This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG L2TP over IPsec AES256 and SHA2 256 issues

I have been trying to get a Sophos XG 125 vpn server configured to work like another Sophos UTM running UTM 9 but I seem to be running into issues with the IPsec policy encryption and authentication methods. I'd like to use only AES/SHA2 256 with DH14 like the UTM9 does but when I do, the only client that works is iOS14. Windows 10 and Mac OS 10.15 using their built in VPN clients don't connect at all. To get the Windows 10 and Catalina Mac to connect I have to use encryption which the XG warns is potentially insecure.

Why am I able to use DH14 and AES/SHA2 256 on the UTM 9 but Windows 10 and Mac running Catalina don't work at all on the XG running 18.0.4 with the same IPsec policy?

This thread was automatically locked due to age.

Parents

0 FormerMember over 4 years ago
Hi CSC1,

Thanks for reaching out to the Community!

Try to configure the L2TP policy as suggested on the following community thread, and let us know if that helps:

https://community.sophos.com/intercept-x-endpoint/f/discussions/124067/sophos-and-big-sur-upgrade

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 CSC1 over 4 years ago in reply to FormerMember

Thanks for the reply. Unfortunately I saw this and already copied it but with the same result. I'm also curious if the fact that the shown configuration uses duplicate encryption methods might be a clue. When I matched these settings I get an error that there are duplicates and it won't allow me to save until I delete the second AES256 batch from phase 1 and 2. It could be an issue with my DH group setting though so do you know what those two selections should be?
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 4 years ago in reply to CSC1

Hi CSC1,

The selected DH groups are 2 and 14.

Thanks,
Cancel
Vote Up 0 Vote Down

Cancel
0 CSC1 over 4 years ago in reply to FormerMember

I tried it again and as I said I can't get two sets of AES256 and SHA2 256 as shown in the image but with one set of them and the AES128 and SHA2 256, Windows and Mac OS 10.15 no longer are able to connect at all.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 CSC1 over 4 years ago in reply to FormerMember

I tried it again and as I said I can't get two sets of AES256 and SHA2 256 as shown in the image but with one set of them and the AES128 and SHA2 256, Windows and Mac OS 10.15 no longer are able to connect at all.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data