec mode configured? Note that Aggressive mode with PSK (Authentication Type) is not supported for security reasons; hence, if you have configured a policy with Authentication Mode as Aggressive then you cannot see the Policy using PSK for Authentication Type.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • I have the same issue as the original Post.  I'm switching from a SG135 to the XG135.  The XG135 can't be placed into a live environment until this issue is resolved.

    firmware:   18.0.1 MR-1-Build 396

    I create the IKEv1 policy but when I go to create the ipsec VPN tunnel, the policy is listed but not selectable.  (it's in red)

    There are plenty of people out there who have devices that don't support IKEv2, so we need to be able to use IKEv1.  It's fine to give me a warning that it isn't as secure but the device should not be preventing me from using them.  Even for those clients that do have IKEv2 capable devices, appointments need to be set up to make changes.  In the meantime, the connections need to be maintained in a production environment.

    Note:  NOT using aggressive mode

  • I found that if I disable dead peer detection, the policy becomes selectable when setting up the ipsec.

