Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 4 replies
  • Subscribers 27 subscribers
  • Views 904 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec between XG and SG - question about KB000036746 - really 128bit and MD5?

LHerzog

Hi,

I have a question about Sophos KB 000036746

I received this link from support in case 03251728 without any more information.

Are the shown and red marked settings on XG policy really required in this way or is it just an example? I ask because there is any information written why this or that settings has to be made.

Several settings there are shown as insecure and if I see 128bit and MD5 I must ask if these outdated settings are really sophos recommended and/or required.

Target machine of the XG is a up 2 date SG on 9.705-3.

Thank you.



This thread was automatically locked due to age.
Parents
  • 0

    Hello LHerzog,

    Thank you for contacting the Sophos Community!

    I have sent an email to the KB team requesting to update the settings to more secure ones.

    If the XG is the initiator, you could try going to DH 14 for phase 1 and Sha2 256 for Phase Authentication.

    Regards,

Reply
  • 0

    Hello LHerzog,

    Thank you for contacting the Sophos Community!

    I have sent an email to the KB team requesting to update the settings to more secure ones.

    If the XG is the initiator, you could try going to DH 14 for phase 1 and Sha2 256 for Phase Authentication.

    Regards,

Children
  • 0 in reply to emmosophos

    Thank you emmosophos for forwarding this request.

    I have to admit that I find it strange, that Sophos has no tested and up-2-date documentation about the most secure VPN settings between their own Firewalls and that the suggestion to the end user is to test this or try that setting. There should be a secure and safe setting that works and is supported.

    IPsec is a basic and very common scenario, with only few if not any special dependies in the end users environment, I guess.