
Sophos Connect 2.1 Supported Protocols

Is this documented anywhere because I can't find anything?

In particular, I'm interested in what DH Groups, Encryption and Authentication protocols are supported in Sophos Connect 2.1 for IPsec and SSL VPN connections.



  • Hi: Sophos Connect VPN is used for IPsec remote access, which uses the "DefaultRemoteAccess" policy, and as of now we may consider those policy parameters as supported by Sophos Connect 2.1.



    For SSL VPN, the supported cryptographic settings are available in XG as shown below, and these are the ones supported in Sophos Connect. There are other options in the drop-down; the snapshot is for reference, to show the navigation and option details.

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • It's a bit of a 'Sophos answer'!

    If we have Sophos Connect installed and want to also use it to connect to a non-Sophos endpoint, it would be useful to know what protocols it supports so we don't have to play 'trial and error', especially where the endpoint may not be under our control. We don't really want to install a separate VPN client and deal with any issues that may cause if possible.

    Are you saying that Sophos Connect only supports those protocols in the DefaultRemoteAccess policy?

  • So you want to use Sophos Connect to connect to a VPN peer? 

    You could simply check what the current solution negotiates with a Sophos solution and map this to the other solution.

    SSLVPN: 

    Or IPsec:

    "proposals" : [
    "aes256-sha2_256-modp2048"

    __________________________________________________________________________________________________________________

  • Hi : With V19 one can select "Custom policy for IPSEC RA".

    Sophos Firewall: What's new in v19

    https://community.sophos.com/sophos-xg-firewall/sfos-v19-early-access-program/m/files/9519

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support


  • You've illustrated exactly my point! SHA512 is not part of the XG Default Profile so how do I know Sophos Connect supports it?

    Also, the whole nature of connecting to third party solutions is you don't control the configuration of the third party. You will be told what is supported and told to configure to match. Without a list of protocols that are supported by Sophos Connect, it just becomes trial and error to see if it works but if it fails you can't be sure if it isn't another issue like firewalls blocking something.

    I really thought this would be a simple question. I can't imagine any other VPN client that doesn't list what protocols it supports. Sophos doesn't seem to want to tell us that (it's like drawing teeth!)

  • https://community.sophos.com/sophos-xg-firewall/sfos-v19-early-access-program/m/files/9519 - Actually this is exactly where I started with this question.

    I wanted to use Sophos Connect with AES-GCM but it didn't work, hence the question "Sophos Connect 2.1 Supported Protocols". I simply wanted to know if AES-GCM was supported, in case it was supported but I had made some other error or tried a combination of protocols that weren't supported.

    You've got DH Group, Encryption and Authentication and sometimes finding a supported combination is tricky. Further complicating this is the fact that sometimes the supported protocols are different for Phase 1 and Phase 2. That's why vendors list what protocols are supported by their VPN clients. Apparently though, this is a Sophos secret!

  • It is not. It simply did not come up in recent months/years.

    But do not confuse SSLVPN and IPsec. 

    There are differences in the methods and the supported techniques to use both. 

    IPsec uses IKEv1. 

    SSLVPN uses OpenVPN. 

    In theory, you could simply look up the ciphers supported by Sophos Connect by looking up the versions used by SC.

    https://community.openvpn.net/openvpn/wiki/CipherNegotiation

    For Strongswan it is not easy to find this. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites

    __________________________________________________________________________________________________________________
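The matching problem discussed in this thread, as an added example that is not part of any post and is not Sophos code: it splits proposal strings of the form quoted above (`aes256-sha2_256-modp2048`) into encryption, integrity and DH group, then reports which transform differs between a client and a peer. The function names and the peer list are assumptions constructed for illustration; the keyword patterns follow strongSwan-style naming and say nothing about what Sophos Connect actually supports.

```python
import re

# Transform kinds, matched on strongSwan-style proposal keywords.
KINDS = [
    ("encryption", re.compile(r"^(aes\d+(gcm\d+|ccm\d+|ctr)?|3des|chacha20poly1305)$")),
    ("prf", re.compile(r"^prf\w+$")),
    ("integrity", re.compile(r"^(sha1|sha2_\d+|md5|aesxcbc)$")),
    ("dh_group", re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448)$")),
]
AEAD = re.compile(r"(gcm|ccm)\d+$|^chacha20poly1305$")
# Alternative spellings normalised to the form quoted in the thread.
ALIASES = {"sha256": "sha2_256", "sha384": "sha2_384", "sha512": "sha2_512"}


def parse_proposal(text):
    """Split e.g. 'aes256-sha2_256-modp2048' into {kind: keyword}."""
    parsed = {}
    for token in text.strip().lower().split("-"):
        token = ALIASES.get(token, token)
        for kind, pattern in KINDS:
            if pattern.match(token):
                parsed[kind] = token
                break
        else:
            raise ValueError(f"unrecognised transform {token!r} in {text!r}")
    # AEAD ciphers (AES-GCM etc.) carry their own integrity check.
    if AEAD.search(parsed.get("encryption", "")) and "integrity" not in parsed:
        parsed["integrity"] = "aead"
    return parsed


def diff(client, peer):
    """Return {kind: (client_keyword, peer_keyword)} for every mismatch."""
    a, b = parse_proposal(client), parse_proposal(peer)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


def negotiate(client_proposals, peer_proposals):
    """Return (common proposal, {}) or (None, smallest mismatch found)."""
    closest = None
    for c in client_proposals:
        for p in peer_proposals:
            d = diff(c, p)
            if not d:
                return c, {}
            if closest is None or len(d) < len(closest):
                closest = d
    return None, closest


# Constructed sample: the client string is the one quoted in the thread; the peer list is made up.
CLIENT = ["aes256-sha2_256-modp2048"]
PEER = ["aes256gcm16-prfsha256-modp2048", "aes256-sha512-modp2048"]
if __name__ == "__main__":
    print(negotiate(CLIENT, PEER))
```

Run once against the Phase 1 lists and once against the Phase 2 lists, since the two phases are configured separately.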
