This discussion has been locked.
IPsec Pre-Shared Key Sync with Sophos Connect

Hi,

We have found this issue:
- When we change the pre-shared key on any IPsec VPN tunnel, the firewall also changes the Sophos Connect IPsec pre-shared key to the identical value, which causes users to be unable to connect with Sophos Connect.
- We need to reapply the correct pre-shared key on Sophos Connect.

The problem was present on 17.5.14 and also on 18.0.5 MR5 (we have just updated this week and we have the same bug).



This thread was automatically locked due to age.
  • Sophos Connect and all IPsec tunnels which have gateway * (wildcard) share the same PSK. Do you have an IPsec site-to-site tunnel with a wildcard?

  • That is impressive - this can (or already does) lead to a massive pain in the ...

    I'd never expect that if I change the PSK for a tunnel, I instantly ban all IPsec clients.

  • This has been in the product for years.

    The point is, XG cannot differentiate between a remote client and an IPsec tunnel if you start to use remote gateways with *.

    IPsec site-to-site should use an explicit remote gateway to know which PSK, RSA key, or certificate should be used.

    Products like UTM use a self-made "solution" for this challenge called "PSK probing": the IPsec module will simply "try all PSKs". This works fine for 3 tunnels but can easily reach the limitation with multiple tunnels.

    The best solution for this is to implement an identifier for this. This is on the to-do list for the future, to consider the tunnel identifier for each tunnel.
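The reply above describes three ways a responder can pick a pre-shared key for an incoming IKE peer: by remote gateway address (where every wildcard peer collapses into one slot), by probing every configured PSK, or by a per-tunnel identifier. The following is an added example, not code from the thread or from Sophos XG/UTM, that models all three so the failure and the cost of the workaround are visible. It assumes IKEv2-style PSK authentication from RFC 7296 section 2.15 with HMAC-SHA256 as the prf; the signed-octets input, peer names, addresses and keys are constructed for the example.

```python
# Added example (not Sophos/XG code): why PSK selection breaks for peers with a
# wildcard remote gateway, and what "PSK probing" and a per-tunnel identifier do.
# Assumption: IKEv2 PSK AUTH per RFC 7296 s2.15, prf = HMAC-SHA256.
import hashlib
import hmac

KEY_PAD = b"Key Pad for IKEv2"  # literal pad string from RFC 7296 section 2.15

# Constructed keys for the example (not real configuration values).
CLIENT_PSK = b"sophos-connect-road-warrior-psk"
SITE_PSK = b"branch-site-to-site-psk"


def psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(psk, "Key Pad for IKEv2"), <signed octets>)."""
    inner = hmac.new(psk, KEY_PAD, hashlib.sha256).digest()
    return hmac.new(inner, signed_octets, hashlib.sha256).digest()


class GatewayKeyedStore:
    """PSKs keyed only by remote gateway address. Every tunnel whose remote
    gateway is '*' maps to the same slot, so setting the PSK on one wildcard
    tunnel overwrites it for all of them (the behaviour the thread reports)."""

    def __init__(self) -> None:
        self._psk: dict[str, bytes] = {}

    def set_psk(self, remote_gateway: str, psk: bytes) -> None:
        self._psk[remote_gateway] = psk

    def candidates(self, peer_ip: str) -> list[bytes]:
        if peer_ip in self._psk:          # explicit remote gateway wins
            return [self._psk[peer_ip]]
        return [self._psk["*"]] if "*" in self._psk else []


class IdentityKeyedStore:
    """PSKs keyed by the peer's IKE identity (IDi), independent of address,
    so wildcard-gateway tunnels and remote-access clients keep separate keys."""

    def __init__(self) -> None:
        self._psk: dict[str, bytes] = {}

    def set_psk(self, peer_id: str, psk: bytes) -> None:
        self._psk[peer_id] = psk

    def candidates(self, peer_id: str) -> list[bytes]:
        return [self._psk[peer_id]] if peer_id in self._psk else []


def probe_auth(candidates: list[bytes], signed_octets: bytes, auth: bytes):
    """'PSK probing': try each candidate until one verifies the AUTH payload.
    Returns (matching index or None, number of prf evaluations spent)."""
    for i, psk in enumerate(candidates):
        if hmac.compare_digest(psk_auth(psk, signed_octets), auth):
            return i, i + 1
    return None, len(candidates)


def simulate_gateway_keyed() -> bool:
    """Remote-access client after an admin changed the PSK of a wildcard
    site-to-site tunnel: the shared '*' slot now holds SITE_PSK."""
    store = GatewayKeyedStore()
    store.set_psk("*", CLIENT_PSK)   # Sophos Connect users: any source address
    store.set_psk("*", SITE_PSK)     # later change on a wildcard S2S tunnel
    octets = b"constructed-signed-octets-for-client"
    auth = psk_auth(CLIENT_PSK, octets)           # client still has its key
    idx, _ = probe_auth(store.candidates("203.0.113.7"), octets, auth)
    return idx is not None                        # False: clients are locked out


def simulate_identity_keyed() -> bool:
    """Same change with PSKs selected by IKE identity: only the branch entry moves."""
    store = IdentityKeyedStore()
    store.set_psk("vpn-client", CLIENT_PSK)
    store.set_psk("branch.example.net", b"old-branch-psk")
    store.set_psk("branch.example.net", SITE_PSK)  # PSK rotation on the tunnel
    octets = b"constructed-signed-octets-for-client"
    client_ok = probe_auth(store.candidates("vpn-client"), octets,
                           psk_auth(CLIENT_PSK, octets))[0] is not None
    site_ok = probe_auth(store.candidates("branch.example.net"), octets,
                         psk_auth(SITE_PSK, octets))[0] is not None
    return client_ok and site_ok


def probing_cost(n_tunnels: int) -> int:
    """Worst-case prf evaluations when probing n wildcard tunnels' PSKs."""
    psks = [hashlib.sha256(b"psk-%d" % i).digest() for i in range(n_tunnels)]
    octets = b"constructed-signed-octets-worst-case"
    _, attempts = probe_auth(psks, octets, psk_auth(psks[-1], octets))
    return attempts


if __name__ == "__main__":
    print("gateway-keyed client login:", simulate_gateway_keyed())   # False
    print("identity-keyed logins:", simulate_identity_keyed())       # True
    print("probing cost, 3 vs 50 tunnels:", probing_cost(3), probing_cost(50))
```

The gateway-keyed store is the state the original poster hits: one `*` slot, so the last PSK written wins for every wildcard peer. Probing restores connectivity but spends one double-HMAC per configured PSK per failed guess, which is why the reply calls it workable for three tunnels and a limitation beyond that; keying on the IKE identity removes both problems, which is the "tunnel identifier" the reply describes.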
