Sophos Connect using depreciated DH group?

We are going to upgrade to MR3 tonight, Will report back if we get the same behavior.

In 17.5 MR1 it is still ECP_256 (we are using 17.5 mr1 Now)

This got to be a config Flaw.

I tested the latest client with a connection to a MR3 device and it still uses MODP_1024

Upgraded to Firewall to 17.5 mr3 using the lastes Sophos Connect client 1.2.5.0202 and I get ECP_256 for DH.

Take a look on what version on the Connect client you are using, could that be the diferens?

//Rickard

I'm using the same Sophos Connect version 1.2.5.0202. Both the VPN connection profile and Open VPN log points out MODP_1024 as DH group and updating the connection profile to MODP_2048 or ECP_256 makes no difference.

Hello Anders,

I do not understand your statement "updating the connection profile to MODP_2048 or ECP_256 makes no difference". Where are you updating this? Please let me know what is getting updated and where so I can help? Also any new connection imported in Sophos Connect 1.2 will use MODP_1024. If you have not imported the connection after you upgrade to Sophos Connect 1.2 it will still negotiate ECP_256.

Ramesh

Hi Ramesh,

As part of the "troubleshooting" I tried to replace MODP_1024 in VPN connection profile Cisco_VPN.tgb.

Why would Sophos move from ECP_256 to the depreciated MODP_1024?

Anders

Hi Ramesh,

As part of the "troubleshooting" I tried to replace MODP_1024 in VPN connection profile Cisco_VPN.tgb.

Why would Sophos move from ECP_256 to the depreciated MODP_1024?

Anders

Hello Anders,

In the .tgb file you need to make this change in this line. Transforms = AES256-SHA2_256-GRP19-RSA_SIG

Similarly for Phase 2 you need to change this line. Transforms = TGBQM-ESP-AES256-SHA2_256-PFSGRP19-TUN-XF

This change will help to select the correct DH group. This is a problem with Sophos Connect 1.2 and it will be fixed in the next release and by default it will select ECP_256.

Please let me know if you have any questions.

Ramesh