
IKEv2 for remote access

Hello Community, 

We are still waiting for the implementation of IKEv2 for remote access. In v18.5.1, the support has not been built in yet.

A few months ago EmmoSophos wrote that IKEv2 for remote access will be implemented. The internal ID is NC-14133; can anyone tell me if there is a schedule in the meantime?

Thanks,

Ben



  • This is postponed for a future release (No ETA currently). 

    Sophos is also addressing some of those use cases of IKEv2 for RA with ZTNA. 


  • It would be nice if Sophos finished the products that we currently pay for before diverting engineers to products that we will have to pay more for!

  • What is a finished product? In IT, there are always moving parts about technologies, new features etc. 


  • OK so I worded this badly. How about "when will Sophos properly support existing technologies we currently pay for before diverting engineers to products that we will have to pay more for". Is that better?

    IKEv1 is considered insecure. You are supposed to be supplying a security product. People have been requesting IKEv2 for years. It was promised in v18 and then never appeared - https://community.sophos.com/sophos-xg-firewall/f/discussions/100375/ikev2-for-remote-access-connections---when-will-it-come, quote "IKEv2 support for remote access connections is completed and will be available with the release of v18"

    Just another example of Sophos doing what it wants to do, not what customers want and need.

  • Could you give some sources about IKEv1 being insecure? 


  • I can find articles, but they are always going to be one person's post on the internet.
    I can point out that setting up an IKEv1 VPN on an Android phone will warn you that the connection is "Non-secure" (but what would Google know).
    I can point out that Android only supports DH group 2 for IKEv1 which your own XG product warns is insecure when you allow it.

    Can you find me any source that recommends using IKEv1 over IKEv2?

    Can you explain why IKEv2 was promised in v18.0 and still hasn't appeared?

    Can you explain why IKEv2 has been available since 2005 as a replacement for IKEv1 but still hasn't found its way into XG for Remote Access VPN?

    Can you explain why you felt the need to implement IKEv2 for site to site tunnels but not for Remote Access VPN?

  • IKEv2 should be used, if available. The Draft about IKEv1 deprecation basically talks about "it could be insecure, because it most likely is not supported". See: https://www.ietf.org/id/draft-ietf-ipsecme-ikev1-algo-to-historic-02.html

    It does not talk about recommendations. But the claim that IKEv1 is insecure is not correct. IKEv1 can be insecure if not patched, if using insecure ciphers, etc. But the basic design of IKEv1 is still secure. There is a reason the post above is still in draft to this date. 

    It was not promised by any means. I cannot comment on the individual post of this person in the community, but there were no release notes nor any commitment to release IKEv2 for RAS, as far as I know. 

    About IPsec as a RAS solution: If you look at the customers using SFOS as a RAS solution, most of those customers use SSLVPN (for obvious reasons: connectivity, performance, etc.). Most customers using IPsec are fine with IKEv1. 

    The latest implementations from vendors like Apple and Android are starting to rely on IKEv2 and give advantages like split tunneling, etc. Therefore this mode has become more attractive for some time now. 

    Looking at the market, it will become more interesting which product will actually take over: ZTNA or IPsec. And from my perspective, ZTNA is by far the superior concept. Bringing an iOS/Android client for ZTNA looks better to me than supporting IKEv2 and going back in the VPN world. But that's just my understanding. 

    PS: I am not a product manager at Sophos and am only commenting on my own beliefs. 

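The thread's disagreement comes down to whether the weakness lies in IKEv1 itself or in the parameters a proposal uses (DH group 2, old ciphers). The following is an added example, not Sophos or forum code, that scores IKE proposals on exactly those points; the proposal dictionaries, severity labels and the `assess_proposal`/`worst_severity` helpers are constructed for illustration.

```python
"""Assess IKE proposals on the points raised in the thread: IKE version,
Diffie-Hellman group size, and cipher / integrity choices.
Added example with constructed sample proposals; not Sophos code."""

# MODP groups below 2048 bits. Group 2 is the 1024-bit group the thread
# says Android uses for IKEv1 and that SFOS flags as insecure when enabled.
WEAK_DH_GROUPS = {1: 768, 2: 1024, 5: 1536}
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5"}


def assess_proposal(proposal):
    """Return a list of (severity, message) findings for one IKE proposal.

    proposal keys: name, ike_version (1 or 2), dh_group (int),
    cipher (str), integrity (str).  Hypothetical schema for this example.
    """
    findings = []
    if proposal["ike_version"] == 1:
        # IKEv1 is not broken by design, but the IETF draft cited in the
        # thread moves it towards Historic status and modern mobile
        # clients rely on IKEv2, so flag it as a medium finding.
        findings.append(("medium", "IKEv1 in use; IETF draft deprecates it, prefer IKEv2"))
    bits = WEAK_DH_GROUPS.get(proposal["dh_group"])
    if bits is not None:
        findings.append(("high", f"DH group {proposal['dh_group']} ({bits}-bit MODP) is too small"))
    if proposal["cipher"].lower() in WEAK_CIPHERS:
        findings.append(("high", f"cipher {proposal['cipher']} is weak or deprecated"))
    if proposal["integrity"].lower() in WEAK_INTEGRITY:
        findings.append(("high", f"integrity {proposal['integrity']} is deprecated"))
    return findings


def worst_severity(findings):
    """Collapse a findings list to its highest severity ("none" if empty)."""
    order = {"high": 2, "medium": 1}
    return max((f[0] for f in findings), key=order.get, default="none")


# Constructed samples: an Android-style IKEv1 proposal and an IKEv2 one.
SAMPLE_PROPOSALS = [
    {"name": "android-ikev1", "ike_version": 1, "dh_group": 2,
     "cipher": "aes256", "integrity": "sha1"},
    {"name": "ikev2-modern", "ike_version": 2, "dh_group": 14,
     "cipher": "aes256gcm", "integrity": "sha256"},
]

if __name__ == "__main__":
    for p in SAMPLE_PROPOSALS:
        print(p["name"], worst_severity(assess_proposal(p)), assess_proposal(p))
```

Running it shows the IKEv1 proposal is rated high only because of DH group 2, not because of the version alone, which is the distinction the last reply draws.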
